[SECURITY] Fixed exploit in token types

Fixes an exploit caused by a missing check of the token type used.

Fixes #1118 once merged.
Sebastian Grewe 2013-12-27 00:21:22 +01:00
parent 0852f61ab3
commit b16d9afcad
4 changed files with 14 additions and 7 deletions


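--- a/(path not shown)
+++ b/(path not shown)
@@ -117,7 +117,7 @@ class Invitation extends Base {
       $aData['username'] = $this->user->getUserName($account_id);
       $aData['subject'] = 'Pending Invitation';
       if ($this->mail->sendMail('invitations/body', $aData)) {
-        $aToken = $this->token->getToken($aData['token']);
+        $aToken = $this->token->getToken($aData['token'], 'invitation');
         if (!$this->createInvitation($account_id, $aData['email'], $aToken['id']))
           return false;
         return true;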
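Review bot: The new `$aToken = $this->token->getToken($aData['token'], 'invitation')` line can now yield `false` (the type-check path added to `Token::getToken` in this commit) or `null` (no row, from `fetch_assoc()`), yet the next line reads `$aToken['id']` unconditionally and passes a null id to `createInvitation`. Guard the result before using it: `if (!$aToken = $this->token->getToken($aData['token'], 'invitation')) { $this->setErrorMessage('Unable to find invitation token'); return false; }`. Note the mail has already been sent at that point, so a failed lookup leaves the recipient holding a token with no invitation record; a debug-log line on that path would help diagnose it. The enclosing method starts before this hunk.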


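--- a/(path not shown)
+++ b/(path not shown)
@@ -11,7 +11,11 @@ class Token Extends Base {
    * @param name string Setting name
    * @return value string Value
    **/
-  public function getToken($strToken) {
+  public function getToken($strToken, $strType=NULL) {
+    if (empty($strType) || ! $iToken_id = $this->tokentype->getTypeId($strType)) {
+      $this->setErrorMessage('Invalid token type: ' . $strType);
+      return false;
+    }
     $stmt = $this->mysqli->prepare("SELECT * FROM $this->table WHERE token = ? LIMIT 1");
     if ($stmt && $stmt->bind_param('s', $strToken) && $stmt->execute() && $result = $stmt->get_result())
       return $result->fetch_assoc();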
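Review bot: `$iToken_id`, resolved on the new `if (empty($strType) || ! $iToken_id = $this->tokentype->getTypeId($strType))` line, is never used: the query two lines below is still `SELECT * FROM $this->table WHERE token = ? LIMIT 1`, so the lookup matches a token of any type and the caller only learns that the type name it passed exists in the type table. A token issued for one flow (say a password reset) would still be returned to a caller asking for `'invitation'` or `'confirm_email'`, which is the confusion this commit sets out to close. Bind the type into the query, e.g. `... WHERE token = ? AND type = ? LIMIT 1` with `$stmt->bind_param('si', $strToken, $iToken_id)`, substituting whatever column actually holds the type id, which the hunk does not show. The docblock above the signature still describes a settings getter (`@param name string Setting name`); it should document `$strToken` and `$strType` and state that `false` is returned for an unknown type. getToken's body continues past the hunk.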


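--- a/(path not shown)
+++ b/(path not shown)
@@ -491,7 +491,10 @@ class User extends Base {
       return false;
     }
     if (isset($strToken) && !empty($strToken)) {
-      $aToken = $this->token->getToken($strToken);
+      if ( ! $aToken = $this->token->getToken($strToken, 'invitation')) {
+        $this->setErrorMessage('Unable to find token');
+        return false;
+      }
       // Circle dependency, so we create our own object here
       $invitation = new Invitation();
       $invitation->setMysql($this->mysqli);
@@ -567,7 +570,7 @@ class User extends Base {
    **/
   public function resetPassword($token, $new1, $new2) {
     $this->debug->append("STA " . __METHOD__, 4);
-    if ($aToken = $this->token->getToken($token)) {
+    if ($aToken = $this->token->getToken($token, 'password_reset')) {
       if ($new1 !== $new2) {
         $this->setErrorMessage( 'New passwords do not match' );
         return false;
@@ -588,7 +591,7 @@ class User extends Base {
         $this->setErrorMessage('Unable to set new password');
       }
     } else {
-      $this->setErrorMessage('Invalid token');
+      $this->setErrorMessage('Invalid token: ' . $this->token->getError());
     }
     $this->debug->append('Failed to update password:' . $this->mysqli->error);
     return false;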
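Review bot: The new `$this->setErrorMessage('Invalid token: ' . $this->token->getError())` line in the last hunk surfaces whatever `Token::getError()` last held, but the `getToken` added in this commit only sets an error on the unknown-type path; when the token simply does not exist it returns `fetch_assoc()`'s null without touching the error, so the user sees either an internal detail (`Invalid token type: password_reset`, which can only mean the type table is misconfigured) or a stale message from an earlier call. The first hunk handles the same failure in the invitation path with a fixed `'Unable to find token'`, so the two paths are inconsistent. Keep a fixed user-facing message and route the detail to the debug log: `$this->setErrorMessage('Invalid token'); $this->debug->append('Token lookup failed: ' . $this->token->getError(), 4);`. resetPassword's body between the second and third hunks is outside this view.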


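--- a/(path not shown)
+++ b/(path not shown)
@@ -6,8 +6,8 @@ if (!defined('SECURITY')) die('Hacking attempt');
 // Confirm an account by token
 if (!isset($_GET['token']) || empty($_GET['token'])) {
   $_SESSION['POPUP'][] = array('CONTENT' => 'Missing token', 'TYPE' => 'errormsg');
-} else if (!$aToken = $oToken->getToken($_GET['token'])) {
-  $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to activate your account. Invalid token', 'TYPE' => 'errormsg');
+} else if (!$aToken = $oToken->getToken($_GET['token'], 'confirm_email')) {
+  $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to activate your account. Invalid token.', 'TYPE' => 'errormsg');
 } else {
   $user->changeLocked($aToken['account_id']);
   $oToken->deleteToken($aToken['token']);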
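Review bot: The success branch after the new `getToken($_GET['token'], 'confirm_email')` check still deletes the token on the line following `$user->changeLocked($aToken['account_id'])` without looking at that call's result, so if the unlock fails the one-time token is gone and the user cannot retry with the same link. Assuming `changeLocked` reports failure by return value, as the other helpers touched in this commit do, make the deletion conditional: `if ($user->changeLocked($aToken['account_id'])) { $oToken->deleteToken($aToken['token']); } else { $_SESSION['POPUP'][] = array('CONTENT' => 'Unable to activate your account.', 'TYPE' => 'errormsg'); }`. The rest of this `else` branch is outside the hunk.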