securityonion-capme needs additional input validation in index.php #856

debian/changelog

@@ -1,3 +1,9 @@
+securityonion-capme (20121213-0ubuntu0securityonion32) trusty; urgency=medium
+
+  * securityonion-capme needs additional input validation in index.php #856 
+
+ -- Doug Burks <[email protected]>  Mon, 08 Feb 2016 10:53:56 -0500
+
 securityonion-capme (20121213-0ubuntu0securityonion31) trusty; urgency=medium
 
   * Issue 840: securityonion-capme: remove include config from callback 

debian/patches/securityonion-capme-needs-additional-input-validation-in-index.php-#856

@@ -0,0 +1,163 @@
+Description: <short summary of the patch>
+ TODO: Put a short summary on the line above and replace this paragraph
+ with a longer explanation of this change. Complete the meta-information
+ with other relevant fields (see below for details). To make it easier, the
+ information below has been extracted from the changelog. Adjust it or drop
+ it.
+ .
+ securityonion-capme (20121213-0ubuntu0securityonion32) trusty; urgency=medium
+ .
+   * securityonion-capme needs additional input validation in index.php #856
+Author: Doug Burks <[email protected]>
+
+---
+The information above should follow the Patch Tagging Guidelines, please
+checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
+are templates for supplementary fields that you might want to add:
+
+Origin: <vendor|upstream|other>, <url of original patch>
+Bug: <url in upstream bugtracker>
+Bug-Debian: http://bugs.debian.org/<bugnumber>
+Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
+Forwarded: <no|not-needed|url proving that it has been forwarded>
+Reviewed-By: <name and email of someone who approved the patch>
+Last-Update: <YYYY-MM-DD>
+
+--- securityonion-capme-20121213.orig/capme/index.php
++++ securityonion-capme-20121213/capme/index.php
+@@ -3,17 +3,117 @@ include '.inc/functions.php';
+ // Argument counters
+ $s = 0;
+
++// If any input validation fails, return error and exit immediately
++function invalid($string) {
++        echo $string;
++        exit;
++}
++
+ // Argument defaults
+ $sip = $spt = $dip = $dpt = $stime = $etime = $usr = $pwd = $sancp = $event = $elsa = $bro = $tcpflow = $pcap = '';
+-// Grab any arguments provided in URI
+-if (isset($_REQUEST['sip']))      { $sip    = $_REQUEST['sip'];      $s++; }
+-if (isset($_REQUEST['spt']))      { $spt    = $_REQUEST['spt'];      $s++; }
+-if (isset($_REQUEST['dip']))      { $dip    = $_REQUEST['dip'];      $s++; }
+-if (isset($_REQUEST['dpt']))      { $dpt    = $_REQUEST['dpt'];      $s++; }
+-if (isset($_REQUEST['stime']))    { $stime  = $_REQUEST['stime'];    $s++; }
+-if (isset($_REQUEST['etime']))    { $etime  = $_REQUEST['etime'];    $s++; }
+-if (isset($_REQUEST['user']))     { $usr    = $_REQUEST['user'];     $s++; }
+-if (isset($_REQUEST['password'])) { $pwd    = $_REQUEST['password']; $s++; }
++
++// Validate user input - source IP address - sip
++if (isset($_REQUEST['sip']))      { 
++	if (!filter_var($_REQUEST['sip'], FILTER_VALIDATE_IP)) {
++        	invalid("Invalid source IP.");
++	} else {
++		$sip    = $_REQUEST['sip'];      $s++; 
++	}
++}
++
++// Validate user input - source port - spt
++// must be an integer between 0 and 65535
++if (isset($_REQUEST['spt']))      { 
++	if (filter_var($_REQUEST['spt'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>0, "max_range"=>65535))) === false) {
++        	invalid("Invalid source port.");
++	} else {
++		$spt    = $_REQUEST['spt'];      $s++;
++	}
++}
++
++// Validate user input - destination IP address - dip
++if (isset($_REQUEST['dip']))      { 
++	if (!filter_var($_REQUEST['dip'], FILTER_VALIDATE_IP)) {
++        	invalid("Invalid destination IP.");
++	} else {
++		$dip    = $_REQUEST['dip'];      $s++; 
++	}
++}
++
++// Validate user input - destination port - dpt
++// must be an integer between 0 and 65535
++if (isset($_REQUEST['dpt']))      { 
++	if (filter_var($_REQUEST['dpt'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>0, "max_range"=>65535))) === false) {
++        	invalid("Invalid destination port.");
++	} else {
++		$dpt    = $_REQUEST['dpt'];      $s++;
++	}
++}
++
++// Validate user input - start time - stime
++// must be greater than 5 years ago and less than 5 years from today
++if (isset($_REQUEST['stime']))      { 
++	if (!( ($_REQUEST['stime'] >= (time() - 5 * 365 * 24 * 60 * 60)) && ($_REQUEST['stime'] <= time() + 5 * 365 * 24 * 60 * 60) )) {
++        	invalid("Invalid start time.");
++	} else {
++		$stime	= $_REQUEST['stime'];	$s++;
++	}
++}
++
++// Validate user input - end time - etime
++// must be greater than 5 years ago and less than 5 years from today
++if (isset($_REQUEST['etime']))      { 
++	if (!( ($_REQUEST['etime'] >= (time() - 5 * 365 * 24 * 60 * 60)) && ($_REQUEST['etime'] <= time() + 5 * 365 * 24 * 60 * 60) )) {
++        	invalid("Invalid end time.");
++	} else {
++		$etime	= $_REQUEST['etime'];	$s++;
++	}
++}
++
++// Validate user input - username and password
++if ( isset($_REQUEST['user']) && isset($_REQUEST['password']) )      { 
++	// Validate user input - username - user
++	// Username must be alphanumeric
++	if (!(ctype_alnum($_REQUEST['user']))) {
++        	invalid("The user name or password is incorrect.");
++	} else {
++		$usr	= $_REQUEST['user'];	$s++;
++	}
++
++	// Validate user input - password
++	$pwd    = $_REQUEST['password'];	$s++;
++	$db = mysql_connect($dbHost,$dbUser,$dbPass);
++	$link = mysql_select_db($dbName, $db);
++	if ($link) {
++	        $query = "SELECT * FROM user_info WHERE username = '$usr'";
++        	$result = mysql_query($query);
++	        $numRows = mysql_num_rows($result);
++
++	        if ($numRows > 0) {
++        	    while ($row = mysql_fetch_row($result)) {
++                	$userHash       = $row[3];
++	            }
++        	    // The first 2 chars are the salt     
++	            $theSalt = substr($userHash, 0,2);
++
++	            // The remainder is the hash
++        	    $theHash = substr($userHash, 2);
++
++	            // Now we hash the users input                 
++        	    $testHash = sha1($pwd . $theSalt);
++
++	            // Does it match? If not, exit.
++        	    if ($testHash !== $theHash) {
++                	invalid("The user name or password is incorrect.");
++	            }
++        	} else {
++	            invalid("The user name or password is incorrect.");
++        	}
++	} else {
++        	invalid("Connection Failed.");
++	}
++}
++
+ // If we see a filename parameter, we know the request came from Snorby
+ // and if so we can just query the event table since Snorby just has NIDS alerts
+ // If the referer contains "elsa-query", then it's most likely a Security Onion user 
+--- securityonion-capme-20121213.orig/capme/pcap/index.php
++++ securityonion-capme-20121213/capme/pcap/index.php
+@@ -1,5 +1,4 @@
+ <?php
+-$host  = $_SERVER['HTTP_HOST'];
+-header("Location: https://$host/capme");
++header("Location: /capme");
+ exit;
+ ?>

debian/patches/series

@@ -19,3 +19,4 @@ update-cron-job-to-remove-old-pcaps-from-varwwwso
 change-ELSA-referer-check-from-3154-to-elsa-query
 add-input-validation
 Issue-840:-securityonion-capme:-remove-include-config-from-callback
+securityonion-capme-needs-additional-input-validation-in-index.php-#856