From 6857ff8505977e8898b93c28c394d73ffb167087 Mon Sep 17 00:00:00 2001
From: Renato Botelho <garga@FreeBSD.org>
Date: Tue, 28 Jan 2014 14:38:05 -0200
Subject: Restrict snort_log_view.php to show only files inside SNORTLOGDIR, it
 fixes http://seclists.org/fulldisclosure/2014/Jan/187

---
 config/snort/snort_log_view.php | 5 ++++-
 pkg_config.10.xml               | 2 +-
 pkg_config.8.xml                | 2 +-
 pkg_config.8.xml.amd64          | 2 +-
 4 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/config/snort/snort_log_view.php b/config/snort/snort_log_view.php
index 4fc8d990..babae205 100644
--- a/config/snort/snort_log_view.php
+++ b/config/snort/snort_log_view.php
@@ -42,7 +42,10 @@ $contents = '';
 // Read the contents of the argument passed to us.
 // Is it a fully qualified path and file?
 if (file_exists($_GET['logfile']))
-	$contents = file_get_contents($_GET['logfile']);
+	if (substr(realpath($_GET['logfile']), 0, strlen(SNORTLOGDIR)) != SNORTLOGDIR)
+		$contents = gettext("\n\nERROR -- File: {$_GET['logfile']} can not be viewed!");
+	else
+		$contents = file_get_contents($_GET['logfile']);
 // It is not something we can display, so print an error.
 else
 	$contents = gettext("\n\nERROR -- File: {$_GET['logfile']} not found!");
diff --git a/pkg_config.10.xml b/pkg_config.10.xml
index 6dfd6f02..75bcedde 100644
--- a/pkg_config.10.xml
+++ b/pkg_config.10.xml
@@ -401,7 +401,7 @@
 		<!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. -->
 		<build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_SET=TARGETBASED PERFPROFILE DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITH_TARGETBASED=true;WITH_PERFPROFILE=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITH_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;NOPORTDOCS=true</build_options>
 		<config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file>
-		<version>2.9.5.5 pkg v3.0.2</version>
+		<version>2.9.5.5 pkg v3.0.3</version>
 		<required_version>2.2</required_version>
 		<status>Stable</status>
 		<configurationfile>/snort.xml</configurationfile>
diff --git a/pkg_config.8.xml b/pkg_config.8.xml
index 0e40dfb2..b5505b8e 100644
--- a/pkg_config.8.xml
+++ b/pkg_config.8.xml
@@ -525,7 +525,7 @@
 		<!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. -->
 		<build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_SET=TARGETBASED PERFPROFILE DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITH_TARGETBASED=true;WITH_PERFPROFILE=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITH_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;NOPORTDOCS=true</build_options>
 		<config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file>
-		<version>2.9.5.5 pkg v3.0.2</version>
+		<version>2.9.5.5 pkg v3.0.3</version>
 		<required_version>2.0</required_version>
 		<status>Stable</status>
 		<configurationfile>/snort.xml</configurationfile>
diff --git a/pkg_config.8.xml.amd64 b/pkg_config.8.xml.amd64
index 6454a58e..9ab48dcb 100644
--- a/pkg_config.8.xml.amd64
+++ b/pkg_config.8.xml.amd64
@@ -512,7 +512,7 @@
 		<!-- Use both styles for now, since our snort port isn't yet optionsng, but barnyard2 and others are. -->
 		<build_options>barnyard2_UNSET=ODBC PGSQL PRELUDE;barnyard2_SET=GRE IPV6 MPLS MYSQL;snort_SET=TARGETBASED PERFPROFILE DECODERPRE FLEXRESP3 GRE IPV6 MPLS NORMALIZER ZLIB;perl_SET=THREADS;WITH_THREADS=yes;WITH_IPV6=true;WITH_MPLS=true;WITH_GRE=true;WITH_TARGETBASED=true;WITH_PERFPROFILE=true;WITH_DECODERPRE=true;WITH_ZLIB=true;WITH_NORMALIZER=true;WITH_REACT=true;WITH_FLEXRESP3=true;WITHOUT_ODBC=true;WITHOUT_POSTGRESQL=true;WITHOUT_PRELUDE=true;NOPORTDOCS=true</build_options>
 		<config_file>http://www.pfsense.com/packages/config/snort/snort.xml</config_file>
-		<version>2.9.5.5 pkg v3.0.2</version>
+		<version>2.9.5.5 pkg v3.0.3</version>
 		<required_version>2.0</required_version>
 		<status>Stable</status>
 		<configurationfile>/snort.xml</configurationfile>
-- 
cgit v1.2.3