aboutsummaryrefslogtreecommitdiffstats
path: root/config/suricata
diff options
context:
space:
mode:
Diffstat (limited to 'config/suricata')
-rw-r--r--config/suricata/suricata.xml2
-rw-r--r--config/suricata/suricata_rules_flowbits.php2
-rw-r--r--config/suricata/suricata_select_alias.php18
3 files changed, 12 insertions, 10 deletions
diff --git a/config/suricata/suricata.xml b/config/suricata/suricata.xml
index a2acd49e..6aae2d93 100644
--- a/config/suricata/suricata.xml
+++ b/config/suricata/suricata.xml
@@ -51,7 +51,7 @@
<description>Suricata IDS/IPS Package</description>
<requirements>None</requirements>
<name>suricata</name>
- <version>1.4.6 pkg v1.0.2</version>
+ <version>1.4.6 pkg v1.0.6</version>
<title>Services: Suricata IDS</title>
<include_file>/usr/local/pkg/suricata/suricata.inc</include_file>
<menu>
diff --git a/config/suricata/suricata_rules_flowbits.php b/config/suricata/suricata_rules_flowbits.php
index c5193a8b..8d0fd5d3 100644
--- a/config/suricata/suricata_rules_flowbits.php
+++ b/config/suricata/suricata_rules_flowbits.php
@@ -65,7 +65,7 @@ if (is_null($id)) {
// Set who called us so we can return to the correct page with
// the RETURN ('cancel') button.
-if ($_POST['referrer'])
+if (isset($_POST['referrer']) && strpos($_POST['referrer'], '://'.$_SERVER['SERVER_NAME'].'/') !== FALSE)
$referrer = $_POST['referrer'];
else
$referrer = $_SERVER['HTTP_REFERER'];
diff --git a/config/suricata/suricata_select_alias.php b/config/suricata/suricata_select_alias.php
index 527412d1..c11802c2 100644
--- a/config/suricata/suricata_select_alias.php
+++ b/config/suricata/suricata_select_alias.php
@@ -47,29 +47,31 @@ else
// Retrieve any passed QUERY STRING or POST variables
if (isset($_POST['type']))
- $type = $_POST['type'];
+ $type = htmlspecialchars($_POST['type']);
elseif (isset($_GET['type']))
$type = htmlspecialchars($_GET['type']);
if (isset($_POST['varname']))
- $varname = $_POST['varname'];
+ $varname = htmlspecialchars($_POST['varname']);
elseif (isset($_GET['varname']))
$varname = htmlspecialchars($_GET['varname']);
if (isset($_POST['multi_ip']))
- $multi_ip = $_POST['multi_ip'];
+ $multi_ip = htmlspecialchars($_POST['multi_ip']);
elseif (isset($_GET['multi_ip']))
$multi_ip = htmlspecialchars($_GET['multi_ip']);
-if (isset($_POST['returl']))
+if (isset($_POST['returl']) && substr($_POST['returl'], 0, 1) == '/')
$referrer = urldecode($_POST['returl']);
-elseif (isset($_GET['returl']))
+elseif (isset($_GET['returl']) && substr($_GET['returl'], 0, 1) == '/')
$referrer = urldecode($_GET['returl']);
+else
+ $referrer = $_SERVER['HTTP_REFERER'];
// Make sure we have a valid VARIABLE name
// and ALIAS TYPE, or else bail out.
if (is_null($type) || is_null($varname)) {
- header("Location: http://{$referrer}?{$querystr}");
+ header("Location: {$referrer}?{$querystr}");
exit;
}
@@ -132,8 +134,8 @@ include("head.inc");
<input type="hidden" name="varname" value="<?=$varname;?>"/>
<input type="hidden" name="type" value="<?=$type;?>"/>
<input type="hidden" name="multi_ip" value="<?=$multi_ip;?>"/>
-<input type="hidden" name="returl" value="<?=$referrer;?>"/>
-<input type="hidden" name="org_querystr" value="<?=$querystr;?>"/>
+<input type="hidden" name="returl" value="<?=htmlspecialchars($referrer);?>"/>
+<input type="hidden" name="org_querystr" value="<?=htmlspecialchars($querystr);?>"/>
<?php if ($input_errors) print_input_errors($input_errors); ?>
<div id="boxarea">
<table width="100%" border="0" cellpadding="0" cellspacing="0">
generated by cgit v1.2.3 (git 2.25.1) at 2024-11-05 10:26:24 +0000