Add input validation to avoid XSS #3 #4 #5 #6 #7 #8 #9 #10

Security-Onion-Solutions · Feb 8, 2016 · 6adb8d1 · 6adb8d1
1 parent a23b7aa
commit 6adb8d1
Showing 1 changed file with 109 additions and 9 deletions.
diff --git a/capme/index.php b/capme/index.php
@@ -3,17 +3,117 @@
 // Argument counters
 $s = 0;
 
+// If any input validation fails, return error and exit immediately
+function invalid($string) {
+        echo $string;
+        exit;
+}
+
 // Argument defaults
 $sip = $spt = $dip = $dpt = $stime = $etime = $usr = $pwd = $sancp = $event = $elsa = $bro = $tcpflow = $pcap = '';
-// Grab any arguments provided in URI
-if (isset($_REQUEST['sip']))      { $sip    = $_REQUEST['sip'];      $s++; }
-if (isset($_REQUEST['spt']))      { $spt    = $_REQUEST['spt'];      $s++; }
-if (isset($_REQUEST['dip']))      { $dip    = $_REQUEST['dip'];      $s++; }
-if (isset($_REQUEST['dpt']))      { $dpt    = $_REQUEST['dpt'];      $s++; }
-if (isset($_REQUEST['stime']))    { $stime  = $_REQUEST['stime'];    $s++; }
-if (isset($_REQUEST['etime']))    { $etime  = $_REQUEST['etime'];    $s++; }
-if (isset($_REQUEST['user']))     { $usr    = $_REQUEST['user'];     $s++; }
-if (isset($_REQUEST['password'])) { $pwd    = $_REQUEST['password']; $s++; }
+
+// Validate user input - source IP address - sip
+if (isset($_REQUEST['sip']))      { 
+	if (!filter_var($_REQUEST['sip'], FILTER_VALIDATE_IP)) {
+        	invalid("Invalid source IP.");
+	} else {
+		$sip    = $_REQUEST['sip'];      $s++; 
+	}
+}
+
+// Validate user input - source port - spt
+// must be an integer between 0 and 65535
+if (isset($_REQUEST['spt']))      { 
+	if (filter_var($_REQUEST['spt'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>0, "max_range"=>65535))) === false) {
+        	invalid("Invalid source port.");
+	} else {
+		$spt    = $_REQUEST['spt'];      $s++;
+	}
+}
+
+// Validate user input - destination IP address - dip
+if (isset($_REQUEST['dip']))      { 
+	if (!filter_var($_REQUEST['dip'], FILTER_VALIDATE_IP)) {
+        	invalid("Invalid destination IP.");
+	} else {
+		$dip    = $_REQUEST['dip'];      $s++; 
+	}
+}
+
+// Validate user input - destination port - dpt
+// must be an integer between 0 and 65535
+if (isset($_REQUEST['dpt']))      { 
+	if (filter_var($_REQUEST['dpt'], FILTER_VALIDATE_INT, array("options" => array("min_range"=>0, "max_range"=>65535))) === false) {
+        	invalid("Invalid destination port.");
+	} else {
+		$dpt    = $_REQUEST['dpt'];      $s++;
+	}
+}
+
+// Validate user input - start time - stime
+// must be greater than 5 years ago and less than 5 years from today
+if (isset($_REQUEST['stime']))      { 
+	if (!( ($_REQUEST['stime'] >= (time() - 5 * 365 * 24 * 60 * 60)) && ($_REQUEST['stime'] <= time() + 5 * 365 * 24 * 60 * 60) )) {
+        	invalid("Invalid start time.");
+	} else {
+		$stime	= $_REQUEST['stime'];	$s++;
+	}
+}
+
+// Validate user input - end time - etime
+// must be greater than 5 years ago and less than 5 years from today
+if (isset($_REQUEST['etime']))      { 
+	if (!( ($_REQUEST['etime'] >= (time() - 5 * 365 * 24 * 60 * 60)) && ($_REQUEST['etime'] <= time() + 5 * 365 * 24 * 60 * 60) )) {
+        	invalid("Invalid end time.");
+	} else {
+		$etime	= $_REQUEST['etime'];	$s++;
+	}
+}
+
+// Validate user input - username and password
+if ( isset($_REQUEST['user']) && isset($_REQUEST['password']) )      { 
+	// Validate user input - username - user
+	// Username must be alphanumeric
+	if (!(ctype_alnum($_REQUEST['user']))) {
+        	invalid("The user name or password is incorrect.");
+	} else {
+		$usr	= $_REQUEST['user'];	$s++;
+	}
+
+	// Validate user input - password
+	$pwd    = $_REQUEST['password'];	$s++;
+	$db = mysql_connect($dbHost,$dbUser,$dbPass);
+	$link = mysql_select_db($dbName, $db);
+	if ($link) {
+	        $query = "SELECT * FROM user_info WHERE username = '$usr'";
+        	$result = mysql_query($query);
+	        $numRows = mysql_num_rows($result);
+
+	        if ($numRows > 0) {
+        	    while ($row = mysql_fetch_row($result)) {
+                	$userHash       = $row[3];
+	            }
+        	    // The first 2 chars are the salt     
+	            $theSalt = substr($userHash, 0,2);
+
+	            // The remainder is the hash
+        	    $theHash = substr($userHash, 2);
+
+	            // Now we hash the users input                 
+        	    $testHash = sha1($pwd . $theSalt);
+
+	            // Does it match? If not, exit.
+        	    if ($testHash !== $theHash) {
+                	invalid("The user name or password is incorrect.");
+	            }
+        	} else {
+	            invalid("The user name or password is incorrect.");
+        	}
+	} else {
+        	invalid("Connection Failed.");
+	}
+}
+
 // If we see a filename parameter, we know the request came from Snorby
 // and if so we can just query the event table since Snorby just has NIDS alerts
 // If the referer contains "elsa-query", then it's most likely a Security Onion user