From 700d4ef187f279bc0949eed074656151891374cf Mon Sep 17 00:00:00 2001 From: doug Date: Mon, 8 Feb 2016 10:54:41 -0500 Subject: [PATCH] securityonion-capme needs additional input validation in index.php #856 --- debian/changelog | 6 + ...itional-input-validation-in-index.php-#856 | 163 ++++++++++++++++++ debian/patches/series | 1 + 3 files changed, 170 insertions(+) create mode 100644 debian/patches/securityonion-capme-needs-additional-input-validation-in-index.php-#856 diff --git a/debian/changelog b/debian/changelog index 50e384d..58976da 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,9 @@ +securityonion-capme (20121213-0ubuntu0securityonion32) trusty; urgency=medium + + * securityonion-capme needs additional input validation in index.php #856 + + -- Doug Burks Mon, 08 Feb 2016 10:53:56 -0500 + securityonion-capme (20121213-0ubuntu0securityonion31) trusty; urgency=medium * Issue 840: securityonion-capme: remove include config from callback diff --git a/debian/patches/securityonion-capme-needs-additional-input-validation-in-index.php-#856 b/debian/patches/securityonion-capme-needs-additional-input-validation-in-index.php-#856 new file mode 100644 index 0000000..70052ce --- /dev/null +++ b/debian/patches/securityonion-capme-needs-additional-input-validation-in-index.php-#856 @@ -0,0 +1,163 @@ +Description: + TODO: Put a short summary on the line above and replace this paragraph + with a longer explanation of this change. Complete the meta-information + with other relevant fields (see below for details). To make it easier, the + information below has been extracted from the changelog. Adjust it or drop + it. + . + securityonion-capme (20121213-0ubuntu0securityonion32) trusty; urgency=medium + . + * securityonion-capme needs additional input validation in index.php #856 +Author: Doug Burks + +--- +The information above should follow the Patch Tagging Guidelines, please +checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here +are templates for supplementary fields that you might want to add: + +Origin: , +Bug: +Bug-Debian: http://bugs.debian.org/ +Bug-Ubuntu: https://launchpad.net/bugs/ +Forwarded: +Reviewed-By: +Last-Update: + +--- securityonion-capme-20121213.orig/capme/index.php ++++ securityonion-capme-20121213/capme/index.php +@@ -3,17 +3,117 @@ include '.inc/functions.php'; + // Argument counters + $s = 0; + ++// If any input validation fails, return error and exit immediately ++function invalid($string) { ++ echo $string; ++ exit; ++} ++ + // Argument defaults + $sip = $spt = $dip = $dpt = $stime = $etime = $usr = $pwd = $sancp = $event = $elsa = $bro = $tcpflow = $pcap = ''; +-// Grab any arguments provided in URI +-if (isset($_REQUEST['sip'])) { $sip = $_REQUEST['sip']; $s++; } +-if (isset($_REQUEST['spt'])) { $spt = $_REQUEST['spt']; $s++; } +-if (isset($_REQUEST['dip'])) { $dip = $_REQUEST['dip']; $s++; } +-if (isset($_REQUEST['dpt'])) { $dpt = $_REQUEST['dpt']; $s++; } +-if (isset($_REQUEST['stime'])) { $stime = $_REQUEST['stime']; $s++; } +-if (isset($_REQUEST['etime'])) { $etime = $_REQUEST['etime']; $s++; } +-if (isset($_REQUEST['user'])) { $usr = $_REQUEST['user']; $s++; } +-if (isset($_REQUEST['password'])) { $pwd = $_REQUEST['password']; $s++; } ++ ++// Validate user input - source IP address - sip ++if (isset($_REQUEST['sip'])) { ++ if (!filter_var($_REQUEST['sip'], FILTER_VALIDATE_IP)) { ++ invalid("Invalid source IP."); ++ } else { ++ $sip = $_REQUEST['sip']; $s++; ++ } ++} ++ ++// Validate user input - source port - spt ++// must be an integer between 0 and 65535 ++if (isset($_REQUEST['spt'])) { ++ if (filter_var($_REQUEST['spt'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>0, "max_range"=>65535))) === false) { ++ invalid("Invalid source port."); ++ } else { ++ $spt = $_REQUEST['spt']; $s++; ++ } ++} ++ ++// Validate user input - destination IP address - dip ++if (isset($_REQUEST['dip'])) { ++ if (!filter_var($_REQUEST['dip'], FILTER_VALIDATE_IP)) { ++ invalid("Invalid destination IP."); ++ } else { ++ $dip = $_REQUEST['dip']; $s++; ++ } ++} ++ ++// Validate user input - destination port - dpt ++// must be an integer between 0 and 65535 ++if (isset($_REQUEST['dpt'])) { ++ if (filter_var($_REQUEST['dpt'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>0, "max_range"=>65535))) === false) { ++ invalid("Invalid destination port."); ++ } else { ++ $dpt = $_REQUEST['dpt']; $s++; ++ } ++} ++ ++// Validate user input - start time - stime ++// must be greater than 5 years ago and less than 5 years from today ++if (isset($_REQUEST['stime'])) { ++ if (!( ($_REQUEST['stime'] >= (time() - 5 * 365 * 24 * 60 * 60)) && ($_REQUEST['stime'] <= time() + 5 * 365 * 24 * 60 * 60) )) { ++ invalid("Invalid start time."); ++ } else { ++ $stime = $_REQUEST['stime']; $s++; ++ } ++} ++ ++// Validate user input - end time - etime ++// must be greater than 5 years ago and less than 5 years from today ++if (isset($_REQUEST['etime'])) { ++ if (!( ($_REQUEST['etime'] >= (time() - 5 * 365 * 24 * 60 * 60)) && ($_REQUEST['etime'] <= time() + 5 * 365 * 24 * 60 * 60) )) { ++ invalid("Invalid end time."); ++ } else { ++ $etime = $_REQUEST['etime']; $s++; ++ } ++} ++ ++// Validate user input - username and password ++if ( isset($_REQUEST['user']) && isset($_REQUEST['password']) ) { ++ // Validate user input - username - user ++ // Username must be alphanumeric ++ if (!(ctype_alnum($_REQUEST['user']))) { ++ invalid("The user name or password is incorrect."); ++ } else { ++ $usr = $_REQUEST['user']; $s++; ++ } ++ ++ // Validate user input - password ++ $pwd = $_REQUEST['password']; $s++; ++ $db = mysql_connect($dbHost,$dbUser,$dbPass); ++ $link = mysql_select_db($dbName, $db); ++ if ($link) { ++ $query = "SELECT * FROM user_info WHERE username = '$usr'"; ++ $result = mysql_query($query); ++ $numRows = mysql_num_rows($result); ++ ++ if ($numRows > 0) { ++ while ($row = mysql_fetch_row($result)) { ++ $userHash = $row[3]; ++ } ++ // The first 2 chars are the salt ++ $theSalt = substr($userHash, 0,2); ++ ++ // The remainder is the hash ++ $theHash = substr($userHash, 2); ++ ++ // Now we hash the users input ++ $testHash = sha1($pwd . $theSalt); ++ ++ // Does it match? If not, exit. ++ if ($testHash !== $theHash) { ++ invalid("The user name or password is incorrect."); ++ } ++ } else { ++ invalid("The user name or password is incorrect."); ++ } ++ } else { ++ invalid("Connection Failed."); ++ } ++} ++ + // If we see a filename parameter, we know the request came from Snorby + // and if so we can just query the event table since Snorby just has NIDS alerts + // If the referer contains "elsa-query", then it's most likely a Security Onion user +--- securityonion-capme-20121213.orig/capme/pcap/index.php ++++ securityonion-capme-20121213/capme/pcap/index.php +@@ -1,5 +1,4 @@ + diff --git a/debian/patches/series b/debian/patches/series index 29e8912..466adfa 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -19,3 +19,4 @@ update-cron-job-to-remove-old-pcaps-from-varwwwso change-ELSA-referer-check-from-3154-to-elsa-query add-input-validation Issue-840:-securityonion-capme:-remove-include-config-from-callback +securityonion-capme-needs-additional-input-validation-in-index.php-#856