Critical security issue - fix password hash
@@ -25,9 +25,9 @@ if (!defined('MODULE_NAME')) {
|
|||||||
}
|
}
|
||||||
include 'includes.inc.php';
|
include 'includes.inc.php';
|
||||||
|
|
||||||
if(empty($user)){
|
if(empty($user) || empty($user->email)){
|
||||||
$actualLink = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
|
$actualLinkArray = explode('/',$_SERVER['REQUEST_URI']);
|
||||||
header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLink));
|
header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLinkArray[count($actualLinkArray) - 1]));
|
||||||
exit();
|
exit();
|
||||||
}
|
}
|
||||||
|
|
||||||
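Review bot: The new `next` target is the last `/`-separated piece of `$_SERVER['REQUEST_URI']`, but `REQUEST_URI` still carries the query string, so a request such as `page.php?next=a/b` yields `b` as the post-login destination and any `/` inside a query value silently truncates it; since the header is client-controlled, derive the piece from the parsed path instead, e.g. `$path = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_PATH); $query = (string) parse_url($_SERVER['REQUEST_URI'], PHP_URL_QUERY); $target = basename($path) . ($query !== '' ? '?' . $query : '');` and encode `$target`. Because login.php now prefixes `CLIENT_BASE_URL` on the decoded value, the redirect can no longer leave the application, which is the right fix for the previous open redirect, though keeping only the basename will break for pages that live below a sub-directory of `CLIENT_BASE_URL` — presumably acceptable here, but worth confirming. The `if (empty($user) || empty($user->email))` guard is complete inside the hunk; the code that encloses it begins before the hunk.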
|
|||||||
@@ -1,2 +0,0 @@
|
|||||||
<?php
|
|
||||||
?>
|
|
||||||
@@ -9,8 +9,8 @@ if (isset($_REQUEST['logout'])) {
|
|||||||
$_COOKIE['icehrmLF'] = '';
|
$_COOKIE['icehrmLF'] = '';
|
||||||
$user = null;
|
$user = null;
|
||||||
}
|
}
|
||||||
|
$hashedPwd = null;
|
||||||
if (empty($user)) {
|
if (empty($user) || empty($user->email)) {
|
||||||
if (!isset($_REQUEST['f']) && isset($_COOKIE['icehrmLF'])
|
if (!isset($_REQUEST['f']) && isset($_COOKIE['icehrmLF'])
|
||||||
&& $_REQUEST['login'] != 'no' && !isset($_REQUEST['username'])) {
|
&& $_REQUEST['login'] != 'no' && !isset($_REQUEST['username'])) {
|
||||||
$tempUser = new \Users\Common\Model\User();
|
$tempUser = new \Users\Common\Model\User();
|
||||||
@@ -20,8 +20,9 @@ if (empty($user)) {
|
|||||||
sha1($tempUser->email."_".$tempUser->password) == $_COOKIE['icehrmLF']) {
|
sha1($tempUser->email."_".$tempUser->password) == $_COOKIE['icehrmLF']) {
|
||||||
$_REQUEST['username'] = $tempUser->username;
|
$_REQUEST['username'] = $tempUser->username;
|
||||||
$_REQUEST['password'] = $tempUser->password;
|
$_REQUEST['password'] = $tempUser->password;
|
||||||
$_REQUEST['hashedPwd'] = $tempUser->password;
|
$hashedPwd = $tempUser->password;
|
||||||
$_REQUEST['remember'] = true;
|
$_REQUEST['remember'] = true;
|
||||||
|
$cookieLogin = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@@ -47,22 +48,33 @@ if (empty($user)) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!isset($_REQUEST['hashedPwd'])) {
|
if (!isset($hashedPwd)) {
|
||||||
$_REQUEST['hashedPwd'] = md5($_REQUEST['password']);
|
$hashedPwd = md5($_REQUEST['password']);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
include 'login.com.inc.php';
|
|
||||||
|
|
||||||
if (empty($suser)) {
|
if (empty($suser)) {
|
||||||
$suser = new \Users\Common\Model\User();
|
$suser = new \Users\Common\Model\User();
|
||||||
$suser->Load(
|
$suser->Load(
|
||||||
"(username = ? or email = ?) and password = ?",
|
"(username = ? or email = ?) and password = ?",
|
||||||
array($_REQUEST['username'],$_REQUEST['username'],$_REQUEST['hashedPwd'])
|
array($_REQUEST['username'], $_REQUEST['username'], $hashedPwd)
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
if ($suser->password == $_REQUEST['hashedPwd'] || $ssoUserLoaded) {
|
if (empty($suser->username) || empty($suser->email)) {
|
||||||
|
$next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
|
||||||
|
header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
|
$loginCsrf = \Utils\SessionUtils::getSessionObject('csrf-login');
|
||||||
|
|
||||||
|
if (!$cookieLogin && ($_REQUEST['csrf'] != $loginCsrf || empty($_REQUEST['csrf']))) {
|
||||||
|
$next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
|
||||||
|
header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
|
||||||
|
exit();
|
||||||
|
}
|
||||||
|
|
||||||
|
if ($suser->password === $hashedPwd || $ssoUserLoaded) {
|
||||||
$user = $suser;
|
$user = $suser;
|
||||||
\Utils\SessionUtils::saveSessionObject('user', $user);
|
\Utils\SessionUtils::saveSessionObject('user', $user);
|
||||||
$suser->last_login = date("Y-m-d H:i:s");
|
$suser->last_login = date("Y-m-d H:i:s");
|
||||||
@@ -88,7 +100,7 @@ if (empty($user)) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!empty($_REQUEST['next']) && !empty(($loginRedirect = \Base64Url\Base64Url::decode($_REQUEST['next'])))) {
|
if (!empty($_REQUEST['next']) && !empty(($loginRedirect = \Base64Url\Base64Url::decode($_REQUEST['next'])))) {
|
||||||
header("Location:" . $loginRedirect);
|
header("Location:" . CLIENT_BASE_URL.$loginRedirect);
|
||||||
exit();
|
exit();
|
||||||
} else {
|
} else {
|
||||||
if ($user->user_level == "Admin") {
|
if ($user->user_level == "Admin") {
|
||||||
@@ -340,6 +352,7 @@ $logoFileUrl = \Classes\UIManager::getInstance()->getCompanyLogoUrl();
|
|||||||
<?php if (!isset($_REQUEST['cp'])) {?>
|
<?php if (!isset($_REQUEST['cp'])) {?>
|
||||||
<form id="loginForm" action="login.php" method="POST">
|
<form id="loginForm" action="login.php" method="POST">
|
||||||
<input type="hidden" id="next" name="next" value="<?=$_REQUEST['next']?>"/>
|
<input type="hidden" id="next" name="next" value="<?=$_REQUEST['next']?>"/>
|
||||||
|
<input type="hidden" id="csrf" name="csrf" value="<?=$csrfToken?>"/>
|
||||||
<fieldset>
|
<fieldset>
|
||||||
<div class="clearfix">
|
<div class="clearfix">
|
||||||
<div class="input-prepend">
|
<div class="input-prepend">
|
||||||
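Review bot: The CSRF check added in the `@@ -47,22` hunk uses a loose `!=` against `$loginCsrf`, and the remember-me branch in the `@@ -20,8` hunk still compares `sha1(...)` with the cookie using `==`; both operators coerce numeric-looking strings in PHP, so write `if (!$cookieLogin && (empty($_REQUEST['csrf']) || !is_string($_REQUEST['csrf']) || !hash_equals((string) $loginCsrf, $_REQUEST['csrf'])))` and `hash_equals(sha1($tempUser->email."_".$tempUser->password), (string) $_COOKIE['icehrmLF'])`. The hidden `next` input in the last hunk still echoes `$_REQUEST['next']` raw into an attribute, a reflected XSS sink whenever the login form is reached with a crafted `next`; use `value="<?= htmlspecialchars($_REQUEST['next'] ?? '', ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') ?>"` (and the same for `$csrfToken` unless it is known to be hex). Dropping the `$_REQUEST['hashedPwd']` override closes the pass-the-hash bypass, but `$hashedPwd = md5($_REQUEST['password'])` means the stored hashes are still unsalted MD5, so moving to `password_hash()`/`password_verify()` with `password_needs_rehash()` on a successful login would complete the fix the commit title promises. Nothing visible regenerates the session id before `saveSessionObject('user', $user)`; unless that helper does it, add `session_regenerate_id(true);` there to prevent session fixation. The `if (empty($user) || empty($user->email))` block wrapping all of this starts in the `@@ -9,8` hunk and continues beyond `@@ -88,7`.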
|
|||||||
@@ -28,7 +28,8 @@ class SessionUtils
|
|||||||
$names = [
|
$names = [
|
||||||
"user",
|
"user",
|
||||||
"modulePath",
|
"modulePath",
|
||||||
"admin_current_profile"
|
"admin_current_profile",
|
||||||
|
"csrf-login"
|
||||||
];
|
];
|
||||||
session_start();
|
session_start();
|
||||||
setcookie('icehrmLF', '');
|
setcookie('icehrmLF', '');
|
||||||
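Review bot: `setcookie('icehrmLF', '')` on the line after `session_start()` only blanks the remember-me cookie; without a past `expires` and the same `path`/`domain` the cookie was issued with, the browser keeps it and keeps sending the empty value, so prefer `setcookie('icehrmLF', '', ['expires' => time() - 3600, 'path' => '/', 'httponly' => true, 'secure' => !empty($_SERVER['HTTPS'])]);` with attributes matching the place the cookie is set. The new `"csrf-login"` entry presumably makes the login token part of the session state this method resets; if so, login.php must issue a fresh token after this runs, which is not visible here. The enclosing method begins and ends outside the hunk, so whether these keys are unset or preserved cannot be confirmed from it.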
|
|||||||