Fixed security issue reported by huntr.dev: Session cookie missed the "secure" flag. Thanks for reporting!
azett committed Oct 23, 2021
1 parent f4209dc commit e2a6bf1
Showing 5 changed files with 138 additions and 139 deletions.
3 changes: 1 addition & 2 deletions defaults.php
Expand Up @@ -120,10 +120,9 @@
}
$serverport = "false";
// Unterstützung für Apache und IIS
ini_set('session.cookie_secure', 1);
if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
$serverport = "https://";
// Uses a secure connection (HTTPS) if possible
ini_set('session.cookie_secure', 1);
} else {
$serverport = "http://";
}
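Review bot: `ini_set('session.cookie_secure', 1);` now appears to sit above the HTTPS check (the hunk shrinks from 10 to 9 lines, so the copy inside the `if` is the one removed), which makes the Secure flag unconditional: on a plain-HTTP install the browser will not return the session cookie, and recent browsers refuse to store a Secure cookie set from an insecure origin at all, so every request starts a fresh session and login cannot stick. If the intent is to always force Secure, the site must redirect HTTP to HTTPS before this point; otherwise keep the call inside the `if` branch or derive the value from the detected scheme. The same spot should also set `ini_set('session.cookie_httponly', 1);`, since nothing else protects the session id from script access. The enclosing code starts before this hunk; note too that the check only honours `$_SERVER['HTTPS']`, so behind a TLS-terminating proxy that sends `X-Forwarded-Proto` the scheme is still detected as `http://`.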
177 changes: 90 additions & 87 deletions fp-includes/core/core.cookie.php
@@ -1,138 +1,141 @@
<?php

function cookie_setup() {

global $fp_config;

// md5(BLOG_BASEURL);

if ( !defined('COOKIEHASH') )
define('COOKIEHASH', $fp_config['general']['blogid']);

if ( !defined('USER_COOKIE') )
define('USER_COOKIE', 'fpuser_'. COOKIEHASH);
if ( !defined('PASS_COOKIE') )
define('PASS_COOKIE', 'fppass_'. COOKIEHASH);
if ( !defined('SESS_COOKIE') )
define('SESS_COOKIE', 'fpsess_'. COOKIEHASH);

if ( !defined('COOKIEPATH') )
define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL ) );
if ( !defined('SITECOOKIEPATH') )
define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL ) );
if ( !defined('COOKIE_DOMAIN') )
define('COOKIE_DOMAIN', false);


global $fp_config;

// md5(BLOG_BASEURL);

if (!defined('COOKIEHASH'))
define('COOKIEHASH', $fp_config ['general'] ['blogid']);

if (!defined('USER_COOKIE'))
define('USER_COOKIE', 'fpuser_' . COOKIEHASH);
if (!defined('PASS_COOKIE'))
define('PASS_COOKIE', 'fppass_' . COOKIEHASH);
if (!defined('SESS_COOKIE'))
define('SESS_COOKIE', 'fpsess_' . COOKIEHASH);

if (!defined('COOKIEPATH'))
define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL));
if (!defined('SITECOOKIEPATH'))
define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL));
if (!defined('COOKIE_DOMAIN'))
define('COOKIE_DOMAIN', false);
if (!defined('COOKIE_SECURE'))
define('COOKIE_SECURE', true);
}

if ( !function_exists('wp_get_cookie_login') ):
function wp_get_cookie_login() {
if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) )
return false;
if (!function_exists('wp_get_cookie_login')) :

return array('login' => $_COOKIE[USER_COOKIE], 'password' => $_COOKIE[PASS_COOKIE]);
}
function wp_get_cookie_login() {
if (empty($_COOKIE [USER_COOKIE]) || empty($_COOKIE [PASS_COOKIE]))
return false;

return array(
'login' => $_COOKIE [USER_COOKIE],
'password' => $_COOKIE [PASS_COOKIE]
);
}

endif;


function cookie_set($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
if ( !$already_md5 )
$password = md5( md5($password) ); // Double hash the password in the cookie.
if (!$already_md5)
$password = md5(md5($password)); // Double hash the password in the cookie.

if ( empty($home) )
if (empty($home))
$cookiepath = COOKIEPATH;
else
$cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/' );
$cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/');

if ( empty($siteurl) ) {
if (empty($siteurl)) {
$sitecookiepath = SITECOOKIEPATH;
$cookiehash = COOKIEHASH;
} else {
$sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/' );
$sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/');
$cookiehash = md5($siteurl);
}

if ( $remember )
if ($remember)
$expire = time() + 31536000;
else
$expire = 0;

setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);
setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);

if ( $cookiepath != $sitecookiepath ) {
setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);
setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
if ($cookiepath != $sitecookiepath) {
setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
}
}

function cookie_clear() {
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
}

if (!function_exists('wp_login')) :

if ( !function_exists('wp_login') ) :
function wp_login($username, $password, $already_md5 = false) {
global $wpdb, $error;
function wp_login($username, $password, $already_md5 = false) {
global $wpdb, $error;

$username = sanitize_user($username);
$username = sanitize_user($username);

if ( '' == $username )
return false;
if ('' == $username)
return false;

if ( '' == $password ) {
$error = __('<strong>ERROR</strong>: The password field is empty.');
return false;
}
if ('' == $password) {
$error = __('<strong>ERROR</strong>: The password field is empty.');
return false;
}

$login = get_userdatabylogin($username);
//$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
$login = get_userdatabylogin($username);
// $login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");

if (!$login) {
$error = __('<strong>ERROR</strong>: Invalid username.');
return false;
} else {
// If the password is already_md5, it has been double hashed.
// Otherwise, it is plain text.
if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
return true;
} else {
$error = __('<strong>ERROR</strong>: Incorrect password.');
$pwd = '';
if (!$login) {
$error = __('<strong>ERROR</strong>: Invalid username.');
return false;
} else {
// If the password is already_md5, it has been double hashed.
// Otherwise, it is plain text.
if (($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password))) {
return true;
} else {
$error = __('<strong>ERROR</strong>: Incorrect password.');
$pwd = '';
return false;
}
}
}
}
endif;

if ( !function_exists('is_user_logged_in') ) :
function is_user_logged_in() {
$user = wp_get_current_user();
if (!function_exists('is_user_logged_in')) :

if ( $user->id == 0 )
return false;
function is_user_logged_in() {
$user = wp_get_current_user();

return true;
}
if ($user->id == 0)
return false;

return true;
}
endif;

if ( !function_exists('auth_redirect') ) :
function auth_redirect() {
// Checks if a user is logged in, if not redirects them to the login page
if ( (!empty($_COOKIE[USER_COOKIE]) &&
!wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||
(empty($_COOKIE[USER_COOKIE])) ) {
nocache_headers();
if (!function_exists('auth_redirect')) :

function auth_redirect() {
// Checks if a user is logged in, if not redirects them to the login page
if ((!empty($_COOKIE [USER_COOKIE]) && !wp_login($_COOKIE [USER_COOKIE], $_COOKIE [PASS_COOKIE], true)) || (empty($_COOKIE [USER_COOKIE]))) {
nocache_headers();

wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
exit();
wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER ['REQUEST_URI']));
exit();
}
}
}
endif;


?>
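Review bot: COOKIE_SECURE is hard-wired in cookie_setup() with `define('COOKIE_SECURE', true);`, so on a plain-HTTP deployment the fpuser_/fppass_ cookies written by cookie_set() are flagged Secure and never sent back by the browser, which silently breaks cookie login there; it should be derived from the same HTTPS detection defaults.php performs, e.g. `define('COOKIE_SECURE', !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off');`. The setcookie() calls in cookie_set() and cookie_clear() still omit the seventh `$httponly` argument, so the cookie carrying the double-md5 password hash remains readable from script; appending `, true` after `COOKIE_SECURE` in each call closes that. Separately, wp_login() compares the cookie hash with a loose `==` (`md5($login->user_pass) == $password`), which is subject to PHP's numeric-string comparison (two `0e…` strings compare equal) and is not constant-time; `hash_equals(md5($login->user_pass), (string) $password)` is the drop-in replacement. Only the COOKIE_SECURE definition is new in this commit; the other two are pre-existing but live in the rewritten lines.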
73 changes: 35 additions & 38 deletions fp-includes/core/core.session.php
@@ -1,44 +1,41 @@
<?php



function sess_setup() {
if (SESSION_PATH != '')
session_save_path(SESSION_PATH);

session_name(SESS_COOKIE);

session_start();

}


function sess_add($key, $val) {
$_SESSION[$key] = $val;
}


function sess_remove($key) {
if (isset($_SESSION[$key])) {
$oldval=$_SESSION[$key];
unset($_SESSION[$key]);
return $oldval;
}
}

function sess_get($key) {
if (isset($_SESSION[$key]))
return $_SESSION[$key];
else return false;
function sess_setup() {
if (SESSION_PATH != '')
session_save_path(SESSION_PATH);

session_name(SESS_COOKIE);
setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE);

session_start();
}

function sess_add($key, $val) {
$_SESSION [$key] = $val;
}

function sess_remove($key) {
if (isset($_SESSION [$key])) {
$oldval = $_SESSION [$key];
unset($_SESSION [$key]);
return $oldval;
}

function sess_close() {
unset($_SESSION);
if (isset($_COOKIE[session_name()])) {
setcookie(session_name(), '', time()-42000, '/');
session_set_cookie_params(-42000);
}
session_destroy();
}

function sess_get($key) {
if (isset($_SESSION [$key]))
return $_SESSION [$key];
else
return false;
}

function sess_close() {
unset($_SESSION);
if (isset($_COOKIE [session_name()])) {
setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE);
session_set_cookie_params(-42000);
}
session_destroy();
}

?>
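Review bot: The new `setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE);` in sess_setup() does not put a Secure flag on the session cookie: session_start() emits its own Set-Cookie for the session id from the session.cookie_* settings, and PHP turns an empty-value setcookie() into a deletion cookie scoped to the current directory path, which most likely affects nothing. The flag has to be configured before session_start() instead, e.g. `session_set_cookie_params(0, '/', '', COOKIE_SECURE, true);` (or `ini_set('session.cookie_secure', COOKIE_SECURE ? 1 : 0);` plus `ini_set('session.cookie_httponly', 1);`), and the setcookie() line dropped. In sess_close() the rewritten `setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE);` passes COOKIE_SECURE as the fifth positional argument, which is `$domain`, not `$secure`; `true` is coerced to the domain string `"1"`, which browsers reject as not matching the host, so the session cookie is no longer cleared on logout — it should read `setcookie(session_name(), '', time() - 42000, '/', '', COOKIE_SECURE, true);`.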
8 changes: 4 additions & 4 deletions fp-includes/core/core.users.php
Expand Up @@ -64,8 +64,8 @@ function user_login($userid, $pwd, $params = null) {
if ($loggedin) {
// session_regenerate_id();
$expire = time() + 31536000;
setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN);
setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN);
setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
}

return $loggedin;
Expand All @@ -76,8 +76,8 @@ function user_logout() {

if (user_loggedin()) {

setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
}

$loggedin = false;
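Review bot: The login cookies set in user_login() still carry no HttpOnly flag — the seventh setcookie() argument is left at its default — so the fppass_ cookie, which holds whatever `$user ['password']` contains (by name, the stored credential), stays readable from any injected script; `setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE, true);` (and the same seventh argument on the USER_COOKIE call and the two clearing calls in user_logout()) fixes that. The `// session_regenerate_id();` left commented out directly above the cookies means a session id obtained before authentication stays valid after it, i.e. the login remains open to session fixation; it should be re-enabled as `session_regenerate_id(true);`. Both user_login() and user_logout() begin before their hunks, so the `$loggedin` and `$user` assignments are not visible here.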
16 changes: 8 additions & 8 deletions fp-includes/core/core.wp-pluggable-funcs.php
Expand Up @@ -290,23 +290,23 @@ function wp_setcookie($username, $password, $already_md5 = false, $home = '', $s
$cookiehash = md5($siteurl);
}

setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath);
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath);
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE);
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE);

if ($cookiepath != $sitecookiepath) {
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath);
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath);
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
}
}
endif;

if (!function_exists('wp_clearcookie')) :

function wp_clearcookie() {
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH);
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH);
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
}
endif;

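Review bot: In wp_setcookie() and wp_clearcookie() COOKIE_SECURE is passed as the fifth positional argument of setcookie(), which is `$domain`, not `$secure`; `true` is coerced to the domain string `"1"`, which browsers reject because it does not match the request host, so these eight calls now neither flag the cookies Secure nor set or clear them at all. Each call needs an explicit (empty) domain before the flag, and since the lines are being rewritten anyway the HttpOnly argument should go in at the same time. wp_setcookie() starts before this hunk, where `$cookiepath`, `$sitecookiepath` and `$cookiehash` are computed.
```php
// … unchanged: $cookiepath / $sitecookiepath / $cookiehash computation …
setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, '', COOKIE_SECURE, true);
setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, '', COOKIE_SECURE, true);

if ($cookiepath != $sitecookiepath) {
    setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, '', COOKIE_SECURE, true);
    setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, '', COOKIE_SECURE, true);
}
// … unchanged: end of wp_setcookie, function_exists guard …
function wp_clearcookie() {
    setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, '', COOKIE_SECURE, true);
    setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, '', COOKIE_SECURE, true);
    setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, '', COOKIE_SECURE, true);
    setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, '', COOKIE_SECURE, true);
}
```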
