diff -Nru acidlab-0.9.6b20/debian/acidlab.013.diff acidlab-0.9.6b20-10.1/debian/acidlab.013.diff
--- acidlab-0.9.6b20/debian/acidlab.013.diff 1970-01-01 01:00:00.000000000 +0100
+++ acidlab-0.9.6b20-10.1/debian/acidlab.013.diff 2005-10-31 17:46:47.000000000 +0100
@@ -0,0 +1,291 @@
+diff -Nru acidlab-0.9.6b20.orig/acid_ag_main.php acidlab-0.9.6b20/acid_ag_main.php
+--- acidlab-0.9.6b20.orig/acid_ag_main.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_ag_main.php 2005-10-31 00:25:33.000000000 +0100
+@@ -31,12 +31,11 @@
+ 
+ 
+ $qs = new QueryState();
+- $submit = ImportHTTPVar("submit");
+- $ag_action = ImportHTTPVar("ag_action");
+- $ag_id = ImportHTTPVar("ag_id");
+- $ag_name = ImportHTTPVar("ag_name");
+- $ag_desc = ImportHTTPVar("ag_desc");
+-
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
++ $ag_action = ImportHTTPVar("ag_action", VAR_ALPHA);
++ $ag_id = ImportHTTPVar("ag_id", VAR_DIGIT);
++ $ag_name = filterSql(ImportHTTPVar("ag_name"));
++ $ag_desc = filterSql(ImportHTTPVar("ag_desc"));
+ 
+ //$qs->MoveView($submit); /* increment the view if neccessary */
+ 
+diff -Nru acidlab-0.9.6b20.orig/acid_common.php acidlab-0.9.6b20/acid_common.php
+--- acidlab-0.9.6b20.orig/acid_common.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_common.php 2005-10-30 23:37:21.000000000 +0100
+@@ -564,9 +564,10 @@
+ $submit = str_replace("(", "", $submit);
+ $submit = str_replace(")", "", $submit);
+ $tmp = explode("-", $submit);
+- $seq = $tmp[0];
+- $sid = $tmp[1];
+- $cid = $tmp[2];
++ /* Since the submit variable is not cleaned do so here: */
++ $seq = CleanVariable($tmp[0], VAR_DIGIT);
++ $sid = CleanVariable($tmp[1], VAR_DIGIT);
++ $cid = CleanVariable($tmp[2], VAR_DIGIT);
+ }
+ 
+ function ExportPacket($sid, $cid, $db)
+diff -Nru acidlab-0.9.6b20.orig/acid_db_setup.php acidlab-0.9.6b20/acid_db_setup.php
+--- acidlab-0.9.6b20.orig/acid_db_setup.php 2005-10-31 00:31:43.000000000 +0100
++++ acidlab-0.9.6b20/acid_db_setup.php 2005-10-31 00:29:25.000000000 +0100
+@@ -31,7 +31,7 @@
+ ACTION="acid_db_setup.php">
+ 
+ GetBackLink());
+diff -Nru acidlab-0.9.6b20.orig/acid_maintenance.php acidlab-0.9.6b20/acid_maintenance.php
+--- acidlab-0.9.6b20.orig/acid_maintenance.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_maintenance.php 2005-10-30 23:54:05.000000000 +0100
+@@ -25,7 +25,7 @@
+ $page_title = "Maintenance";
+ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
+ 
+- $submit = ImportHTTPVar("submit");
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+ 
+ ?>
+ 
+diff -Nru acidlab-0.9.6b20.orig/acid_qry_alert.php acidlab-0.9.6b20/acid_qry_alert.php
+--- acidlab-0.9.6b20.orig/acid_qry_alert.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_qry_alert.php 2005-10-31 00:29:08.000000000 +0100
+@@ -100,7 +100,7 @@
+ * get the (sid,cid) back from $caller
+ */
+ if ( $submit == "Selected" )
+- $submit = ImportHTTPVar("caller");
++ $submit = ImportHTTPVar("caller"); /* Do not filter this call, will get filtered in GetQueryResultID */
+ else
+ $caller = $submit;
+
+diff -Nru acidlab-0.9.6b20.orig/acid_qry_main.php acidlab-0.9.6b20/acid_qry_main.php
+--- acidlab-0.9.6b20.orig/acid_qry_main.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_qry_main.php 2005-10-30 23:54:25.000000000 +0100
+@@ -71,7 +71,7 @@
+ $cs = new CriteriaState("acid_qry_main.php", "&new=1&submit=Query+DB");
+
+ $new = ImportHTTPVar("new", VAR_DIGIT);
+- $submit = ImportHTTPVar("submit");
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+
+ /* Code to correct 'interesting' (read: unexplained) browser behavior */
+
+diff -Nru acidlab-0.9.6b20.orig/acid_state_common.inc acidlab-0.9.6b20/acid_state_common.inc
+--- acidlab-0.9.6b20.orig/acid_state_common.inc 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_state_common.inc 2005-10-31 00:04:00.000000000 +0100
+@@ -102,8 +102,6 @@
+ ************************************************************************/
+ function CleanVariable($item, $valid_data, $exception = "")
+ {
+- return $item;
+-
+ /* Check the exception value list first */
+ if ( $exception != "" )
+ {
+@@ -279,4 +277,73 @@
+ echo "\n";
+ }
+
++/* ***********************************************************************
++ * Function: checkAlpha()
++ *
++ * @doc Checks that all characteres are alphanumeric. Returns ERROR if they
++ * are not and the values themselves if they are.
++ *
++ * @param $var_value value of the variable to test
++ *
++ *
++ ************************************************************************/
++function checkAlpha ($var_value)
++{
++ if (ereg('[^a-zA-z0-9]', $var_value)) {
++ return "ERROR";
++ }
++ return $var_value;
++}
++
++/* ***********************************************************************
++ * Function: checkNum()
++ *
++ * @doc Checks that all characteres are numeric. Returns ERROR if they
++ * are not and the values themselves if they are.
++ *
++ * @param $var_value value of the variable to test
++ *
++ *
++ ************************************************************************/
++function checkNum ($var_value)
++{
++ if (ereg('[^0-9]', $var_value)) {
++ return "ERROR";
++ }
++ return $var_value;
++}
++
++/* ***********************************************************************
++ * Function: filterSql()
++ *
++ * @doc Filters the input string so that it can be safely used in SQL queries.
++ *
++ * @param $var_value value of the variable to filter
++ *
++ *
++ ************************************************************************/
++function filterSql ($var_value)
++{
++ /* This is the default, so strip slashes in case the server is configured with this
++ to prevent double quoting */
++ if (get_magic_quotes_gpc()) {
++ $var_value = stripslashes($var_value);
++ }
++ if (!is_numeric($var_value)) {
++ if ($db->DB_type == "mysql") {
++ if(version_compare(phpversion(),"4.3.0")=="-1") {
++ $var_value = mysql_escape_string($var_value);
++ } else {
++ $var_value = mysql_real_escape_string($var_value);
++ }
++ } else {
++ /* In other databases, strip the following: \ _ % () {} - ; others are quoted */
++ $var_value = ereg_replace ("[\\_%\(\){}-;,]", "", $var_value);
++ $var_value = addslashes ($var_value);
++ }
++ }
++ return $var_value;
++}
++
++
+ ?>
+diff -Nru acidlab-0.9.6b20.orig/acid_stat_ipaddr.php acidlab-0.9.6b20/acid_stat_ipaddr.php
+--- acidlab-0.9.6b20.orig/acid_stat_ipaddr.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_stat_ipaddr.php 2005-10-31 00:09:48.000000000 +0100
+@@ -28,10 +28,10 @@
+ $cs = new CriteriaState("acid_stat_ipaddr.php");
+ $cs->ReadState();
+
+- $ip = ImportHTTPVar("ip");
+- $netmask = ImportHTTPVar("netmask");
+- $action = ImportHTTPVar("action");
+- $submit = ImportHTTPVar("submit");
++ $ip = ImportHTTPVar("ip", VAR_DIGIT | VAR_PERIOD);
++ $netmask = ImportHTTPVar("netmask", VAR_DIGIT);
++ $action = ImportHTTPVar("action", VAR_ALPHA);
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+
+ $page_title = $ip.'/'.$netmask;
+ PrintACIDSubHeader($page_title, $page_title, $cs->GetBackLink());
+diff -Nru acidlab-0.9.6b20.orig/acid_stat_iplink.php acidlab-0.9.6b20/acid_stat_iplink.php
+--- acidlab-0.9.6b20.orig/acid_stat_iplink.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_stat_iplink.php 2005-10-31 00:13:10.000000000 +0100
+@@ -30,7 +30,7 @@
+ $qs->AddCannedQuery("most_frequent", $freq_num_alerts, "Most Frequent Alerts", "occur_d");
+ $qs->AddCannedQuery("last_alerts", $last_num_ualerts, "Last Alerts", "last_d");
+
+- $submit = ImportHTTPVar("submit");
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+ $qs->MoveView($submit); /* increment the view if necessary */
+
+ $page_title = "IP Links";
+diff -Nru acidlab-0.9.6b20.orig/acid_stat_ports.php acidlab-0.9.6b20/acid_stat_ports.php
+--- acidlab-0.9.6b20.orig/acid_stat_ports.php 2002-02-05 20:55:56.000000000 +0100
++++ acidlab-0.9.6b20/acid_stat_ports.php 2005-10-31 00:15:56.000000000 +0100
+@@ -39,9 +39,9 @@
+ $qs->AddCannedQuery("most_frequent", $freq_num_uports, "Most Frequent Ports", "occur_d");
+ $qs->AddCannedQuery("last_ports", $last_num_uports, "Last Ports", "last_d");
+
+- $submit = ImportHTTPVar("submit");
+- $port_type = ImportHTTPVar("port_type");
+- $proto = ImportHTTPVar("proto");
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
++ $port_type = ImportHTTPVar("port_type", VAR_DIGIT);
++ $proto = ImportHTTPVar("proto", VAR_DIGIT);
+
+ $qs->MoveView($submit); /* increment the view if necessary */
+
+diff -Nru acidlab-0.9.6b20.orig/acid_stat_time.php acidlab-0.9.6b20/acid_stat_time.php
+--- acidlab-0.9.6b20.orig/acid_stat_time.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_stat_time.php 2005-10-31 00:21:31.000000000 +0100
+@@ -114,9 +114,9 @@
+ include_once ("acid_stat_common.php");
+ include_once ("acid_qry_common.php");
+
+- $time_sep = ImportHTTPVar("time_sep");
+- $time = ImportHTTPVar("time");
+- $submit = ImportHTTPVar("submit");
++ $time_sep = ImportHTTPVar("time_sep", VAR_ALPHA);
++ $time = ImportHTTPVar("time", VAR_DIGIT);
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+
+ $cs = new CriteriaState("acid_stat_alerts.php");
+ $cs->ReadState();
+diff -Nru acidlab-0.9.6b20.orig/acid_stat_uaddr.php acidlab-0.9.6b20/acid_stat_uaddr.php
+--- acidlab-0.9.6b20.orig/acid_stat_uaddr.php 2005-10-31 00:29:57.000000000 +0100
++++ acidlab-0.9.6b20/acid_stat_uaddr.php 2005-10-31 00:24:17.000000000 +0100
+@@ -28,8 +28,8 @@
+ include_once("acid_common.php");
+ include_once("acid_qry_common.php");
+
+- $addr_type = ImportHTTPVar("addr_type");
+- $submit = ImportHTTPVar("submit");
++ $addr_type = ImportHTTPVar("addr_type", VAR_DIGIT);
++ $submit = ImportHTTPVar("submit", VAR_ALPHA | VAR_SPACE);
+
+ $et = new EventTiming($debug_time_mode);
+ $cs = new CriteriaState("acid_stat_uaddr.php", "&addr_type=$addr_type");
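Review bot: `filterSql()` in the acid_state_common.inc hunk reads `$db->DB_type` but never declares `global $db;`, so inside the function `$db` is undefined, the comparison with `"mysql"` is false, and every value — MySQL included — takes the generic `ereg_replace`/`addslashes` branch instead of `mysql_real_escape_string()`; adding `global $db;` as the first statement of the function (or passing `$db` in as a parameter, as `ExportPacket($sid, $cid, $db)` does) restores the intended branch. In that fallback pattern `"[\\_%\(\){}-;,]"` the `}-;` sequence reads as a bracket-expression range from `}` down to `;`, which POSIX regex rejects as an invalid range, so the call presumably fails and returns false rather than stripping anything; moving the hyphen to the end of the class, `"[\\_%(){};,-]"`, avoids the range reading — worth confirming against the PHP build in sarge. Separately, `checkAlpha()` uses the class `[^a-zA-z0-9]`, and the lowercase `z` makes `A-z` span the ASCII run that also contains `[`, `\`, `]`, `^`, `_` and the backtick, so those characters pass as "alphanumeric"; it should read `[^a-zA-Z0-9]`. The embedded acid_db_setup.php hunk shows only fragments of its lines in this listing, so its change could not be reviewed here.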
diff -Nru acidlab-0.9.6b20/debian/changelog acidlab-0.9.6b20-10.1/debian/changelog
--- acidlab-0.9.6b20/debian/changelog 2005-10-31 17:54:26.000000000 +0100
+++ acidlab-0.9.6b20-10.1/debian/changelog 2005-11-01 09:54:13.000000000 +0100
@@ -1,3 +1,14 @@
+acidlab (0.9.6b20-10.1) sarge; urgency=high
+
+ * Patch [013] SECURITY fix:
+ - Add proper filtering in all ImportHTTP variables using either the new
+ functions to check for numeric/alphanumeric chars or the filterSql()
+ function to prevent SQL injection attacks. This patch fixes CVE-2005-3325
+ but also other attack vectors not mentioned in the initial advisory
+ (http://www.frsirt.com/english/advisories/2005/2188)
+
+ -- Javier Fernandez-Sanguino Pen~a