Project

General

Profile

Actions
Copy link

Bug #8871

closed

Suricata: input not validated properly in suricata_rulesets.php results in wrong argument passed to in_array()

Added by L H over 6 years ago. Updated about 6 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
-
Target version:
-
Start date:
09/04/2018
Due date:
% Done:

0%

Estimated time:
Plus Target Version:
Affected Version:
Affected Plus Version:
Affected Architecture:

Description

Spotted this today:

Crash report begins.  Anonymous machine information:

amd64
11.2-RELEASE-p2
FreeBSD 11.2-RELEASE-p2 #106 b0703dcab3c(RELENG_2_4_4): Sun Sep  2 22:17:18 EDT 2018     root@buildbot3:/builder/crossbuild-ce-master/obj/amd64/FWJoMRHc/builder/crossbuild-ce-master/pfSense/tmp/FreeBSD-src/sys/pfSense

Crash report details:

PHP Errors:
[03-Sep-2018 10:26:58 Etc/UTC] PHP Warning:  in_array() expects parameter 2 to be array, string given in /usr/local/www/suricata/suricata_rulesets.php on line 450

No FreeBSD crash data found.

It will only trigger if the community rules are enabled:

                        <?php elseif (in_array($community_rules_file, $enabled_rulesets_array)): ?>
                                <tr>
                                        <td>
                                                <input type="checkbox" name="toenable[]" value="<?=$community_rules_file;?>" checked="checked"/>
                                        </td>
                                        <td colspan="4">
                                                <?php if ($no_community_files): ?>
                                                        <?php echo gettext("{$msg_community}"); ?>
                                                <?php else: ?>
                                                        <a href='suricata_rules.php?id=<?=$id;?>&openruleset=<?=$community_rules_file;?>'><?php echo gettext("{$msg_community}"); ?></a>
                                                <?php endif; ?>
                                        </td>
                                </tr>
                        <?php else: ?>

Without further inspection, I would guess at some point $enabled_rulesets_array is initialized with information probably stored from user input (I noticed this came up after I added a new rule to my disabled list but could have been there earlier).

Probably not a security risk, but it deserves further analysis as it might indicate a lack of user input validation (you do need to be authenticated and privileged to alter the Suricata configuration).
I don't know if it manifests functionally elsewhere (ex by causing problems).

Actions
Copy link
 #1

Updated by L H over 6 years ago

Forgot to set Category -> Suricata.
Running b0703dcab3c(RELENG_2_4_4) (snapshot) with latest Suricata package available.

Actions
Copy link
 #2

Updated by L H about 6 years ago

Seems to have been fixed silently, or through a different component or such, but no updates recorded here...

Actions
Copy link
 #3

Updated by Bill Meeks about 6 years ago

The variable $enabled_rulesets_array is populated by the PHP code as it reads the config.xml configuration for the Suricata package. This array represents the list of enabled categories the user has previously "clicked" on the CATEGORIES tab. The array values are not direct user input, and thus it does not require user input validation.

That error was coming from the PHP 7 upgrade, but it should be fixed now.

Actions
Copy link
 #4

Updated by Jim Pingle about 6 years ago

  • Status changed from New to Resolved
Actions
Copy link

Also available in: Atom PDF