diff options
author | Scott Ullrich <sullrich@pfsense.org> | 2010-11-10 11:56:23 -0500 |
---|---|---|
committer | Scott Ullrich <sullrich@pfsense.org> | 2010-11-10 11:56:23 -0500 |
commit | 4fe9c2dcf1c90253b2b6a70e67b06c76ff251b35 (patch) | |
tree | de12a5d01033d4ce859e311b743d23b138b3ba12 | |
parent | daab67a170ddf38a76605e32a56874780e82b62d (diff) | |
download | pfsense-4fe9c2dcf1c90253b2b6a70e67b06c76ff251b35.zip pfsense-4fe9c2dcf1c90253b2b6a70e67b06c76ff251b35.tar.gz |
* Adding function get_configured_ip_addresses() which returns all interfaces and their configured IP address
* Add checkbox to System -> Advanced -> Admin for HTTP_REFERER checks
* Add and enforce HTTP_REFERER check if checkbox is not checked.
This will prevent HTML pages from crafting HTML GETs against the web interface and will prevent firewall admins from being "tricked" into clicking on links that may be harmful to their firewall.
-rw-r--r-- | etc/inc/auth.inc | 26 | ||||
-rw-r--r-- | etc/inc/authgui.inc | 2 | ||||
-rw-r--r-- | etc/inc/util.inc | 15 | ||||
-rw-r--r-- | usr/local/www/system_advanced_admin.php | 20 |
4 files changed, 61 insertions, 2 deletions
diff --git a/etc/inc/auth.inc b/etc/inc/auth.inc index 13ca678..e7484c1 100644 --- a/etc/inc/auth.inc +++ b/etc/inc/auth.inc @@ -86,6 +86,32 @@ if (function_exists("display_error_form") && !isset($config['system']['webgui'][ } } +// If the HTTP_REFERER is something other than ourselves then disallow. +if(!$config['system']['nohttpreferercheck']) { + if($_SERVER['HTTP_REFERER']) { + $found_host = false; + $hostname_me = $config['system']['hostname'] . "." . $config['system']['domain']; + if(stristr($_SERVER['HTTP_REFERER'], $hostname_me)) + $found_host = true; + if(!empty($config['system']['webgui']['althostnames'])) { + $althosts = explode(" ", $config['system']['webgui']['althostnames']); + foreach ($althosts as $ah) + if(stristr($ah, $hostname_me)) + $found_host = true; + } + $interface_list_ips = get_configured_ip_addresses(); + foreach($interface_list_ips as $ilips) { + $hostname_me_ip = $config['webgui']['protocol'] . "://" . $ilips; + if(stristr($hostname_me_ip, $ilips)) + $found_host = true; + } + if($found_host == false) { + display_error_form("501", "An HTTP_REFERER was detected other than what is defined in System -> Advanced (" . $_SERVER['HTTP_REFERER'] . "). You can disable this check if needed in System -> Advanced -> Admin."); + exit; + } + } +} + $groupindex = index_groups(); $userindex = index_users(); diff --git a/etc/inc/authgui.inc b/etc/inc/authgui.inc index e0bea3d..ee98f1c 100644 --- a/etc/inc/authgui.inc +++ b/etc/inc/authgui.inc @@ -261,4 +261,4 @@ if($config['virtualip']) <?php } // end function -?> +?>
\ No newline at end of file diff --git a/etc/inc/util.inc b/etc/inc/util.inc index 0551d40..4b74a7f 100644 --- a/etc/inc/util.inc +++ b/etc/inc/util.inc @@ -624,6 +624,21 @@ function get_configured_interface_with_descr($only_opt = false, $withdisabled = return $iflist; } +/* + * get_configured_ip_addresses() - Return a list of all configured + * interfaces IP Addresses + * + */ +function get_configured_ip_addresses() { + require_once("interfaces.inc"); + $ip_array = array(); + $interfaces = get_configured_interface_list(); + foreach($interfaces as $int) { + $ipaddr = get_interface_ip($int); + $ip_array[$int] = $ipaddr; + } + return $ip_array; +} /* * get_interface_list() - Return a list of all physical interfaces diff --git a/usr/local/www/system_advanced_admin.php b/usr/local/www/system_advanced_admin.php index f34d1c7..7875802 100644 --- a/usr/local/www/system_advanced_admin.php +++ b/usr/local/www/system_advanced_admin.php @@ -3,7 +3,7 @@ /* system_advanced_admin.php part of pfSense - Copyright (C) 2005-2007 Scott Ullrich + Copyright (C) 2005-2010 Scott Ullrich Copyright (C) 2008 Shrew Soft Inc @@ -56,6 +56,7 @@ $pconfig['disablehttpredirect'] = isset($config['system']['webgui']['disablehttp $pconfig['disableconsolemenu'] = isset($config['system']['disableconsolemenu']); $pconfig['noantilockout'] = isset($config['system']['webgui']['noantilockout']); $pconfig['nodnsrebindcheck'] = isset($config['system']['webgui']['nodnsrebindcheck']); +$pconfig['nohttpreferercheck'] = isset($config['system']['webgui']['nohttpreferercheck']); $pconfig['althostnames'] = $config['system']['webgui']['althostnames']; $pconfig['enableserial'] = $config['system']['enableserial']; $pconfig['enablesshd'] = $config['system']['enablesshd']; @@ -140,6 +141,11 @@ if ($_POST) { else unset($config['system']['webgui']['nodnsrebindcheck']); + if ($_POST['nohttpreferercheck'] == "yes") + $config['system']['webgui']['nohttpreferercheck'] = true; + else + unset($config['system']['webgui']['nohttpreferercheck']); + if ($_POST['althostnames']) $config['system']['webgui']['althostnames'] = $_POST['althostnames']; else @@ -360,6 +366,18 @@ function prot_change() { </td> </tr> <tr> + <td width="22%" valign="top" class="vncell"><?=gettext("Browser HTTP_REFERER enforcement"); ?></td> + <td width="78%" class="vtable"> + <input name="nohttpreferercheck" type="checkbox" id="nohttpreferercheck" value="yes" <?php if ($pconfig['nohttpreferercheck']) echo "checked"; ?> /> + <strong><?=gettext("Disable HTTP_REFERER enforcement check"); ?></strong> + <br/> + <?php echo gettext("When this is unchecked, access to the webConfigurator " . + "is protected against HTTP_REFERER redirection attempts. " . + "Check this box to disable this protection if you find that it interferes with " . + "webConfigurator access in certain corner cases such as using 3rd party scripts to interact with pfSense. More information on HTTP_REFERER is available from <a href='http://en.wikipedia.org/wiki/HTTP_referrer'>Wikipedia</a>."); ?> + </td> + </tr> + <tr> <td colspan="2" class="list" height="12"> </td> </tr> <tr> |