RanchiMall/php-mpos
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Merge pull request #1646 from xisi/security-logging

Browse Source 
[ADDITION] Basic security logging
This commit is contained in:
Sebastian Grewe 2014-02-04 08:05:13 -08:00
commit 43e1c44def
15 changed files with 149 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -11,6 +11,7 @@
# Logs
/cronjobs/logs/*.txt
/cronjobs/logs/*.txt.*.gz
/logs/*
# Test configs
public/include/config/global.inc.scrypt.php

3
.htaccess Normal file
View File

@ -0,0 +1,3 @@
ErrorDocument 404 /public/index.php?page=error&action=404
RedirectMatch 404 /logs(/|$)
Options -Indexes

1
logs/README.md Normal file
View File

@ -0,0 +1 @@
hi

6
public/include/admin_checks.php
View File

@ -15,6 +15,12 @@ if (@$_SESSION['USERDATA']['is_admin'] && $user->isAdmin(@$_SESSION['USERDATA'][
}
// setup checks
// logging
if ($config['logging']['enabled']) {
if (!is_writable($config['logging']['path'])) {
$error[] = "Logging is enabled but we can't write in the logging path";
}
}
// check if memcache isn't available but enabled in config -> error
if (!class_exists('Memcached') && $config['memcache']['enabled']) {
$error[] = "You have memcache enabled in your config and it's not available. Install the package on your system.";

1
public/include/autoloader.inc.php
View File

@ -12,6 +12,7 @@ if (empty($config['algorithm']) || $config['algorithm'] == 'scrypt') {
// Default classes
require_once(CLASS_DIR . '/debug.class.php');
require_once(INCLUDE_DIR . '/lib/KLogger.php');
require_once(CLASS_DIR . '/logger.class.php');
if ($config['mysql_filter']) {
require_once(CLASS_DIR . '/strict.class.php');
}

3
public/include/classes/base.class.php
View File

@ -19,6 +19,9 @@ class Base {
public function setDebug($debug) {
$this->debug = $debug;
}
public function setLog($log) {
$this->log = $log;
}
public function setMysql($mysqli) {
$this->mysqli = $mysqli;
}

3
public/include/classes/invitation.class.php
View File

@ -114,12 +114,14 @@ class Invitation extends Base {
}
$aData['username'] = $this->user->getUserName($account_id);
$aData['subject'] = 'Pending Invitation';
$this->log->log("info", $this->user->getUserName($account_id)." sent an invitation from [".$_SERVER['REMOTE_ADDR']."]");
if ($this->mail->sendMail('invitations/body', $aData)) {
$aToken = $this->token->getToken($aData['token'], 'invitation');
if (!$this->createInvitation($account_id, $aData['email'], $aToken['id']))
return false;
return true;
} else {
$this->log->log("warn", $this->user->getUserName($account_id)." sent an invitation but the mailing failed from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage($this->getErrorMsg('E0028'));
}
$this->setErrorMessage($this->getErrorMsg('E0029'));
@ -130,6 +132,7 @@ class Invitation extends Base {
// Instantiate class
$invitation = new invitation();
$invitation->setDebug($debug);
$invitation->setLog($log);
$invitation->setMysql($mysqli);
$invitation->setMail($mail);
$invitation->setUser($user);

29
public/include/classes/logger.class.php Normal file
View File

@ -0,0 +1,29 @@
<?php
class Logger {
private $KLogger;
private $logging = false;
public function __construct($config) {
if ($config['logging']['enabled'] && $config['logging']['level'] > 0) {
$this->KLogger = new KLogger($config['logging']['path']."/".$config['logging']['file'], $config['logging']['level']);
$this->logging = true;
}
}
public function log($type, $message) {
if ($this->logging) {
switch ($type) {
case 'info':
$this->KLogger->LogInfo($message);
break;
case 'warn':
$this->KLogger->LogWarn($message);
break;
}
return true;
} else {
return true;
}
}
}
$log = new Logger($config);
?>

2
public/include/classes/notification.class.php
View File

@ -120,6 +120,7 @@ class Notification extends Mail {
$this->setErrorMessage($this->getErrorMsg('E0047', $failed));
return $this->sqlError();
}
$this->log->log("info", "User $account_id updated notification settings from [".$_SERVER['REMOTE_ADDR']."]");
return true;
}
@ -154,6 +155,7 @@ class Notification extends Mail {
$notification = new Notification();
$notification->setDebug($debug);
$notification->setLog($log);
$notification->setMysql($mysqli);
$notification->setSmarty($smarty);
$notification->setConfig($config);

11
public/include/classes/payout.class.php
View File

@ -41,8 +41,16 @@ class Payout Extends Base {
if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['withdraw']) {
$tValid = $this->token->isTokenValid($account_id, $strToken, 7);
if ($tValid) {
$this->token->deleteToken($strToken);
$delete = $this->token->deleteToken($strToken);
if ($delete) {
return true;
} else {
$this->log->log("info", "User $account_id requested manual payout but the token deletion failed from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage('Unable to delete token');
return false;
}
} else {
$this->log->log("info", "User $account_id requested manual payout using an invalid token from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage('Invalid token');
return false;
}
@ -67,6 +75,7 @@ class Payout Extends Base {
$oPayout = new Payout();
$oPayout->setDebug($debug);
$oPayout->setLog($log);
$oPayout->setMysql($mysqli);
$oPayout->setConfig($config);
$oPayout->setToken($oToken);

99
public/include/classes/user.class.php
View File

@ -69,14 +69,17 @@ class User extends Base {
}
public function changeNoFee($id) {
$field = array('name' => 'no_fees', 'type' => 'i', 'value' => !$this->isNoFee($id));
$this->log->log("warn", $this->getUserName($id)." changed no_fees to ".$this->isNoFee($id)." from [".$_SERVER['REMOTE_ADDR']."]");
return $this->updateSingle($id, $field);
}
public function setLocked($id, $value) {
$field = array('name' => 'is_locked', 'type' => 'i', 'value' => $value);
$this->log->log("warn", $this->getUserName($id)." changed is_locked to $value from [".$_SERVER['REMOTE_ADDR']."]");
return $this->updateSingle($id, $field);
}
public function changeAdmin($id) {
$field = array('name' => 'is_admin', 'type' => 'i', 'value' => !$this->isAdmin($id));
$this->log->log("warn", $this->getUserName($id)." changed is_admin to ".$this->isAdmin($id)." from [".$_SERVER['REMOTE_ADDR']."]");
return $this->updateSingle($id, $field);
}
public function setUserFailed($id, $value) {
@ -145,6 +148,9 @@ class User extends Base {
$lastLoginTime = $this->getLastLogin($uid);
$this->updateLoginTimestamp($uid);
$getIPAddress = $this->getUserIp($uid);
if ($getIPAddress !== $_SERVER['REMOTE_ADDR']) {
$this->log->log("warn", "$username has logged in with a different IP [".$_SERVER['REMOTE_ADDR']."] saved is [$getIPAddress]");
}
$setIPAddress = $this->setUserIp($uid, $_SERVER['REMOTE_ADDR']);
$this->createSession($username, $getIPAddress, $lastLoginTime);
if ($setIPAddress) {
@ -172,11 +178,13 @@ class User extends Base {
}
}
$this->setErrorMessage("Invalid username or password");
$this->log->log("info", "$username failed login from [".$_SERVER['REMOTE_ADDR']."]");
if ($id = $this->getUserId($username)) {
$this->incUserFailed($id);
// Check if this account should be locked
if (isset($this->config['maxfailed']['login']) && $this->getUserFailed($id) >= $this->config['maxfailed']['login']) {
$this->setLocked($id, 1);
$this->log->log("warn", "$username locked via failed logins from [".$_SERVER['REMOTE_ADDR']."] saved is [".$this->getUserIp($this->getUserId($username))."]");
if ($token = $this->token->createToken('account_unlock', $id)) {
$aData['token'] = $token;
$aData['username'] = $username;
@ -203,17 +211,19 @@ class User extends Base {
$pin_hash = $this->getHash($pin);
if ($stmt->bind_param('is', $userId, $pin_hash) && $stmt->execute() && $stmt->bind_result($row_pin) && $stmt->fetch()) {
$this->setUserPinFailed($userId, 0);
return $pin_hash === $row_pin;
return ($pin_hash === $row_pin);
}
$this->log->log("info", $this->getUserName($userId)." incorrect pin from [".$_SERVER['REMOTE_ADDR']."]");
$this->incUserPinFailed($userId);
// Check if this account should be locked
if (isset($this->config['maxfailed']['pin']) && $this->getUserPinFailed($userId) >= $this->config['maxfailed']['pin']) {
$this->setLocked($userId, 1);
$this->log->log("warn", $this->getUserName($userId)." was locked via incorrect pins from [".$_SERVER['REMOTE_ADDR']."]");
if ($token = $this->token->createToken('account_unlock', $userId)) {
$username = $this->getUserName($userId);
$aData['token'] = $token;
$aData['username'] = $username;
$aData['email'] = $this->getUserEmail($username);;
$aData['email'] = $this->getUserEmail($username);
$aData['subject'] = 'Account auto-locked';
$this->mail->sendMail('notifications/locked', $aData);
}
@ -234,17 +244,19 @@ class User extends Base {
$newpin = $this->getHash($newpin);
$aData['subject'] = 'PIN Reset Request';
$stmt = $this->mysqli->prepare("UPDATE $this->table SET pin = ? WHERE ( id = ? AND pass = ? )");
if ($this->checkStmt($stmt) && $stmt->bind_param('sis', $newpin, $userID, $current) && $stmt->execute()) {
if ($stmt->errno == 0 && $stmt->affected_rows === 1) {
if ($this->mail->sendMail('pin/reset', $aData)) {
$this->log->log("info", $this->getUserName($userID)." was sent a pin reset from [".$_SERVER['REMOTE_ADDR']."]");
return true;
} else {
$this->log->log("warn", $this->getUserName($userID)." request a pin reset but the mailing failed from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage('Unable to send mail to your address');
return false;
}
}
}
$this->log->log("warn", $this->getUserName($userID)." incorrect pin reset attempt from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage( 'Unable to generate PIN, current password incorrect?' );
return false;
}
@ -319,14 +331,17 @@ class User extends Base {
default:
$aData['subject'] = '';
}
$this->log->log("info", $this->getUserName($userID)." was sent a $strType token from [".$_SERVER['REMOTE_ADDR']."]");
if ($this->mail->sendMail('notifications/'.$strType, $aData)) {
return true;
} else {
$this->setErrorMessage('Failed to send the notification');
$this->log->log("warn", $this->getUserName($userID)." requested a $strType token but the mailing failed from [".$_SERVER['REMOTE_ADDR']."]");
return false;
}
}
$this->setErrorMessage('A request has already been sent to your e-mail address. Please wait 10 minutes for it to expire.');
$this->log->log("warn", $this->getUserName($userID)." attempted to request multiple $strType tokens from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage('A request has already been sent to your e-mail address. Please wait an hour for it to expire.');
return false;
}
@ -351,25 +366,34 @@ class User extends Base {
}
$current = $this->getHash($current);
$new = $this->getHash($new1);
if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['changepw']) {
$tValid = $this->token->isTokenValid($userID, $strToken, 6);
if ($tValid) {
if ($this->token->deleteToken($strToken)) {
$this->log->log("info", $this->getUserName($userID)." deleted change password token from [".$_SERVER['REMOTE_ADDR']."]");
// token deleted, continue
} else {
$this->log->log("warn", $this->getUserName($userID)." change password token failed to delete from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage('Token deletion failed');
return false;
}
} else {
$this->log->log("warn", $this->getUserName($userID)." attempted to use an invalid change password token from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage('Invalid token');
return false;
}
}
$stmt = $this->mysqli->prepare("UPDATE $this->table SET pass = ? WHERE ( id = ? AND pass = ? )");
if ($this->checkStmt($stmt)) {
$stmt->bind_param('sis', $new, $userID, $current);
$stmt->execute();
if ($stmt->errno == 0 && $stmt->affected_rows === 1) {
// twofactor - consume the token if it is enabled and valid
if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['changepw']) {
$tValid = $this->token->isTokenValid($userID, $strToken, 6);
if ($tValid) {
$this->token->deleteToken($strToken);
} else {
$this->setErrorMessage('Invalid token');
return false;
}
}
$this->log->log("info", $this->getUserName($userID)." updated password from [".$_SERVER['REMOTE_ADDR']."]");
return true;
}
$stmt->close();
}
$this->log->log("warn", $this->getUserName($userID)." incorrect password update attempt from [".$_SERVER['REMOTE_ADDR']."]");
$this->setErrorMessage( 'Unable to update password, current password wrong?' );
return false;
}
@ -434,20 +458,30 @@ class User extends Base {
$threshold = min($this->config['ap_threshold']['max'], max(0, floatval($threshold)));
$donate = min(100, max(0, floatval($donate)));
// We passed all validation checks so update the account
$stmt = $this->mysqli->prepare("UPDATE $this->table SET coin_address = ?, ap_threshold = ?, donate_percent = ?, email = ?, is_anonymous = ? WHERE id = ?");
if ($this->checkStmt($stmt) && $stmt->bind_param('sddsii', $address, $threshold, $donate, $email, $is_anonymous, $userID) && $stmt->execute())
// twofactor - consume the token if it is enabled and valid
if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['details']) {
$tValid = $this->token->isTokenValid($userID, $strToken, 5);
if ($tValid) {
$this->token->deleteToken($strToken);
// twofactor - consume the token if it is enabled and valid
if ($this->config['twofactor']['enabled'] && $this->config['twofactor']['options']['details']) {
$tValid = $this->token->isTokenValid($userID, $strToken, 5);
if ($tValid) {
if ($this->token->deleteToken($strToken)) {
$this->log->log("info", $this->getUserName($userID)." deleted account update token for [".$_SERVER['REMOTE_ADDR']."]");
} else {
$this->setErrorMessage('Invalid token');
$this->setErrorMessage('Token deletion failed');
$this->log->log("warn", $this->getUserName($userID)." updated their account details but token deletion failed from [".$_SERVER['REMOTE_ADDR']."]");
return false;
}
} else {
$this->setErrorMessage('Invalid token');
$this->log->log("warn", $this->getUserName($userID)." attempted to use an invalid token account update token from [".$_SERVER['REMOTE_ADDR']."]");
return false;
}
}
// We passed all validation checks so update the account
$stmt = $this->mysqli->prepare("UPDATE $this->table SET coin_address = ?, ap_threshold = ?, donate_percent = ?, email = ?, is_anonymous = ? WHERE id = ?");
if ($this->checkStmt($stmt) && $stmt->bind_param('sddsii', $address, $threshold, $donate, $email, $is_anonymous, $userID) && $stmt->execute()) {
$this->log->log("info", $this->getUserName($userID)." updated their account details from [".$_SERVER['REMOTE_ADDR']."]");
return true;
}
// Catchall
$this->setErrorMessage('Failed to update your account');
$this->debug->append('Account update failed: ' . $this->mysqli->error);
@ -507,6 +541,9 @@ class User extends Base {
$_SESSION['AUTHENTICATED'] = '1';
// $this->user from checkUserPassword
$_SESSION['USERDATA'] = $this->user;
if ($this->config['protect_session_state']) {
$_SESSION['STATE'] = md5($_SESSION['USERDATA']['username'].$_SESSION['USERDATA']['id'].$_SERVER['HTTP_USER_AGENT']);
}
}
/**
@ -542,7 +579,7 @@ class User extends Base {
$port = ($_SERVER["SERVER_PORT"] == "80" || $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
$pushto = $_SERVER['SCRIPT_NAME'].'?page=login';
$location = (@$_SERVER['HTTPS'] == 'on') ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $pushto : 'http://' . $_SERVER['SERVER_NAME'] . $port . $pushto;
// if (!headers_sent()) header('Location: ' . $location);
if (!headers_sent()) header('Location: ' . $location);
exit('<meta http-equiv="refresh" content="0; url=' . $location . '"/>');
}
@ -661,6 +698,7 @@ class User extends Base {
$invitation = new Invitation();
$invitation->setMysql($this->mysqli);
$invitation->setDebug($this->debug);
$invitation->setLog($this->log);
$invitation->setUser($this);
$invitation->setConfig($this->config);
if (!$invitation->setActivated($aToken['id'])) {
@ -669,6 +707,7 @@ class User extends Base {
}
if (!$this->token->deleteToken($strToken)) {
$this->setErrorMessage('Unable to remove used token');
$this->log->log("warn", "$username tried to register but the token failed to delete [".$_SERVER['REMOTE_ADDR']."]");
return false;
}
}
@ -789,6 +828,11 @@ class User extends Base {
}
$aData['username'] = $this->getUserName($this->getUserId($username, true));
$aData['subject'] = 'Password Reset Request';
if ($_SERVER['REMOTE_ADDR'] !== $this->getUserIp($this->getUserId($username, true))) {
$this->log->log("warn", "$username requested password reset from [".$_SERVER['REMOTE_ADDR']."] saved is [".$this->getUserIp($this->getUserId($username, true))."]");
} else {
$this->log->log("info", "$username requested password reset from [".$_SERVER['REMOTE_ADDR']."] saved is [".$this->getUserIp($this->getUserId($username, true))."]");
}
if ($this->mail->sendMail('password/reset', $aData)) {
return true;
} else {
@ -809,10 +853,12 @@ public function isAuthenticated($logout=true) {
$this->debug->append("STA " . __METHOD__, 4);
if (@$_SESSION['AUTHENTICATED'] == true &&
!$this->isLocked($_SESSION['USERDATA']['id']) &&
$this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR']
$this->getUserIp($_SESSION['USERDATA']['id']) == $_SERVER['REMOTE_ADDR'] &&
(!$this->config['protect_session_state'] || ($this->config['protect_session_state'] && $_SESSION['STATE'] == md5($_SESSION['USERDATA']['username'].$_SESSION['USERDATA']['id'].$_SERVER['HTTP_USER_AGENT'])))
) return true;
// Catchall
if ($logout == true) $this->logoutUser($_SERVER['REQUEST_URI']);
$this->log->log("warn", "Forcing logout, user is locked or IP changed mid session from [".$_SERVER['REMOTE_ADDR']."] [hijack attempt?]");
if ($logout == true) $this->logoutUser();
return false;
}
@ -853,6 +899,7 @@ public function isAuthenticated($logout=true) {
// Make our class available automatically
$user = new User();
$user->setDebug($debug);
$user->setLog($log);
$user->setMysql($mysqli);
$user->setSalt($config['SALT']);
$user->setSmarty($smarty);

13
public/include/config/security.inc.dist.php
View File

@ -4,10 +4,21 @@ $defflip = (!cfip()) ? exit(header('HTTP/1.1 401 Unauthorized')) : 1;
/**
* Misc
* Extra security settings
*
*
**/
$config['https_only'] = false;
$config['mysql_filter'] = true;
$config['protect_session_state'] = false;
/**
* Logging
* Log security issues - 0 = disabled, 2 = everything, 3 = warnings only
*
*/
$config['logging']['enabled'] = true;
$config['logging']['level'] = 3;
$config['logging']['path'] = realpath(BASEPATH.'../logs');
$config['logging']['file'] = date('Y-m-d').'.security.log';
/**
* Memcache Rate Limiting

5
public/include/pages/account/edit.inc.php
View File

@ -72,10 +72,10 @@ if ($user->isAuthenticated()) {
}
}
else {
if ( @$_POST['do'] && (!$checkpin = $user->checkPin($_SESSION['USERDATA']['id'], @$_POST['authPin']))) {
if ( @$_POST['do'] && !$user->checkPin($_SESSION['USERDATA']['id'], @$_POST['authPin'])) {
$_SESSION['POPUP'][] = array('CONTENT' => 'Invalid PIN. ' . ($config['maxfailed']['pin'] - $user->getUserPinFailed($_SESSION['USERDATA']['id'])) . ' attempts remaining.', 'TYPE' => 'errormsg');
} else {
if (isset($_POST['unlock']) && isset($_POST['utype']) && $checkpin) {
if (isset($_POST['unlock']) && isset($_POST['utype'])) {
$validtypes = array('account_edit','change_pw','withdraw_funds');
$isvalid = in_array($_POST['utype'],$validtypes);
if ($isvalid) {
@ -99,6 +99,7 @@ if ($user->isAuthenticated()) {
} else {
$aBalance = $transaction->getBalance($_SESSION['USERDATA']['id']);
$dBalance = $aBalance['confirmed'];
$user->log->log("info", $_SESSION['USERDATA']['username']." requesting manual payout from [".$_SERVER['REMOTE_ADDR']."]");
if ($dBalance > $config['txfee_manual']) {
if (!$oPayout->isPayoutActive($_SESSION['USERDATA']['id'])) {
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {

1
public/include/pages/admin/settings.inc.php
View File

@ -8,6 +8,7 @@ if (!$user->isAuthenticated() || !$user->isAdmin($_SESSION['USERDATA']['id'])) {
}
if (@$_REQUEST['do'] == 'save' && !empty($_REQUEST['data'])) {
$user->log->log("warn", @$_SESSION['USERDATA']['username']." changed admin settings from [".$_SERVER['REMOTE_ADDR']."]");
foreach($_REQUEST['data'] as $var => $value) {
$setting->setValue($var, $value);
}

2
public/index.php
View File

@ -59,12 +59,12 @@ if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
$session_start = @session_start();
session_set_cookie_params(time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
if (!$session_start) {
$log->log("info", "Forcing session id regeneration for ".$_SERVER['REMOTE_ADDR']." [hijack attempt?]");
session_destroy();
session_regenerate_id(true);
session_start();
}
@setcookie(session_name(), session_id(), time()+$config['cookie']['duration'], $config['cookie']['path'], $config['cookie']['domain'], $config['cookie']['secure'], $config['cookie']['httponly']);
// Rate limiting
if ($config['memcache']['enabled'] && $config['mc_antidos']['enabled']) {
$skip_check = false;