From b87691371faed454432817d01e9b6f2e372b442d Mon Sep 17 00:00:00 2001
From: Sebastian Grewe
Date: Sun, 26 Jan 2014 17:41:27 +0100
Subject: [PATCH] [SECURITY] Path disclosure and redirects

* [SECURITY] Do not disclose paths with wrong query arguments in API
* [SECURITY] Removed $to redirect after login

Fixes #1596 once merged.
---
 public/include/classes/api.class.php | 4 +++-
 public/include/classes/user.class.php | 1 +
 public/include/pages/login.inc.php | 4 ++--
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/public/include/classes/api.class.php b/public/include/classes/api.class.php
index 888a059e..336ba2bc 100644
--- a/public/include/classes/api.class.php
+++ b/public/include/classes/api.class.php
@@ -43,7 +43,9 @@ class Api extends Base {
    * Check user access level to the API call
    **/
   function checkAccess($user_id, $get_id=NULL) {
-    if ( ! $this->user->isAdmin($user_id) && (!empty($get_id) && $get_id != $user_id)) {
+    if (!empty($get_id) && is_array($get_id)) die("Access denied");
+    if (is_array($user_id)) die("Access denied");
+    if ( ! $this->user->isAdmin($user_id) && (!empty($get_id) && $get_id != $user_id || !is_int($user_id))) {
       // User is NOT admin and tries to access an ID that is not their own
       header("HTTP/1.1 401 Unauthorized");
       die("Access denied");
diff --git a/public/include/classes/user.class.php b/public/include/classes/user.class.php
index 07ec6b2d..65b8f94a 100644
--- a/public/include/classes/user.class.php
+++ b/public/include/classes/user.class.php
@@ -457,6 +457,7 @@ class User extends Base {
    **/
   public function checkApiKey($key) {
     $this->debug->append("STA " . __METHOD__, 4);
+    if (!is_string($key)) return false;
     $stmt = $this->mysqli->prepare("SELECT api_key, id FROM $this->table WHERE api_key = ? LIMIT 1");
     if ($this->checkStmt($stmt) && $stmt->bind_param("s", $key) && $stmt->execute() && $stmt->bind_result($api_key, $id) && $stmt->fetch()) {
       if ($api_key === $key)
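Review bot: The two guards added at the top of checkAccess() call `die("Access denied")` without first sending the `HTTP/1.1 401 Unauthorized` header that the existing branch two lines below sends, so an array-valued id or user id is rejected with a 200 status and only the body says "denied", which API clients and monitoring keyed on the status code will miss. Folding them into the existing branch keeps one rejection path: replace the two new lines by prefixing the existing condition with `is_array($get_id) || is_array($user_id) ||` (the 401 header and die are then shared). Note also that, because `&&` binds tighter than `||`, the new `!is_int($user_id)` clause only fires for non-admins, and it presumes `$user_id` arrives as a PHP int (as a `bind_result` on an INT column would give); if any caller passes a numeric string, every non-admin request would be refused, so confirm against the call sites. The `$get_id != $user_id` comparison is loose, and a strict `(int)$get_id !== (int)$user_id` would make the ownership check independent of PHP's numeric-string coercion. checkAccess() continues past the end of the hunk.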
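Review bot: The new `if (!is_string($key)) return false;` guard in checkApiKey() introduces an early false return whose contract is not documented; the method's docblock closes just above the signature, outside the hunk, so the parameter and return description should be updated there. Suggested docblock additions: `@param mixed $key raw api_key value from the request; non-string input (e.g. an array from a repeated query parameter) is rejected before any query is prepared` and `@return int|false user id on a matching key, false otherwise` (hedged: the success return value is outside the hunk and should be checked against the rest of the method). If an empty api_key is never valid, the same guard could also return early on `$key === ''` to avoid a pointless prepared-statement round trip. checkApiKey() continues past the end of the hunk.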
diff --git a/public/include/pages/login.inc.php b/public/include/pages/login.inc.php
index 4d44b338..ee4e47d4 100644
--- a/public/include/pages/login.inc.php
+++ b/public/include/pages/login.inc.php
@@ -27,9 +27,9 @@ if ($setting->getValue('maintenance') && !$user->isAdmin($user->getUserIdByEmail
 if (!$setting->getValue('recaptcha_enabled') || !$setting->getValue('recaptcha_enabled_logins') || ($setting->getValue('recaptcha_enabled') && $setting->getValue('recaptcha_enabled_logins') && $rsp->is_valid)) {
   if (!$config['csrf']['enabled'] || $config['csrf']['enabled'] && $csrftoken->valid) {
     if ($user->checkLogin(@$_POST['username'], @$_POST['password']) ) {
-      empty($_POST['to']) ? $to = $_SERVER['SCRIPT_NAME'] : $to = $_POST['to'];
       $port = ($_SERVER["SERVER_PORT"] == "80" or $_SERVER["SERVER_PORT"] == "443") ? "" : (":".$_SERVER["SERVER_PORT"]);
-      $location = @$_SERVER['HTTPS'] === true ? 'https://' . $_SERVER['SERVER_NAME'] . $port . $to : 'http://' . $_SERVER['SERVER_NAME'] . $port . $to;
+      $location = @$_SERVER['HTTPS'] === true ? 'https://' : 'http://';
+      $location .= $_SERVER['SERVER_NAME'] . $port . $_SERVER['SCRIPT_NAME'] . '?page=dashboard';
       if (!headers_sent()) header('Location: ' . $location);
       exit('');
     } else {
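Review bot: `@$_SERVER['HTTPS'] === true` on the new `$location` line can never be satisfied, because PHP exposes `$_SERVER['HTTPS']` as a string (typically `'on'`, or `'off'` on some servers), never as boolean true; the post-login redirect therefore always points at `http://`, which on an HTTPS deployment downgrades the freshly authenticated session unless the cookie is flagged Secure and HSTS is in place. The line carried over from the old code, but since it is being rewritten here it should become `$location = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https://' : 'http://';`, which also removes the need for the `@` suppression. Separately, the second new line still builds the target from `$_SERVER['SERVER_NAME']`, which on common web-server configurations mirrors the request's Host header, so the redirect-target fix is only as strong as the server's canonical host setting; emitting a relative `Location: ` . $_SERVER['SCRIPT_NAME'] . '?page=dashboard'` would sidestep both the scheme and the host question. The enclosing if blocks open and close outside the hunk.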