Fixes to access rights, some sanitization, etc

- Admins cannot manually change anyone's authkey, they need to generate a
  new one via the reset link

- Some pages could be reached directly by editing the URL - fixed (though this
  still needs further testing)

- Edited a change in the manual that may have been confusing

- Some changes to the way ACL is set up - still needs more work
Andras Iklody 2013-02-04 17:55:35 +01:00
parent 879a5fb282
commit 7f6f166838
11 changed files with 101 additions and 79 deletions


@ -92,7 +92,7 @@ class AppController extends Controller {
if ($this->_isRest()) {
// disable CSRF for REST access
if (array_key_exists('Security', $this->components))
$this->Security->csrfCheck = false;
$this->Security->csrfCheck = true;
// Authenticate user with authkey in Authorization HTTP header
if (!empty($_SERVER['HTTP_AUTHORIZATION'])) {
@ -128,6 +128,7 @@ class AppController extends Controller {
$this->set('isAclModify', $this->checkAcl('edit'));
$this->set('isAclModifyOrg', $this->checkRole());
$this->set('isAclPublish', $this->checkAcl('publish'));
$this->set('isAclAdd2', $this->checkAction('perm_add'));
$this->set('isAclSync', $this->checkAction('perm_sync'));
$this->set('isAclAdmin', $this->checkAction('perm_admin'));
$this->set('isAclAudit', $this->checkAction('perm_audit'));
@ -164,6 +165,14 @@ class AppController extends Controller {
return false;
}
protected function _isSiteAdmin() {
$org = $this->Auth->user('org');
if (isset($org) && $org === 'ADMIN') {
return true;
}
return false;
}
/**
* Refreshes the Auth session with new/updated data
* @return void
@ -304,7 +313,7 @@ class AppController extends Controller {
$queries = array(
// ATTRIBUTES
// rename value to value1
"ALTER TABLE `attributes` CHANGE `value` `value1` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL "
"ALTER TABLE `attributes` CHANGE `value` `value1` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL "
// add value2
,"ALTER TABLE `attributes` ADD `value2` TEXT CHARACTER SET utf8 COLLATE utf8_unicode_ci NOT NULL AFTER `value1` "
// fix the keys
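Review bot: The first hunk leaves the comment `// disable CSRF for REST access` above a line that sets `$this->Security->csrfCheck = true;`, so at least one of them is wrong; if `true` is the value that survives, REST clients that authenticate per request via the `Authorization` header have no way to obtain a CakePHP session CSRF token and their POST/PUT calls will be rejected, and if `false` survives the comment is right but the page shows both values, so the intent should be stated explicitly. Pin it with a comment next to the chosen line, e.g. `// REST clients authenticate per-request with the authkey header and carry no session CSRF token`. Separately, the new `_isSiteAdmin()` helper uses a strict `===` against the literal org name `'ADMIN'`, while the rest of this commit (LogsController, WhitelistsController, the user views) keeps comparing `$this->Auth->user('org') == 'ADMIN'` inline; routing those through the helper gives one place to change when "site admin" stops being an org-name string. The hunks cut through `beforeFilter()` and the migration query list, so those bodies continue outside what is shown.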


@ -167,7 +167,7 @@ class AttributesController extends AppController {
continue; // don't do anything for empty lines
$this->Attribute->create();
$this->request->data['Attribute']['value'] = $attribute; // set the value as the content of the single line
$this->request->data['Attribute']['value'] = Sanitize::clean($attribute); // set the value as the content of the single line
if ('true' == Configure::read('CyDefSIG.private')) {
$this->request->data = $this->Attribute->massageData($this->request->data);
}
@ -375,10 +375,12 @@ class AttributesController extends AppController {
$this->Attribute->create();
if ($this->request->data['Attribute']['malware']) {
$this->request->data['Attribute']['type'] = "malware-sample";
$filename = Sanitize::clean($filename);
$this->request->data['Attribute']['value'] = $filename . '|' . $tmpfile->md5(); // TODO gives problems with bigger files
$this->request->data['Attribute']['to_ids'] = 1; // LATER let user choose to send this to IDS
} else {
$this->request->data['Attribute']['type'] = "attachment";
$filename = Sanitize::clean($filename);
$this->request->data['Attribute']['value'] = $filename;
$this->request->data['Attribute']['to_ids'] = 0;
}
@ -431,13 +433,12 @@ class AttributesController extends AppController {
$execOutput = array();
rename($file->path, $fileInZip->path); // TODO check if no workaround exists for the current filtering mechanisms
if (PHP_OS == 'WINNT') {
$string = "zip -j -P infected " . $zipfile->path . ' "' . $fileInZip->path . '"';
exec("zip -j -P infected " . $zipfile->path . ' "' . $fileInZip->path . '"', $execOutput, $execRetval);
} else {
exec("zip -j -P infected " . $zipfile->path . ' "' . addslashes($fileInZip->path) . '"', $execOutput, $execRetval);
}
if ($execRetval != 0) { // not EXIT_SUCCESS
$this->Session->setFlash(__('Problem with zipping the attachment. Please report to administrator. ' . $string . PHP_OS . $execOutput, true), 'default', array(), 'error');
$this->Session->setFlash(__('Problem with zipping the attachment. Please report to administrator. ' . $execOutput, true), 'default', array(), 'error');
// remove the entry from the database
$this->Attribute->delete();
$fileInZip->delete();
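Review bot: The non-Windows branch in the last hunk still builds the `zip` command line by string concatenation with `addslashes()` on the file path, which is not a shell escape: inside double quotes `sh` still expands `$(...)`, backticks and `$VAR`, and `$zipfile->path` is not quoted at all, so if any part of either path derives from the uploaded file name this is a command-injection point; the Windows branch does no escaping whatsoever. Use `escapeshellarg()` for both arguments in both branches, e.g. `exec('zip -j -P infected ' . escapeshellarg($zipfile->path) . ' ' . escapeshellarg($fileInZip->path), $execOutput, $execRetval);` (on Windows `escapeshellarg()` wraps in double quotes and neutralises `%`, `!` and `"`, which is still the right call). Also `$execOutput` is an array, so concatenating it into the flash message prints the literal string `Array`; if the intent is to show the zip output use `implode("\n", $execOutput)`, and consider whether echoing tool output (server paths included) to the user is desirable at all. The `Sanitize::clean()` calls in the earlier hunks are HTML-oriented (entity-encoding and escaping), so they will alter stored attribute values such as URLs containing `&` or `<`; output escaping belongs in the views, not in the stored value. The enclosing actions start before and continue past the hunks shown.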


@ -604,6 +604,7 @@ class EventsController extends AppController {
$this->Session->setFlash(__('The event could not be saved. Please, try again.'));
}
} else {
if(!$this->checkAction('perm_modify')) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
$this->request->data = $this->Event->read(null, $id);
}
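Review bot: The new `perm_modify` check sits only in the `else` branch, i.e. the path that loads the form for display, while the branch above it (the one that flashes `The event could not be saved`, which appears to be the save path) runs before the check is ever reached, so a user without `perm_modify` can still submit the edit form by POSTing directly. Move the guard to the top of the action, ahead of the request-method fork: `if (!$this->checkAction('perm_modify')) return $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));`. Note the `return`: CakePHP 2's `redirect()` exits by default, but being explicit keeps the action correct if `$exit` is ever passed as false. The action begins before this hunk, so the branch structure is inferred from the flash call visible here.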


@ -48,6 +48,7 @@ class LogsController extends AppController {
* @return void
*/
public function admin_index() {
if(!$this->checkAction('perm_audit')) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
$this->set('isSearch', 0);
if ($this->Auth->user('org') == 'ADMIN') {
$this->AdminCrud->adminIndex();
@ -58,7 +59,7 @@ class LogsController extends AppController {
$this->recursive = 0;
$this->paginate = array(
'limit' => 60,
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
'conditions' => $conditions
);
@ -69,6 +70,7 @@ class LogsController extends AppController {
public $helpers = array('Js' => array('Jquery'));
public function admin_search() {
if(!$this->checkAction('perm_audit')) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false));
$fullAddress = array('/admin/logs/search', '/logs/admin_search');
$orgRestriction = null;
if ($this->Auth->user('org') == 'ADMIN') {
@ -123,7 +125,7 @@ class LogsController extends AppController {
$this->{$this->defaultModel}->recursive = 0;
$this->paginate = array(
'limit' => 60,
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
'maxLimit' => 9999, // LATER we will bump here on a problem once we have more than 9999 logs(?)
'conditions' => $conditions
);
$this->set('list', Sanitize::clean($this->paginate()));
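Review bot: `admin_index()` and `admin_search()` now each open with a copy-pasted `perm_audit` redirect, so any further `admin_*` action added to LogsController later is unguarded by default; CakePHP 2 offers `isAuthorized()` (with `'authorize' => 'Controller'`) or a check in `beforeFilter()` that covers every action of the controller, and a minimal form would be `public function beforeFilter() { parent::beforeFilter(); if (!$this->checkAction('perm_audit')) $this->redirect(array('controller' => 'events', 'action' => 'index', 'admin' => false)); }` with the per-action lines then removable. The surviving `else` paths still compare the org string inline (`$this->Auth->user('org') == 'ADMIN'`) although this commit adds `_isSiteAdmin()` to AppController. Separately, `Sanitize::clean($this->paginate())` at the end of `admin_search()` HTML-encodes the log rows before they reach the view, which will double-encode if the template also uses `h()`; escaping belongs in the template. Both actions continue past the hunks shown.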


@ -68,7 +68,7 @@ class WhitelistsController extends AppController {
* @throws NotFoundException
*/
public function admin_edit($id = null) {
if($this->Auth->User('org') != 'ADMIN') $this->redirect(array('controller' => 'blaclists', 'action' => 'index', 'admin' => false));
if($this->Auth->User('org') != 'ADMIN') $this->redirect(array('controller' => 'blacklists', 'action' => 'index', 'admin' => false));
$this->AdminCrud->adminEdit($id);
}
@ -81,7 +81,7 @@ class WhitelistsController extends AppController {
* @throws NotFoundException
*/
public function admin_delete($id = null) {
if($this->Auth->User('org') != 'ADMIN') $this->redirect(array('controller' => 'blaclists', 'action' => 'index', 'admin' => false));
if($this->Auth->User('org') != 'ADMIN') $this->redirect(array('controller' => 'blacklists', 'action' => 'index', 'admin' => false));
$this->AdminCrud->adminDelete($id);
}
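Review bot: Both redirects in WhitelistsController send a non-site-admin to the `blacklists` controller's index rather than to `whitelists`, which reads like a copy-paste from a BlacklistsController; the typo fix keeps that target, so confirm it is intended and otherwise change it to `array('controller' => 'whitelists', 'action' => 'index', 'admin' => false)`. The guard also keeps the inline `$this->Auth->User('org') != 'ADMIN'` test (mixed-case method name, which PHP tolerates but the rest of the commit writes as `user`) while this commit introduces `_isSiteAdmin()` in AppController; `if (!$this->_isSiteAdmin()) return $this->redirect(...)` would keep the site-admin rule in one place.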


@ -49,13 +49,13 @@ class Attribute extends AppModel {
IF (Attribute.category="Payload type", "h",
IF (Attribute.category="Attribution", "i",
IF (Attribute.category="External analysis", "j", "k"))))))))))'
); // TODO hardcoded
); // TODO hardcoded
/**
* Field Descriptions
* explanations of certain fields to be used in various views
*
* @public array
* @var array
*/
public $fieldDescriptions = array(
'signature' => array('desc' => 'Is this attribute eligible to automatically create an IDS signature (network IDS or host IDS) out of it ?'),
@ -63,8 +63,8 @@ class Attribute extends AppModel {
);
public $distributionDescriptions = array(
'Your organization only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of your organisation on your server to see it."),
'This server-only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of any organisation on your server to see it."),
'Your organization only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of your organisation on this server to see it."),
'This server-only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of any organisation on this server to see it."),
'This Community-only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "Users that are part of your MISP community will be able to see the event. This includes your own organisation, organisations on your MISP server and organisations running MISP servers that synchronise with your server. Any other organisations connected to such linked servers will be restricted from seeing the event. Use this option if you are on the central hub of your community."), // former Community
'Connected communities' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "Users that are part of your MISP community will be able to see the event. This includes all organisations on your own MISP server, all organisations on MISP servers synchronising with your server and the hosting organisations of servers that connect to those afore mentioned servers (so basically any server that is 2 hops away from your own). Any other organisations connected to linked servers that are 2 hops away from your own will be restricted from seeing the event. Use this option if your server isn't the central MISP hub of the community but is connected to it."),
'All communities' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This will share the event with all MISP communities, allowing the event to be freely propagated from one server to the next."),
@ -403,7 +403,7 @@ class Attribute extends AppModel {
public function beforeDelete($cascade = true) {
// delete attachments from the disk
$this->read(); // first read the attribute from the db
$this->read(); // first read the attribute from the db
if ($this->typeIsAttachment($this->data['Attribute']['type'])) {
// FIXME secure this filesystem access/delete by not allowing to change directories or go outside of the directory container.
// only delete the file if it exists
@ -821,7 +821,7 @@ class Attribute extends AppModel {
}
if ($this->save($this->data)) {
// attribute saved correctly in the db
// attribute saved correctly in the db
} else {
// do some?
}
@ -832,7 +832,7 @@ class Attribute extends AppModel {
$rootDir = APP . DS . "files" . DS . $eventId;
$dir = new Folder($rootDir, true);
// move the file to the correct location
$destpath = $rootDir . DS . $this->getId(); // id of the new attribute in the database
$destpath = $rootDir . DS . $this->getId(); // id of the new attribute in the database
$file = new File ($destpath);
$zipfile = new File ($destpath . '.zip');
$fileInZip = new File($rootDir . DS . $extraPath . $filename); // FIXME do sanitization of the filename
@ -843,10 +843,10 @@ class Attribute extends AppModel {
$execRetval = '';
$execOutput = array();
exec("zip -j -P infected " . $zipfile->path . ' "' . addslashes($fileInZip->path) . '"', $execOutput, $execRetval);
if ($execRetval != 0) { // not EXIT_SUCCESS
if ($execRetval != 0) { // not EXIT_SUCCESS
// do some?
};
$fileInZip->delete(); // delete the original not-zipped-file
$fileInZip->delete(); // delete the original not-zipped-file
rename($zipfile->path, $file->path); // rename the .zip to .nothing
} else {
$fileAttach = new File($fileP);
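Review bot: The attachment hunk still builds the on-disk path as `$rootDir . DS . $extraPath . $filename` with the `FIXME do sanitization of the filename` comment intact, and the `Sanitize::clean()` added elsewhere in this commit is an HTML sanitiser, not a path one, so a name containing `../` could still place the temporary file outside the event directory before it is zipped and renamed; `basename($filename)` at that line closes the traversal without changing the stored attribute value. The same hunk quotes the path into the `zip` command with `addslashes()`, which leaves `$(...)`, backticks and `$VAR` live inside double quotes; `escapeshellarg()` on both `$zipfile->path` and `$fileInZip->path` is the shell-safe form. The `'desc'` strings in the first hunk read "distribution of the even" in every entry, presumably "event". The methods start above and continue below the hunks shown, so where `$extraPath` and `$filename` come from is not visible here.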


@ -56,8 +56,8 @@ class Event extends AppModel {
);
public $distributionDescriptions = array(
'Your organization only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of your organisation on your server to see it."),
'This server-only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of any organisation on your server to see it."),
'Your organization only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of your organisation on this server to see it."),
'This server-only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This setting will only allow members of any organisation on this server to see it."),
'This Community-only' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "Users that are part of your MISP community will be able to see the event. This includes your own organisation, organisations on your MISP server and organisations running MISP servers that synchronise with your server. Any other organisations connected to such linked servers will be restricted from seeing the event. Use this option if you are on the central hub of your community."), // former Community
'Connected communities' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "Users that are part of your MISP community will be able to see the event. This includes all organisations on your own MISP server, all organisations on MISP servers synchronising with your server and the hosting organisations of servers that connect to those afore mentioned servers (so basically any server that is 2 hops away from your own). Any other organisations connected to linked servers that are 2 hops away from your own will be restricted from seeing the event. Use this option if your server isn't the central MISP hub of the community but is connected to it."),
'All communities' => array('desc' => 'This field determines the current distribution of the even', 'formdesc' => "This will share the event with all MISP communities, allowing the event to be freely propagated from one server to the next."),


@ -1,25 +1,25 @@
<div class="users form">
<?php echo $this->Form->create('User');?>
<fieldset>
<legend><?php echo __('Admin Add User'); ?></legend>
<?php
echo $this->Form->input('email');
echo $this->Form->input('password');
echo $this->Form->input('confirm_password', array('type' => 'password', 'div' => array('class' => 'input password required')));
if ($currentOrg == 'ADMIN') {
echo $this->Form->input('org');
}
echo $this->Form->input('role_id', array('label' => 'Role'));
echo $this->Form->input('autoalert');
echo $this->Form->input('authkey', array('value' => $authkey));
echo $this->Form->input('nids_sid');
echo $this->Form->input('gpgkey');
?>
</fieldset>
<?php echo $this->Form->end(__('Submit'));?>
</div>
<div class="actions">
<ul>
<?php echo $this->element('actions_menu'); ?>
</ul>
</div>
<div class="users form">
<?php echo $this->Form->create('User');?>
<fieldset>
<legend><?php echo __('Admin Add User'); ?></legend>
<?php
echo $this->Form->input('email');
echo $this->Form->input('password');
echo $this->Form->input('confirm_password', array('type' => 'password', 'div' => array('class' => 'input password required')));
if ($currentOrg == 'ADMIN') {
echo $this->Form->input('org');
}
echo $this->Form->input('role_id', array('label' => 'Role'));
echo $this->Form->input('autoalert');
echo $this->Form->input('authkey', array('value' => $authkey, 'disabled' => 'disabled'));
echo $this->Form->input('nids_sid');
echo $this->Form->input('gpgkey');
?>
</fieldset>
<?php echo $this->Form->end(__('Submit'));?>
</div>
<div class="actions">
<ul>
<?php echo $this->element('actions_menu'); ?>
</ul>
</div>
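Review bot: Marking the authkey input `disabled` only changes what the browser renders and submits; a hand-built POST can still carry `data[User][authkey]`, and because a disabled control is never submitted the `$authkey` value shown here will not reach the server either, so the add action must both generate the key itself and ignore any client-supplied one, e.g. `unset($this->request->data['User']['authkey']);` before the save, or a `'fieldList'` on `$this->User->save()` that omits `authkey`. The same applies to `org` and `role_id`, which are only rendered for an `ADMIN` org user but can be posted by anyone. The add action lives outside this file, so whether it already does this is not visible here.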


@ -1,28 +1,30 @@
<div class="users form">
<?php echo $this->Form->create('User');?>
<fieldset>
<legend><?php echo __('Admin Edit User'); ?></legend>
<?php
echo $this->Form->input('email');
echo $this->Form->input('password');
echo $this->Form->input('confirm_password', array('type' => 'password', 'div' => array('class' => 'input password required')));
if ($currentOrg == 'ADMIN') {
echo $this->Form->input('org');
}
echo $this->Form->input('role_id', array('label' => 'Role')); // TODO ACL, User edit role_id.
echo $this->Form->input('autoalert');
echo $this->Form->input('authkey');
echo $this->Form->input('nids_sid');
echo $this->Form->input('termsaccepted');
echo $this->Form->input('change_pw', array('type' => 'checkbox', 'label' => 'Change Password'));
echo $this->Form->input('newsread');
echo $this->Form->input('gpgkey');
?>
</fieldset>
<?php echo $this->Form->end(__('Submit'));?>
</div>
<div class="actions">
<ul>
<?php echo $this->element('actions_menu'); ?>
</ul>
</div>
<div class="users form">
<?php echo $this->Form->create('User');?>
<fieldset>
<legend><?php echo __('Admin Edit User'); ?></legend>
<?php
echo $this->Form->input('email');
echo $this->Form->input('password');
echo $this->Form->input('confirm_password', array('type' => 'password', 'div' => array('class' => 'input password required')));
if ($currentOrg == 'ADMIN') {
echo $this->Form->input('org');
}
echo $this->Form->input('role_id', array('label' => 'Role')); // TODO ACL, User edit role_id.
echo $this->Form->input('autoalert');
echo $this->Form->input('authkey', array('disabled' => 'disabled'));
echo $this->Html->link('reset', array('controller' => 'users', 'action' => 'resetauthkey', $currentId));
echo ('<br><br>');
echo $this->Form->input('nids_sid');
echo $this->Form->input('termsaccepted');
echo $this->Form->input('change_pw', array('type' => 'checkbox', 'label' => 'Change Password'));
echo $this->Form->input('newsread');
echo $this->Form->input('gpgkey');
?>
</fieldset>
<?php echo $this->Form->end(__('Submit'));?>
</div>
<div class="actions">
<ul>
<?php echo $this->element('actions_menu'); ?>
</ul>
</div>
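Review bot: The new `reset` link is a plain GET to `users/resetauthkey/<id>`, i.e. a state-changing operation (rotating another user's API key) that any `<img>` or link the admin is tricked into loading can trigger, and CakePHP's Security component does not apply CSRF checks to GET requests; use `$this->Form->postLink('reset', array('controller' => 'users', 'action' => 'resetauthkey', $currentId), null, __('Generate a new authkey for this user?'));` as the index view already does for Delete. As with the add form, `disabled` on the authkey input is cosmetic: the server side must drop `authkey` (and `org`/`role_id` for non-site-admins) from the posted data before saving, since nothing in the markup stops a hand-built POST. Whether `resetauthkey` checks that the caller may manage `$currentId` is outside this file.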


@ -42,7 +42,7 @@ foreach ($users as $user): ?>
<?php echo h($user['User']['newsread']); ?>&nbsp;</td>
<td class="actions">
<?php
if (($isAclModifyOrg && ($user['User']['org'] == $me['org'])) || ('1' == $me['id'])) {
if (($isAclAdmin && (($user['User']['org'] == $me['org'])) || ('1' == $me['id'])) || ($me['org'] == 'ADMIN')) {
echo $this->Html->link(__('Edit'), array('admin' => true, 'action' => 'edit', $user['User']['id']), null);
echo $this->Form->postLink(__('Delete'), array('admin' => true, 'action' => 'delete', $user['User']['id']), null, __('Are you sure you want to delete # %s?', $user['User']['id']));
}?>
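Review bot: The new condition nests its parentheses so that it evaluates as `($isAclAdmin && same_org) || $me['id'] == '1' || $me['org'] == 'ADMIN'`, which is probably what is meant but is hard to verify by eye because of the doubled `((...))`; hoisting it into a named variable just before the `if` makes the rule reviewable, e.g. `$canManageUser = $me['org'] == 'ADMIN' || '1' == $me['id'] || ($isAclAdmin && $user['User']['org'] == $me['org']);` followed by `if ($canManageUser) {`. Hiding the Edit/Delete links is presentation only; `admin_edit` and `admin_delete` in UsersController must apply the same org/role test, and the hard-coded user id `'1'` acting as an implicit super-user deserves an explicit flag or role so it is not inherited by whichever account gets id 1 on a fresh install. The `foreach` starts above the hunk.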


@ -1,6 +1,7 @@
<div class="users view">
<div class="actions" style="float:right;">
<ul><li><?php if ($isAclModify && ($me['org'] == $user['User']['org'] || $me['org'] == 'ADMIN')) echo $this->Html->link(__('Edit Profile', true), array('action' => 'edit', $user['User']['id'])); ?> </li></ul>
<ul><li><?php if ($isAclAdmin && ($me['org'] == $user['User']['org'] || $me['org'] == 'ADMIN')) echo $this->Html->link(__('Edit Profile', true), array('admin' => true, 'action' => 'edit', $user['User']['id'])); ?> </li></ul>
<ul><li><?php if ($me['id'] == $user['User']['id']) echo $this->Html->link(__('Edit Profile', true), array('action' => 'edit', $user['User']['id'])); ?> </li></ul>
</div>
<h2><?php echo __('User');?></h2>
<dl>
@ -61,11 +62,17 @@ if (h($user['User']['gpgkey']) != 0) {
<div class="actions">
<ul>
<?php
if ($isAclModify && ($me['org'] == $user['User']['org'] || $me['org'] == 'ADMIN')): ?>
<li><?php echo $this->Html->link(__('Edit User', true), array('action' => 'edit', $user['User']['id'])); ?></li>
if ($isAclAdmin && ($me['org'] == $user['User']['org'] || $me['org'] == 'ADMIN')) { ?>
<li><?php echo $this->Html->link(__('Edit User', true), array('admin' => true, 'action' => 'edit', $user['User']['id'])); ?></li>
<?php
} else if ($me['id'] == $user['User']['id']) {
?>
<li><?php echo $this->Html->link(__('Edit User', true), array('action' => 'edit', $user['User']['id'])); ?></li>
<?php
}
?>
<li>&nbsp;</li>
<?php
endif; ?>
<?php echo $this->element('actions_menu'); ?>
</ul>
</div>
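Review bot: The two `<ul><li>` lines at the top of the first hunk can both render: a site-admin or org-admin viewing their own profile satisfies the `$isAclAdmin` test and also `$me['id'] == $user['User']['id']`, so two "Edit Profile" links appear, one to the admin route and one to the self-service route, whereas the bottom hunk handles the same pair with an `else if`. Apply the same shape at the top, `<?php if ($isAclAdmin && ($me['org'] == $user['User']['org'] || $me['org'] == 'ADMIN')) { ... } elseif ($me['id'] == $user['User']['id']) { ... } ?>` inside a single `<ul>`, or drop the self-service link whenever the admin one is shown. The rest is view gating only; `admin_edit` must enforce the org/role check server-side (the `TODO ACL` on `role_id` in the edit form suggests it does not yet).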