Expected Behavior:
App checks the existence of the conf var via isset() before using it's value..
Current Behavior:
App does not check for unset conf variable external_whois_link.
This condition would occur if external_whois_link is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined variable: external_whois_link in path redacted /base_stat_ipaddr.php on line 371

File: includes/base_auth.inc.php
Class: BaseUser
Function: roleName()
Expected Behavior:
The return value should indicate that the role name is empty / does not exist.
Current Behavior:
Function does not check for an empty return from the DB.
This condition would occur if the role that a user belonged to was deleted.
This results in the following error in production
Uninitialized string offset: 0 in path redacted /includes/base_auth.inc.php on line 310
In the pages that would display a role name, nothing is displayed.

The following files in the language directory contain invalid UTF-8 characters.

languages/czech.lang.php
languages/danish.lang.php
languages/finnish.lang.php
languages/french.lang.php
languages/italian.lang.php
languages/norwegian.lang.php
languages/russian.lang.php
languages/swedish.lang.php
languages/turkish.lang.php

This was messing up code coverage report submissions.
We were getting "Malformed UTF-8 characters, possibly incorrectly encoded" errors.

Depends on: #11 Dependency Type: Soft

May be able to fix this by changing sensor.name to hostname.

• Research historical schemas to ensure that we do not break backwards compatibility.

Expected Behavior:
Sort should execute.
Current Behavior:
Partial page display followed by error message.
Database ERROR:Database ERROR:Unknown column 'sensor.name' in 'order clause'

This will support a language agnostic phrase construction routine.

Depends on: #11 Dependency Type: Hard

File: index.php
Expected Behavior:
Usernames should be case sensitive.
Current Behavior:
Usernames such as:
User
user
UsEr
are treated as the same user on login.

Link to example:
Build Environment: Travis-CI
PHP Version: 5.2x & 5.3x
PHPUnit Version: N/A
Other Info: Discovered while working #34 in the Issue11 branch #11 .

• PHP 5.2x & PHPUnit 3x the -dsafe_mode=0 option "appears" to break process isolated tests with error message RuntimeException: sh: 1: /php: not found.
• PHP 5.3x & PHPUnit 4x the -dsafe_mode=0 option isn't passed to process isolated tests, causing PHP 5.3x to throw E_DEPRECATED errors about Safe Mode.

Expected Behavior:
Tests run OK.
Current Behavior:
PHP Safe Mode Breaks unit tests that need process isolation and don't preserve global state.
Solution:
This may be fixable once we are able to complete Reevaluate Process isolation and error suppression in Unit Tests. in the Issue11 branch.
For the moment we will skip these tests on PHP < 5.4 when Safe Mode is enabled.

From the start page selecting listing for the last 24 or 72 hours selects the entire database when the hour section of the time constraint is greater then 00
Example:
Meta Criteria | time >= [ 03 / 06 / 2019 ] [ 22 : * : * ]
Selects the entire DB

Potentially related Issue from the legacy BASE Ticketing System on Sourceforge.net
https://sourceforge.net/p/secureideas/bugs/188/

Expected Behavior: No error notices in logs.
Current Behavior: App is generating the above PHP Notices in logs.

Other Info: Related Files
base_qry_main.php
base_qry_form.php

Link to example:
https://travis-ci.com/NathanGibbs3/BASE/jobs/180430045
Other Info:
This feature is available on PostgreSQL & MSSQL.
Expected Behavior:
Referential Integrity support is enabled.
Current Behavior:
This fails for PostgreSQL.
Solution:
Add underlying IDS table creation to build environment.
Will probably use some code from barnyard2

Expected Behavior:
App checks the existence of the conf var via isset() before using it's value.
Current Behavior:
App does not check for unset conf variable $colored_alerts.
This condition would occur if $colored_alerts is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined variable: colored_alerts in path redacted base_stat_alerts.php

File: includes/base_auth.inc.php
Class: BaseUser
Function: Authenticate() & AuthenticateNoCookie()
Expected Behavior:
Disabled accounts are denied login.
Current Behavior:
Function does not check for disabled account.

Expected Behavior:
Can switch at runtime.
This could be part of a user's preferences if auth system is enabled.
Current Behavior:
Language is hard coded into app configuration at setup.

First we need to switch the constants based multi language support into something variable based.

The advantages:

• The ability to switch UI language at run time.
• Unit Tests that validate the completeness of all translations.

Sub Tasks

• TD Migration
• Verify Setup

Expected Behavior:
Same or similar visual results implemented via CSS.
Current Behavior:
The code produces an HTML styling hack, a nested table that visually appears as a single table with a black border 2px wide.

Expected Behavior:
App checks the existence of the conf var via isset() before using it's value..
Current Behavior:
App does not check for unset conf variable $show_expanded_query
This condition would occur if $show_expanded_query is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined variable: show_expanded_query in path redacted base_qry_form.php on line 278

Expected Behavior:
Verify via headers_sent() that it is safe to execute header().
Current Behavior:
Function base_header() does not check if headers where sent before calling header() and exiting. This was contributing to Issue #5.

Expected Behavior:
PHPUnit run without any warnings as described below.
Current Behavior:
Before running Unit tests, PHPUnit prints several lines like:
PHP Deprecated: Methods with the same name as their class will not be constructors in a future version of PHP; baseCon has a deprecated constructor in /home/travis/build/NathanGibbs3/BASE/includes/base_db.inc.php on line 26
Solution:
Update the PHP Code responsible for causing this.

Expected Behavior: VerifyDBAbstractionLib() is operative under safe mode where possible.
Current Behavior: VerifyDBAbstractionLib() function is not operative under safe mode.

File: base_common.php
function GetVendor
Expected Behavior: return Vendor Name.
Current Behavior:
Returns the Vendor Name prefixed by a space character.
Found via new PHPUnit test.
Which is why testing is important.
Although this issue does not effect the usability of the software, it is a bug.

Expected Behavior:
App checks the existence of the conf var in the $GLOBALS array via in_array() before testing it's value..
Current Behavior:
Function does not check for unset conf variable $use_sig_list.
This condition would occur if $use_sig_list is not set in base_conf.php
his results in the following error(s) in production.
PHP Notice: Undefined index: use_sig_list in path redacted includes/base_state_citems.inc.php on line 459
This Issue was contributing to issue #5

Expected Behavior:
App checks for variable existence via isset() before using it's value..
Current Behavior:
App does not check for unset variable $resolve_IP. This was contributing to Issue #5.

Expected Behavior:
App checks the existence of the conf var via isset() before using it's value.
Current Behavior:
App does not check for unset conf variable $show_rows.
This condition would occur if $show_rows is not set in base_conf.php
Malformed SQL is generated & the app exits with a database error.

Expected Behavior:
App checks the existence of the conf var via isset() before using it's value.
Current Behavior:
App does not check for unset conf variable $show_previous_alert
This condition would occur if $show_previous_alert is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined variable: show_previous_alert in path redacted base_stat_alerts.php on line 163

Expected Behavior:
App checks the existence of the conf var in the $GLOBALS array via in_array() before testing it's value..
Current Behavior:
Function does not check for unset conf variable $maintain_history.
This condition would occur if $maintain_history is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined index: maintain_history in path redacted /includes/base_state_criteria.inc.php on line 93
PHP Notice: Undefined index: maintain_history in path redacted /includes/base_state_criteria.inc.php on line 124

Link to example:
https://travis-ci.com/NathanGibbs3/BASE/jobs/183155000
Other Info:
Travis-CI
PHP 5.2.17
PHPUnit 3.6.12
XDebug enabled via file in Repo: https://github.com/NathanGibbs3/BASE/blob/devel/tests/5.2-xdebug.ini
To Understand how XDebug is enabled, see code in: https://github.com/NathanGibbs3/BASE/blob/devel/tests/setupenv.sh
Expected Behavior:
Code Coverage Reports are generated & tests run without warnings.
Current Behavior:
After successfully running Unit tests, PHPUnit prints:
Generating code coverage report in Clover XML format ...
Followed by a bunch of Warning & Notice Errors about the code such as:
Warning: include(../base_conf.php): failed to open stream: No such file or directory in /home/travis/build/NathanGibbs3/BASE/admin/base_roleadmin.php on line 21
Warning: include(): Failed opening '../base_conf.php' for inclusion (include_path='.:/home/travis/.phpenv/versions/5.2.17/pear') in /home/travis/build/NathanGibbs3/BASE/admin/base_roleadmin.php on line 21
Notice: Undefined variable: BASE_path in /home/travis/build/NathanGibbs3/BASE/admin/base_roleadmin.php on line 22
Notice: Use of undefined constant _SOURCE - assumed '_SOURCE' in /home/travis/build/NathanGibbs3/BASE/includes/base_state_citems.inc.php on line 953
etc.
Code Coverage Reports are not generated.
Solution:
I suspect this is a PHP 5.2 related Issue.
As I've already run into other issues with the PHP 5.2 Build environment on Travis-CI.

File: base_mac_prefixes.map
Expected Behavior: Consistent vendor names.
Current Behavior: Examples
grep "Cisco" base_mac_prefixes.map | less
Returns the following

• Cisco Systems, Inc.
• Cisco Systems Inc.
• Cisco Systems
• Cisco

Grepping for "Hewlett Packard" returns similar results.
🙁

Adding the ability to disable / enable an entire role may be an idea for a future version.
This would allow finer grained access control without having to disable multiple users in a role.
Obviously, by design the Admin role could not be disabled.

Of course, right now BASE doesn't seem to lock out disabled users either.
See Issue #17

This will support a language agnostic phrase construction routine.

Depends on: #11 Dependency Type: Hard

Expected Behavior:
User Info from DB is passed through XSSPrintSafe() before being returned
Current Behavior:
Returned User info is not passed through XSSPrintSafe() immediately on retrieval from DB..

Expected Behavior:
User info from DB is passed through htmlspecialchars() before being returned.
Current Behavior:
Returned User information is not passed through htmlspecialchars() immediately on retrieval from DB..

Expected Behavior:
Display the GitHub URL. for ADODB.
Current Behavior:
Displays the Sourceforge URL for ADODB

Description

Multiple PHP remote file inclusion vulnerabilities in Basic Analysis and Security Engine (BASE) 1.4.5 allow remote attackers to execute arbitrary PHP code.

1. Via a URL in the BASE_path parameter to:
   1. base_ag_main.php
   2. base_db_setup.php
   3. base_graph_common.php
   4. base_graph_display.php
   5. base_graph_form.php
   6. base_graph_main.php
   7. base_local_rules.php
   8. base_logout.php
   9. base_main.php
   10. base_maintenance.php
   11. base_payload.php
   12. base_qry_alert.php
   13. base_qry_common.php
   14. base_qry_main.php
   15. base_stat_alerts.php
   16. base_stat_class.php
   17. base_stat_common.php
   18. base_stat_ipaddr.php
   19. base_stat_iplink.php
   20. base_stat_ports.php
   21. base_stat_sensor.php
   22. base_stat_time.php
   23. base_stat_uaddr.php
   24. base_user.php
   25. index.php
   26. admin/base_roleadmin.php
   27. admin/base_useradmin.php
   28. admin/index.php
   29. help/base_setup_help.php
   30. includes/base_action.inc.php
   31. includes/base_cache.inc.php
   32. includes/base_db.inc.php
   33. includes/base_db.inc.php
   34. includes/base_include.inc.php
   35. includes/base_output_html.inc.php
   36. includes/base_output_query.inc.php
   37. includes/base_state_criteria.inc.php
   38. includes/base_state_query.inc.php
   39. setup/base_conf_contents.php
2. GLOBALS[user_session_path] parameter to includes/base_state_common.inc.php
3. BASE_Language parameter to setup/base_conf_contents.php
4. ado_inc_php parameter to setup/setup2.php
   https://nvd.nist.gov/vuln/detail/CVE-2012-1199

When:

• We are viewing alerts matching a signature.
• We have the results displayed by port criteria..

Selecting a result and executing a Delete Selected, deletes every alert in the DB matching the port criteria regardless of the signature.

Example:

• All alerts in DB matching TCP dest port 44055 = 2966
• All alerts in DB matching UDP dest port 44055 = 1501
• All alerts in DB matching TCP or UDP dest port 44055 = 4467

Actions:

1. Select signature containing 203 alerts.
2. Display results by dest port.
3. Select 1 result item containing 95 alerts.
4. Execute a Delete Selected.

Result: 4467 Alerts deleted.

Definitely not what was expected, as we are expecting 95 alerts to be deleted.

I have run into this bug in the past, and wondered why BASE would randomly delete large swathes of my alert DB. Now I know why, as my criteria usually involved port criteria. 😄

Related Info: https://sourceforge.net/p/secureideas/discussion/404428/thread/87b62ba7/
Potentially related Issue from the legacy BASE Ticketing System on Sourceforge.net
https://sourceforge.net/p/secureideas/bugs/188/

Expected Behavior:
Values from DB are passed through htmlspecialchars() before being returned in HTML string.
Current Behavior:
Option names in returned HTML are not passed through htmlspecialchars() immediately on retrieval from DB..

Expected Behavior:
PHPUnit run without any warnings as described below.
Current Behavior:
Before running Unit tests, PHPUnit prints several lines like:
PHP Strict standards: Declaration of MultipleElementCriteria::SanitizeElement() should be compatible with BaseCriteria::SanitizeElement() in /home/travis/build/NathanGibbs3/BASE/includes/base_state_citems.inc.php on line 292
Travis-CI PHP Nightly build & Local build environment issues PHP Warning: instead of PHP Strict standards:
Solution:
Update the PHP Code responsible for causing this.

Description

base_ag_main.php in Basic Analysis and Security Engine (BASE) 1.4.5 allows remote attackers to execute arbitrary code by uploading contents of the file with an executable extension via a create action, then accessing it via a view action.
https://nvd.nist.gov/vuln/detail/CVE-2012-1198

File: base_qry_common.php
Function: DateTimeRows2sql
Line: 179

Expected Behavior: No error notices in logs.
Current Behavior:
App is generating the following PHP Notice in logs.
PHP Notice: Undefined index: mysqli path redacted base_qry_common.php on line 179

Solution: Expand array at this location

Expected Behavior:
Graphing should work.
Current Behavior:
Graphing doesn't work.

Description

Multiple SQL injection vulnerabilities in base_qry_main.php in Basic Analysis and Security Engine (BASE) 1.4.5 allow remote attackers to execute arbitrary SQL commands via the (1) ip_addr[0][1], (2) ip_addr[0][2], or (3) ip_addr[0][9] parameters.
https://nvd.nist.gov/vuln/detail/CVE-2012-1017

Expected Behavior:
App checks for variable existence via isset() before using it's value..
Current Behavior:
App does not check for unset Superglobal variable $_GET['action'] and script variable $pagebody. This was contributing to Issue #5.

Link to example(s): Still Present (devel)
First Seen: https://travis-ci.org/NathanGibbs3/BASE/jobs/537072810
Latest Build: https://travis-ci.org/NathanGibbs3/BASE/jobs/537161088
Link to example(s): Not Present ( Issue11 )
Build Environment: Travis-CI
PHP Version: 5.3x
PHPUnit Version: N/A
Other Info: PostgreSQL DB with ADODB 4.94 on branches devel & master.
Revealed via new Unit Tests related to the Issue #13 fix.
When merged into Issue11 branch, build errors not present.

Expected Behavior:
Builds complete without warnings.
Current Behavior:
Builds Issuing deprecated function warnings
Solution: Upgrade min ADODB Version tested on PHP 5.3x

Expected Behavior:
Same or similar visual results implemented via CSS.
Current Behavior:
Like #19 , the code produces an HTML styling hack, a nested table that visually appears as a single table with a black border 2px wide.
Inside this, the code produces a similar hack, a table with a grey bgcolor="#DDDDDD" border 1px wide.
The search criteria table appears as if in a single frame with a black border and grey cell padding.
👍 for visual creativity. 👎 for code clarity & maintainability. ☹️

Expected Behavior:
App checks for variable existence via isset() before using it's value.
Current Behavior:
App does not check for unset Superglobal variable $_SERVER['REQUEST_URI'].
This was contributing to Issue #5.

Expected Behavior:
Ascending & Descending Sorts should work.
Current Behavior:
The above sorts don't produce any changes in the display.

Expected Behavior: EventTiming class is used anywhere page load timing information is displayed.
Current Behavior: EventTiming is used piecemeal through out the code base.
Things to fix::

• Never called, but equivalent code is used without the benefit of language translation data.
• Initialized before necessary authentication checks are done.
  We may not stay on the current page, but be redirected to a new page that initializes a separate event timing instance.
• Initialized and never used.

REALLY, SERIOUSLY!!! ❗😞

Expected Behavior:
App checks the existence of the conf var via isset() before using it's value.
Current Behavior:
App does not check for unset conf variable $show_first_last_links.
This condition would occur if show_first_last_links is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined variable: show_first_last_links in path redacted base_stat_alerts.php

Expected Behavior:
App checks the existence of the conf var in the $GLOBALS array via in_array() before testing it's value..
Current Behavior:
Function does not check for unset conf variable external_sig_link.
This condition would occur if external_sig_link is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined index: external_sig_link in path redacted /includes/base_signature.inc.php on line 439
PHP Notice: Undefined index: external_sig_link in path redacted /includes/base_signature.inc.php on line 449
PHP Notice: Undefined index: external_sig_link in path redacted /includes/base_signature.inc.php on line 459

Expected Behavior:
App checks the existence of the conf var via isset() before using it's value.
Current Behavior:
App does not check for unset conf variable $show_summary_stats
This condition would occur if $show_summary_stats is not set in base_conf.php
This results in the following error(s) in production
PHP Notice: Undefined variable: show_summary_stats in path redacted base_stat_alerts.php on line 80

File(s):
admin/base_roleadmin.php
admin/base_useradmin.php
Between CGI Action create and CGI Action add.
Between CGI Action edit user/role and CGI Action update user/role.
Expected Behavior:
Anti CSRF tokens implemented.
Current Behavior:
No Anti CSRF tokens are currently implemented in these code paths.

This leaves the app vulnerable to CSRF based user/role creation & editing.

Progress:

• domain
• path
• httponly
• samesite
• secure
• timeouts.

Expected Behavior: Cookies are sent with the appropriate options set.

Current Behavior: