Bug #8871
closedSuricata: input not validated properly in suricata_rulesets.php results in wrong argument passed to in_array()
0%
Description
Spotted this today:
Crash report begins. Anonymous machine information: amd64 11.2-RELEASE-p2 FreeBSD 11.2-RELEASE-p2 #106 b0703dcab3c(RELENG_2_4_4): Sun Sep 2 22:17:18 EDT 2018 root@buildbot3:/builder/crossbuild-ce-master/obj/amd64/FWJoMRHc/builder/crossbuild-ce-master/pfSense/tmp/FreeBSD-src/sys/pfSense Crash report details: PHP Errors: [03-Sep-2018 10:26:58 Etc/UTC] PHP Warning: in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 450 No FreeBSD crash data found.
It will only trigger if the community rules are enabled:
<?php elseif (in_array($community_rules_file, $enabled_rulesets_array)): ?> <tr> <td> <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/> </td> <td colspan="4"> <?php if ($no_community_files): ?> <?php echo gettext("{$msg_community}"); ?> <?php else: ?> <a href='suricata_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a> <?php endif; ?> </td> </tr> <?php else: ?>
Without further inspection, I would guess at some point $enabled_rulesets_array is initialized with information probably stored from user input (I noticed this came up after I added a new rule to my disabled list but could have been there earlier).
Probably not a security risk, but it deserves further analysis as it might indicate a lack of user input validation (you do need to be authenticated and privileged to alter the Suricata configuration).
I don't know if it manifests functionally elsewhere (ex by causing problems).
Updated by L H about 6 years ago
Forgot to set Category -> Suricata.
Running b0703dcab3c(RELENG_2_4_4) (snapshot) with latest Suricata package available.
Updated by L H about 6 years ago
Seems to have been fixed silently, or through a different component or such, but no updates recorded here...
Updated by Bill Meeks about 6 years ago
The variable $enabled_rulesets_array is populated by the PHP code as it reads the config.xml configuration for the Suricata package. This array represents the list of enabled categories the user has previously "clicked" on the CATEGORIES tab. The array values are not direct user input, and thus it does not require user input validation.
That error was coming from the PHP 7 upgrade, but it should be fixed now.