From e1be647aab970954f0c1312d3579c1e312add9ba Mon Sep 17 00:00:00 2001 From: bmeeks8 Date: Sun, 7 Sep 2014 17:56:35 -0400 Subject: Use $_POST instead of $_GET for DEL action to improve security. --- config/suricata/suricata_suppress.php | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) (limited to 'config/suricata/suricata_suppress.php') diff --git a/config/suricata/suricata_suppress.php b/config/suricata/suricata_suppress.php index 2fd2deeb..80249724 100644 --- a/config/suricata/suricata_suppress.php +++ b/config/suricata/suricata_suppress.php @@ -94,15 +94,16 @@ function suricata_find_suppresslist_interface($supplist) { return false; } -if ($_GET['act'] == "del") { - if ($a_suppress[$_GET['id']]) { +if ($_POST['del'] && is_numericint($_POST['list_id'])) { + if ($a_suppress[$_POST['list_id']]) { // make sure list is not being referenced by any Suricata-configured interface - if (suricata_suppresslist_used($a_suppress[$_GET['id']]['name'])) { + if (suricata_suppresslist_used($a_suppress[$_POST['list_id']]['name'])) { $input_errors[] = gettext("ERROR -- Suppress List is currently assigned to an interface and cannot be removed!"); } else { - unset($a_suppress[$_GET['id']]); - write_config(); + unset($a_suppress[$_POST['list_id']]); + write_config("Suricata pkg: deleted SUPPRESS LIST."); + sync_suricata_package_config(); header("Location: /suricata/suricata_suppress.php"); exit; } @@ -126,6 +127,7 @@ if ($input_errors) { ?>
+ - + -- cgit v1.2.3
@@ -189,10 +191,8 @@ if ($input_errors) { width="17" height="17" border="0" title=""/> ')">">');" + src="/themes//images/icons/icon_x.gif" width="17" height="17" border="0" title=""/>