From 025a8283ab5d679ff99a6b82398e4c8efed1ad9d Mon Sep 17 00:00:00 2001
From: gamonoid
Date: Thu, 14 Jun 2018 03:40:21 +0200
Subject: [PATCH] Critical security issue - fix password hash

---
 core/header.php | 6 +++---
 core/login.com.inc.php | 2 --
 core/login.php | 35 ++++++++++++++++++++++-----------
 core/src/Utils/SessionUtils.php | 3 ++-
 4 files changed, 29 insertions(+), 17 deletions(-)
 delete mode 100644 core/login.com.inc.php

diff --git a/core/header.php b/core/header.php
index d2ded4d4..64dbf4fc 100644
--- a/core/header.php
+++ b/core/header.php
@@ -25,9 +25,9 @@ if (!defined('MODULE_NAME')) {
 }
 include 'includes.inc.php';
-if(empty($user)){
- $actualLink = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
- header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLink));
+if(empty($user) || empty($user->email)){
+ $actualLinkArray = explode('/',$_SERVER['REQUEST_URI']);
+ header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLinkArray[count($actualLinkArray) - 1]));
 exit();
 }
diff --git a/core/login.com.inc.php b/core/login.com.inc.php
deleted file mode 100644
index acb6c354..00000000
--- a/core/login.com.inc.php
+++ /dev/null
@@ -1,2 +0,0 @@
-
diff --git a/core/login.php b/core/login.php
index f8e02609..dc999eae 100644
--- a/core/login.php
+++ b/core/login.php
@@ -9,8 +9,8 @@ if (isset($_REQUEST['logout'])) {
 $_COOKIE['icehrmLF'] = '';
 $user = null;
 }
-
-if (empty($user)) {
+$hashedPwd = null;
+if (empty($user) || empty($user->email)) {
 if (!isset($_REQUEST['f']) && isset($_COOKIE['icehrmLF']) && $_REQUEST['login'] != 'no' && !isset($_REQUEST['username'])) {
 $tempUser = new \Users\Common\Model\User();
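Review bot: The switch from an absolute `http://HTTP_HOST...` URL to the last path segment of `REQUEST_URI` is undocumented and has a gap: a request URI ending in `/` makes the last element an empty string, so `next` encodes `''` and the post-login redirect silently falls through to its default branch. I would add `// keep only the final path segment (script name plus query string); login.php appends it to CLIENT_BASE_URL, so next can never point off-site` above the `explode` line, and on the condition `// a User object that loaded no row is non-empty but has no email; treat it as logged out` — that second sentence is my reading of the model and should be confirmed. The same `empty($user) || empty($user->email)` condition is introduced in the first `core/login.php` hunk and deserves the same comment there.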
@@ -20,8 +20,9 @@ if (empty($user)) {
 sha1($tempUser->email."_".$tempUser->password) == $_COOKIE['icehrmLF']) {
 $_REQUEST['username'] = $tempUser->username;
 $_REQUEST['password'] = $tempUser->password;
- $_REQUEST['hashedPwd'] = $tempUser->password;
+ $hashedPwd = $tempUser->password;
 $_REQUEST['remember'] = true;
+ $cookieLogin = true;
 }
 }
@@ -47,22 +48,33 @@ if (empty($user)) {
 }
 }
- if (!isset($_REQUEST['hashedPwd'])) {
- $_REQUEST['hashedPwd'] = md5($_REQUEST['password']);
+ if (!isset($hashedPwd)) {
+ $hashedPwd = md5($_REQUEST['password']);
 }
-
- include 'login.com.inc.php';
-
 if (empty($suser)) {
 $suser = new \Users\Common\Model\User();
 $suser->Load(
 "(username = ? or email = ?) and password = ?",
- array($_REQUEST['username'],$_REQUEST['username'],$_REQUEST['hashedPwd'])
+ array($_REQUEST['username'], $_REQUEST['username'], $hashedPwd)
 );
 }
- if ($suser->password == $_REQUEST['hashedPwd'] || $ssoUserLoaded) {
+ if (empty($suser->username) || empty($suser->email)) {
+ $next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
+ header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
+ exit();
+ }
+
+ $loginCsrf = \Utils\SessionUtils::getSessionObject('csrf-login');
+
+ if (!$cookieLogin && ($_REQUEST['csrf'] != $loginCsrf || empty($_REQUEST['csrf']))) {
+ $next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
+ header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
+ exit();
+ }
+
+ if ($suser->password === $hashedPwd || $ssoUserLoaded) {
 $user = $suser;
 \Utils\SessionUtils::saveSessionObject('user', $user);
 $suser->last_login = date("Y-m-d H:i:s");
@@ -88,7 +100,7 @@ if (empty($user)) {
 }
 if (!empty($_REQUEST['next']) && !empty(($loginRedirect = \Base64Url\Base64Url::decode($_REQUEST['next'])))) {
- header("Location:" . $loginRedirect);
+ header("Location:" . CLIENT_BASE_URL.$loginRedirect);
 exit();
 } else {
 if ($user->user_level == "Admin") {
@@ -340,6 +352,7 @@ $logoFileUrl = \Classes\UIManager::getInstance()->getCompanyLogoUrl();
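Review bot: `$cookieLogin` is read in the third `core/login.php` hunk (`if (!$cookieLogin && ...)`) but is only assigned inside the cookie branch of the second hunk, so an ordinary form login evaluates an undefined variable; the CSRF check still runs only because `!null` is true, and every such login emits an undefined-variable notice. Initialise it next to the new hash variable at the top of this hunk: `$hashedPwd = null;` followed by `$cookieLogin = false;`. The `if (empty($user) || empty($user->email))` block this hunk opens continues past the end of the hunk.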
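Review bot: The remember-me check on the context line above the changed lines, `sha1(...) == $_COOKIE['icehrmLF']`, is a loose comparison — under PHP's numeric-string rules a digest of the form `0e...` compares equal to `'0'` — and it is not constant-time, yet this hunk now lets its outcome set `$hashedPwd` and `$cookieLogin` and thereby skip the CSRF check. Since the branch is being reworked, harden it in the same change: `hash_equals(sha1($tempUser->email."_".$tempUser->password), (string) $_COOKIE['icehrmLF'])`. That line is not touched by the commit, so this is an additional edit inside the block rather than a correction of the diff.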
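Review bot: The new CSRF check compares the session token with `!=`, which is subject to the same numeric-string coercion as `==`, and `$_REQUEST['next']` is concatenated into the redirect query string unencoded, so a value containing `&` or `#` truncates the `next` parameter (PHP's `header()` refuses CR/LF, so this is breakage rather than header injection). Compare with `hash_equals()` after confirming both sides are non-empty strings, and pass `next` through `rawurlencode()` in both redirect branches, as sketched below. What this commit actually fixes is that the hash no longer comes from the request (`$_REQUEST['hashedPwd']`), which is the correct fix for that bypass; storage is still unsalted `md5()`, so a follow-up migrating to `password_hash()`/`password_verify()` with `password_needs_rehash()` on successful login remains open. The enclosing `if (empty($user) ...)` block starts and ends outside this hunk.
```php
    $loginCsrf = \Utils\SessionUtils::getSessionObject('csrf-login');
    $requestCsrf = isset($_REQUEST['csrf']) && is_string($_REQUEST['csrf']) ? $_REQUEST['csrf'] : '';
    // Constant-time compare; a missing session token is a failure, never a match.
    $csrfValid = is_string($loginCsrf) && $loginCsrf !== '' && hash_equals($loginCsrf, $requestCsrf);

    if (!$cookieLogin && !$csrfValid) {
        $next = !empty($_REQUEST['next']) ? '&next=' . rawurlencode($_REQUEST['next']) : '';
        header("Location:" . CLIENT_BASE_URL . "login.php?f=1" . $next);
        exit();
    }
    // … unchanged: password / SSO check and session save …
```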
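Review bot: Prefixing the decoded `next` with `CLIENT_BASE_URL` in the fourth `core/login.php` hunk is what closes the open redirect, but nothing records that intent, and a later "simplification" back to the bare value would reopen it; add `// next is relative to CLIENT_BASE_URL by design: header.php builds it from the last segment of REQUEST_URI, and prefixing it here keeps the redirect on this application's origin` above the `header()` call. Because header.php keeps only the final path segment, a script served from a subdirectory under CLIENT_BASE_URL would be redirected to the wrong path — if that layout exists, note it in the same comment. The surrounding `if`/`else` continues outside the hunk.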
+
diff --git a/core/src/Utils/SessionUtils.php b/core/src/Utils/SessionUtils.php
index b3b81da1..0ac4162b 100644
--- a/core/src/Utils/SessionUtils.php
+++ b/core/src/Utils/SessionUtils.php
@@ -28,7 +28,8 @@ class SessionUtils
 $names = [
 "user",
 "modulePath",
- "admin_current_profile"
+ "admin_current_profile",
+ "csrf-login"
 ];
 session_start();
 setcookie('icehrmLF', '');
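Review bot: The `"csrf-login"` literal added to `$names` is the same key that `core/login.php` passes to `getSessionObject('csrf-login')`, with nothing tying the two together, so the clear-on-logout list and its consumer can drift apart silently; a `public const CSRF_LOGIN = 'csrf-login';` on `SessionUtils`, referenced from both places, would remove that risk. The enclosing method starts and ends outside the hunk, so whether the token is also regenerated here is not visible.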