[SECURITY] Path disclosure and redirects

* [SECURITY] Do not disclose paths with wrong query arguments in API
* [SECURITY] Removed $to redirect after login

Fixes #1596 once merged.
Sebastian Grewe 2014-01-26 17:41:27 +01:00
parent 0d2895f517
commit b87691371f
3 changed files with 6 additions and 3 deletions


@ -43,7 +43,9 @@ class Api extends Base {
* Check user access level to the API call
**/
function checkAccess($user_id, $get_id=NULL) {
if ( ! $this->user->isAdmin($user_id) && (!empty($get_id) && $get_id != $user_id)) {
if (!empty($get_id) && is_array($get_id)) die("Access denied");
if (is_array($user_id)) die("Access denied");
if ( ! $this->user->isAdmin($user_id) && (!empty($get_id) && $get_id != $user_id || !is_int($user_id))) {
// User is NOT admin and tries to access an ID that is not their own
header("HTTP/1.1 401 Unauthorized");
die("Access denied");
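Review bot: The two new `is_array` early exits end in `die("Access denied")` without sending a status line, so a request carrying an array-valued id is answered with a 200 and an error body, while the branch just below them sends a 401 for the comparable failure. Sending `header("HTTP/1.1 400 Bad Request");` before each of those `die` calls, or folding both checks into the existing 401 branch, keeps the API's error signalling consistent for clients that key on status codes. The appended `|| !is_int($user_id)` sits inside the parenthesised right-hand side of the `&&`, so it only takes effect once `isAdmin($user_id)` has returned false; whether `isAdmin` can succeed for a non-integer value is decided outside this hunk and should be confirmed. checkAccess continues past the end of the hunk.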


@ -457,6 +457,7 @@ class User extends Base {
**/
public function checkApiKey($key) {
$this->debug->append("STA " . __METHOD__, 4);
if (!is_string($key)) return false;
$stmt = $this->mysqli->prepare("SELECT api_key, id FROM $this->table WHERE api_key = ? LIMIT 1");
if ($this->checkStmt($stmt) && $stmt->bind_param("s", $key) && $stmt->execute() && $stmt->bind_result($api_key, $id) && $stmt->fetch()) {
if ($api_key === $key)
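Review bot: The new `is_string($key)` guard changes the method's contract but the docblock closing at `**/` just above the signature does not mention it; a caller cannot tell that an array-valued `api_key` query parameter now yields `false` before any statement is prepared. Adding `@param string $key API key from the request; any non-string value returns false without querying` to that docblock would document the boundary check. The match path, and what the method returns on success, lie outside the hunk.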


@ -27,9 +27,9 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
if (!$setting->getValue('recaptcha_enabled') || !$setting->getValue('recaptcha_enabled_logins') || ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins') && $rsp->is_valid)) {
if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
if ($user->checkLogin(@$_POST['username'], @$_POST['password']) ) {
empty($_POST['to']) ? $to = $_SERVER['SCRIPT_NAME'] : $to = $_POST['to'];
$port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
$location = @$_SERVER['HTTPS'] === true ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $to : 'http://' . $_SERVER['SERVER_NAME'] . $port . $to;
$location = @$_SERVER['HTTPS'] === true ? 'https://' : 'http://';
$location .= $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'] . '?page=dashboard';
if (!headers_sent()) header('Location: ' . $location);
exit('<meta http-equiv="refresh" content="0; url=' . htmlspecialchars($location) . '"/>');
} else {
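Review bot: The rewritten scheme selection keeps `@$_SERVER['HTTPS'] === true`, which never holds: PHP populates `$_SERVER['HTTPS']` as a string such as `'on'` (or `'off'` on some servers), so the strict comparison against boolean `true` always falls through to `'http://'` and the post-login redirect downgrades an HTTPS session to plain HTTP. Replacing the test with `$location = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://';` makes the new fixed-destination redirect honour the original scheme. The surrounding recaptcha/csrf/checkLogin conditionals open before the hunk and close after it.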