Securety update for graph.php

Tags: #<Tag:0x00007f84a0c71cb8> #<Tag:0x00007f84a0c71bf0> #<Tag:0x00007f84a0c71b28>

Idee is simple:

i whant to utilise ex the port utilisation
whit an graph to the mail
but the image is only a limit time available

so i added:

$config['allow_unauth_graphs'] = true;

Now anny dumb script kiddy can try to see ports / etc
I dont know the subnets from all email clients … to manny
So i whant this added, i dont know how to implement it , but maybe some1 can help me whit it:

So the template IMG:

<img src="https://librenms.domain/graph/?device={{ $value['device_id'] }}&type=port_bits&id={{ $value['port_id'] }}&width=800&height=300&from={{ $value['poll_prev'] }}&rule={{ $alert->rule_id }}&alert={{ $alert->id }}">

I need: Device ID / rule ID and Alert ID|

So inside graph.php
we need an connection to the database:

1st check: is the alert an valid alert to show?

SELECT * FROM `alert_log` WHERE id = <$alert->id> AND state =! 0 ORDER BY id DESC

if no input = deny the request ( since its no no error on th eallert)
If there is input:
get the time_logged
example: 2019-08-19 10:00:00

2nd Check and final:

SELECT * FROM `alert_log` WHERE rule_id = <$alert->rule_id> AND device_id = <$value['device_id']> AND id >= <$alert->id> AND state = 0 AND details IS NOT NULL ORDER BY id DESC

So show list whenn not cleared there will be state 0 with details = ‘NULL’ - ignore it

but whenn there is no results meaning the alert is active = show image whit date = NOW
whenn there is only 1 input, meaning its closed, get that time_logged
whenn there are multiple inputs meaning u got an old alert_id and deny the vieuw.

So now we have 3 outcomes
1 = vieuw the image whit date NOW (as its not resolved yet)
2 = vieuw the image whit date time_logged (as its closed but its resent alert)
3 = deny the vieuw as its closed / old / wrong id’s

So in PHP:
or
$date = date_create('2019-08-19 10:00:00');
(the date from the database)
or
$date = date_create(date("Y-m-d H:i:s"));
(the date now)

to check if the is passed ex 15 mins:

if (time() - date_timestamp_get($date) > 15 * 60) {
    echo "15 min error\n";// 15 mins has passed
}

Would love to have in config someting like:

$config['allow_unauth_time_limit'] = 1; // Use Time limit function
$config['allow_unauth_time_befor'] = '10'; // Time in minutes
$config['allow_unauth_time_after'] = '15'; // Time in minutes
$config['allow_unauth_redirect'] = 1; // Redirect on error?
$config['allow_unauth_redirect_to'] = 'https://librenms.domain/wrong_input.php'; // Redirect URL?

So the from whould be 60 times config:
floor($value[‘poll_prev’]/600) * 600
and after the image is denyd
if (time() - date_timestamp_get($date) > 15 * 60)

Maybe to make better error page for this and or log an brute force requests
or make an redirect URL?

Hope some1 can collaborate whit me?

Cheers.

  1. set “to” to “now”
  2. just set the date, convert it to timestamp
  3. https://laravel.com/docs/5.8/urls#signed-urls (needs implementation in LibreNMS)

Hey Murrant,

1> not relevant, no to = to now ,
2> i know, but its a securety, + set date =! dynamic
3> i dont know that part

i yust whant some securety patches against script kiddys

Only option right now is to lock it down via IP (described in docs).
Secure option would be to implement signed urls for emailing, instead of the silly unauth graphs setting.