From 6048cbcf1b2e2029250f9eb5fe166627c89398fd Mon Sep 17 00:00:00 2001
From: Renato Botelho <garga@FreeBSD.org>
Date: Thu, 19 Jun 2014 15:04:39 -0300
Subject: Improve a bit user input parameters, also make sure referer starts
 with / to avoid sending users to external sites

---
 config/snort/snort_import_aliases.php |  4 ++--
 config/snort/snort_rules_flowbits.php |  2 +-
 config/snort/snort_select_alias.php   | 18 ++++++++++--------
 3 files changed, 13 insertions(+), 11 deletions(-)

diff --git a/config/snort/snort_import_aliases.php b/config/snort/snort_import_aliases.php
index 80b3bb1d..ba71c9bf 100644
--- a/config/snort/snort_import_aliases.php
+++ b/config/snort/snort_import_aliases.php
@@ -32,13 +32,13 @@ require_once("functions.inc");
 require_once("/usr/local/pkg/snort/snort.inc");
 
 // Retrieve any passed QUERY STRING or POST variables
-if (isset($_POST['id']))
+if (isset($_POST['id']) && is_numericint($_POST['id']))
 	$id = $_POST['id'];
 elseif (isset($_GET['id']) && is_numericint($_GET['id']))
 	$id = htmlspecialchars($_GET['id']);
 
 if (isset($_POST['eng']))
-	$eng = $_POST['eng'];
+	$eng = htmlspecialchars($_POST['eng']);
 elseif (isset($_GET['eng']))
 	$eng = htmlspecialchars($_GET['eng']);
 
diff --git a/config/snort/snort_rules_flowbits.php b/config/snort/snort_rules_flowbits.php
index daf1c4ef..3baa502c 100644
--- a/config/snort/snort_rules_flowbits.php
+++ b/config/snort/snort_rules_flowbits.php
@@ -53,7 +53,7 @@ if (is_null($id)) {
 
 // Set who called us so we can return to the correct page with
 // the RETURN ('cancel') button.
-if ($_POST['referrer'])
+if (isset($_POST['referrer']) && substr($_POST['referrer'], 0, 1) == '/')
 	$referrer = $_POST['referrer'];
 else
 	$referrer = $_SERVER['HTTP_REFERER'];
diff --git a/config/snort/snort_select_alias.php b/config/snort/snort_select_alias.php
index c632b388..e13d0cb4 100644
--- a/config/snort/snort_select_alias.php
+++ b/config/snort/snort_select_alias.php
@@ -47,29 +47,31 @@ else
 
 // Retrieve any passed QUERY STRING or POST variables
 if (isset($_POST['type']))
-	$type = $_POST['type'];
+	$type = htmlspecialchars($_POST['type']);
 elseif (isset($_GET['type']))
 	$type = htmlspecialchars($_GET['type']);
 
 if (isset($_POST['varname']))
-	$varname = $_POST['varname'];
+	$varname = htmlspecialchars($_POST['varname']);
 elseif (isset($_GET['varname']))
 	$varname = htmlspecialchars($_GET['varname']);
 
 if (isset($_POST['multi_ip']))
-	$multi_ip = $_POST['multi_ip'];
+	$multi_ip = htmlspecialchars($_POST['multi_ip']);
 elseif (isset($_GET['multi_ip']))
 	$multi_ip = htmlspecialchars($_GET['multi_ip']);
 
-if (isset($_POST['returl']))
+if (isset($_POST['returl'])) && substr($_POST['returl'], 0, 1) == '/')
 	$referrer = urldecode($_POST['returl']);
-elseif (isset($_GET['returl']))
+elseif (isset($_GET['returl'])) && substr($_GET['returl'], 0, 1) == '/')
 	$referrer = urldecode($_GET['returl']);
+else
+	$referrer = $_SERVER['HTTP_REFERER'];
 
 // Make sure we have a valid VARIABLE name
 // and ALIAS TYPE, or else bail out.
 if (is_null($type) || is_null($varname)) {
-	header("Location: http://{$referrer}?{$querystr}");
+	header("Location: {$referrer}?{$querystr}");
 	exit;
 }
 
@@ -132,8 +134,8 @@ include("head.inc");
 <input type="hidden" name="varname" value="<?=$varname;?>"/>
 <input type="hidden" name="type" value="<?=$type;?>"/>
 <input type="hidden" name="multi_ip" value="<?=$multi_ip;?>"/>
-<input type="hidden" name="returl" value="<?=$referrer;?>"/>
-<input type="hidden" name="org_querystr" value="<?=$querystr;?>"/>
+<input type="hidden" name="returl" value="<?=htmlspecialchars($referrer);?>"/>
+<input type="hidden" name="org_querystr" value="<?=htmlspecialchars($querystr);?>"/>
 <?php if ($input_errors) print_input_errors($input_errors); ?>
 <div id="boxarea">
 <table width="100%" border="0" cellpadding="0" cellspacing="0">
-- 
cgit v1.2.3