From 4e06fbaf2b78c3615d0599855a72ba7e31157516 Mon Sep 17 00:00:00 2001
From: nilsteampassnet
Date: Fri, 17 Mar 2023 11:40:49 +0100
Subject: [PATCH] 3.0.0.23 Fix for identified CWE-285: Improper Authorization
---
 error.php | 2 +-
 includes/core/load.js.php | 4 ++--
 includes/core/logout.php | 10 ++++++----
 install/css/install.css | 8 --------
 install/upgrade.php | 31 ++++++++++++++++++++++++++++++-
 5 files changed, 39 insertions(+), 16 deletions(-)
diff --git a/error.php b/error.php
index b5e44337c..76f55ed1b 100755
--- a/error.php
+++ b/error.php
@@ -103,7 +103,7 @@

Oops! .

- For security reason, you have been disconnected. Click to >log in.
+ For security reason, you have been disconnected. Click to >log in.

diff --git a/includes/core/load.js.php b/includes/core/load.js.php
index c22b0a691..5905f481c 100755
--- a/includes/core/load.js.php
+++ b/includes/core/load.js.php
@@ -482,7 +482,7 @@ function(data) {
 document.location.href = "index.php?page=profile";
 } else if ($(this).data('name') === 'logout') {
 // Logout directly to login form
- window.location.href = "./includes/core/logout.php?user_id=" +
+ window.location.href = "./includes/core/logout.php?token=";
 }
 }
 });
@@ -1674,7 +1674,7 @@ function(data) {
 } );
- window.location.href = "./includes/core/logout.php?user_id=" +
+ window.location.href = "./includes/core/logout.php?token=" +
 } else if (store.get('teampassUser').admin_user_password) {
 // now select if sending by email
 $('#dialog-admin-change-user-password-info').html('

'+
diff --git a/includes/core/logout.php b/includes/core/logout.php
index a68b1821c..99a2f31fd 100755
--- a/includes/core/logout.php
+++ b/includes/core/logout.php
@@ -38,10 +38,11 @@
 // Update table by deleting ID
 if (isset($_SESSION['user_id']) === true && empty($_SESSION['user_id']) === false) {
 $user_id = $_SESSION['user_id'];
-} elseif (isset($get['user_id']) === true && empty($get['user_id']) === false) {
- $user_id = $get['user_id'];
+} elseif (isset($get['token']) === true && empty($get['token']) === false) {
+ $user_token = $get['token'];
 } else {
 $user_id = '';
+ $user_token = '';
 }
 if (empty($user_id) === false && isset($_SESSION['CPM']) === true) {
@@ -65,8 +66,9 @@
 'timestamp' => '',
 'session_end' => '',
 ],
- 'id=%i',
- $user_id
+ 'id=%i || key_tempo=%s',
+ $user_id,
+ $user_token
 );
 //Log into DB the user's disconnection
 if (isset($SETTINGS['log_connections']) === true
diff --git a/install/css/install.css b/install/css/install.css
index 8ba5a27f9..3b50c52f2 100755
--- a/install/css/install.css
+++ b/install/css/install.css
@@ -121,11 +121,3 @@ h5 {
 .hidden {
 display: none;
 }
-
-.center-screen {
- position:absolute;
- top:50%;
- left: 50%;
- margin-right: -50%;
- transform: translate(-50%, -50%);
-}
\ No newline at end of file
diff --git a/install/upgrade.php b/install/upgrade.php
index b07964958..54b7265e1 100755
--- a/install/upgrade.php
+++ b/install/upgrade.php
@@ -276,7 +276,36 @@ function getSettingValue($val)
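Review bot: The logout token now travels in the URL query string (`logout.php?token=` here and in the hunk at @@ -482), where it is recorded in browser history, web-server access logs and any Referer header sent from the logout page, which is a poor place for a value that authorises ending a session; since logout.php reads the session first, consider omitting the parameter when a session cookie exists or sending it in a POST body instead. The value appended after `?token=` is not visible in the rendered hunk, and in the hunk at @@ -482 the new line ends at `?token=";` with nothing appended — if that is not an extraction artefact, that link sends an empty token and logout.php's `empty($get['token'])` check will simply ignore it. The enclosing handlers begin and end outside both hunks.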
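Review bot: The new `elseif` branch assigns only `$user_token` while the session branch assigns only `$user_id`, so in either of those two paths one of the variables is left undefined, yet the update at @@ -65 binds both; initialise both before the chain, `$user_id = ''; $user_token = '';`, and keep the per-branch assignments. The guard on the last context line, `if (empty($user_id) === false && isset($_SESSION['CPM']) === true) {`, is still keyed on `$user_id` alone, so if the update sits inside it (its body is outside the hunk) a request carrying only a token never reaches the `key_tempo` clause; if the token path is meant to work, the guard has to admit a non-empty `$user_token` as well, e.g. `if ((empty($user_id) === false || empty($user_token) === false) && isset($_SESSION['CPM']) === true) {`.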
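Review bot: The where clause `'id=%i || key_tempo=%s'` relies on `||` meaning OR, which in MySQL depends on sql_mode — with `PIPES_AS_CONCAT` enabled `||` is string concatenation and the condition silently changes meaning; spell it `'id=%i OR key_tempo=%s'`. More important for the authorisation fix, both placeholders are always bound even though the branch at @@ -38 sets only one of `$user_id`/`$user_token`, so the other is an undefined variable at this point; should `$user_token` ever bind as an empty string, `key_tempo=''` matches every row whose key_tempo is blank and the update clears the session fields of other users. Build the condition from whichever identifier is actually non-empty — `id=%i` when `$user_id` is set, `key_tempo=%s` when `$user_token` is set — rather than always combining both. The update call these arguments belong to opens outside the hunk.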
DataBase Informations
-
'; +
+ '; // check if all database info are available if ($dbSettings === true) {