From 59ed3438729fd56452f58a0f79f0c288db982ac3 Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Tue, 20 May 2014 08:59:44 -0400
Subject: Fix file browser vulnerability on LOGS BROWSER tab.

---
 config/suricata/suricata_logs_browser.php | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

(limited to 'config/suricata/suricata_logs_browser.php')

diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php
index 04edf373..566ab93f 100644
--- a/config/suricata/suricata_logs_browser.php
+++ b/config/suricata/suricata_logs_browser.php
@@ -55,21 +55,22 @@ $suricata_uuid = $a_instance[$instanceid]['uuid'];
 $if_real = get_real_interface($a_instance[$instanceid]['interface']);
 
 // Construct a pointer to the instance's logging subdirectory
-$suricatalogdir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}";
+$suricatalogdir = SURICATALOGDIR . "suricata_{$if_real}{$suricata_uuid}/";
 
-$logfile = $_POST['file'];
+// Limit all file access to just the currently selected interface's logging subdirectory
+$logfile = htmlspecialchars($suricatalogdir . basename($_POST['file']));
 
 if ($_POST['action'] == 'load') {
-	if(!is_file($_POST['file'])) {
+	if(!is_file($logfile)) {
 		echo "|3|" . gettext("Log file does not exist or that logging feature is not enabled") . ".|";
 	} else {
-		$data = file_get_contents($_POST['file']);
+		$data = file_get_contents($logfile);
 		if($data === false) {
 			echo "|1|" . gettext("Failed to read log file") . ".|";
 		} else {
 			$data = base64_encode($data);
-			echo "|0|{$_POST['file']}|{$data}|";
+			echo "|0|{$logfile}|{$data}|";
 		}
 	}
 	exit;
@@ -180,7 +181,7 @@ if ($input_errors) {
 		$selected = "";
 		if ($log == basename($logfile))
 			$selected = "selected";
-		echo "\n";
+		echo "\n";
 	}
 ?>
    
@@ -222,7 +223,7 @@ if ($input_errors) {
-
+
-- cgit v1.2.3

From 2cd38ef500629821e72ddbce30c4bbd54ca201aa Mon Sep 17 00:00:00 2001
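Review bot: On the new `$logfile` line the filesystem path is run through `htmlspecialchars()` before it is handed to `is_file()` and `file_get_contents()`, so a log name containing `&`, `'`, `"` or `<` is rewritten before the open and reported as missing, while the actual confinement to `$suricatalogdir` comes from `basename()` and gains nothing from the escaping. Keep the path raw and escape only where it is echoed back: `$logfile = $suricatalogdir . basename(isset($_POST['file']) ? $_POST['file'] : '');` and `echo "|0|" . htmlspecialchars($logfile) . "|{$data}|";` (the `isset` also avoids a notice when the parameter is absent). The second hunk's `$log == basename($logfile)` comparison relies on the same name surviving unchanged. If the page offers a fixed set of log names, checking the submitted name against that list would be a stronger guard than `basename()` alone; that list is not visible here. The `if ($_POST['action'] == 'load')` block closes outside the hunk.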
From: bmeeks8
Date: Tue, 20 May 2014 09:36:35 -0400
Subject: Need to include "instance" val in $_POST data for Ajax.

---
 config/suricata/suricata_logs_browser.php | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'config/suricata/suricata_logs_browser.php')

diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php
index 566ab93f..b949b499 100644
--- a/config/suricata/suricata_logs_browser.php
+++ b/config/suricata/suricata_logs_browser.php
@@ -48,6 +48,8 @@ elseif (isset($_GET['instance']) && is_numericint($_GET['instance']))
 if (empty($instanceid))
 	$instanceid = 0;
 
+log_error("Instance ID: {$instanceid}");
+
 if (!is_array($config['installedpackages']['suricata']['rule']))
 	$config['installedpackages']['suricata']['rule'] = array();
 $a_instance = $config['installedpackages']['suricata']['rule'];
@@ -102,7 +104,7 @@ if ($input_errors) {
 jQuery.ajax( "", { type: 'POST',
-			data: "action=load&file=" + jQuery("#logFile").val(),
+			data: "instance=" + jQuery("#instance").val() + "&action=load&file=" + jQuery("#logFile").val(),
 			complete: loadComplete
 		}
 	);
-- cgit v1.2.3

From 9bc3ab11bf16b35875baa0dae75996ab3c8775a2 Mon Sep 17 00:00:00 2001
From: bmeeks8
Date: Tue, 20 May 2014 09:44:41 -0400
Subject: Remove debugging line inadvertently left in.

---
 config/suricata/suricata_logs_browser.php | 2 --
 1 file changed, 2 deletions(-)

(limited to 'config/suricata/suricata_logs_browser.php')

diff --git a/config/suricata/suricata_logs_browser.php b/config/suricata/suricata_logs_browser.php
index b949b499..cbe5ee7b 100644
--- a/config/suricata/suricata_logs_browser.php
+++ b/config/suricata/suricata_logs_browser.php
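Review bot: The new `data:` line builds the POST body by string concatenation, so the `#instance` and `#logFile` values are sent without URL encoding and any `&`, `=`, `+` or `%` in them would be split or decoded by the server before `$_POST` is populated. Let jQuery encode each field by passing an object instead: `data: { instance: jQuery("#instance").val(), action: 'load', file: jQuery("#logFile").val() },`. The function containing this `jQuery.ajax` call starts and ends outside the hunk.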
@@ -48,8 +48,6 @@ elseif (isset($_GET['instance']) && is_numericint($_GET['instance']))
 if (empty($instanceid))
 	$instanceid = 0;
 
-log_error("Instance ID: {$instanceid}");
-
 if (!is_array($config['installedpackages']['suricata']['rule']))
 	$config['installedpackages']['suricata']['rule'] = array();
 $a_instance = $config['installedpackages']['suricata']['rule'];
-- cgit v1.2.3