3.0.0.23

Fix for identified CWE-285: Improper Authorization
nilsteampassnet · Mar 17, 2023 · 4e06fba · 4e06fba
1 parent 4cd9b4b
commit 4e06fba
Show file tree

Hide file tree

Showing 5 changed files with 39 additions and 16 deletions.
diff --git a/error.php b/error.php
@@ -103,7 +103,7 @@
                 <h3><i class="fa fa-warning text-danger"></i> Oops! <?php echo $errorCode; ?>.</h3>
 
                 <p>
-                    For security reason, you have been disconnected. Click to <a href="./includes/core/logout.php?user_id=" + <?php echo isset($_SESSION['user_id']) === true ? $_SESSION['user_id'] : ''; ?>>log in</a>.
+                    For security reason, you have been disconnected. Click to <a href="./includes/core/logout.php?token=" + <?php echo isset($_SESSION['key']) === true ? $_SESSION['key'] : ''; ?>>log in</a>.
                 </p>
 
             </div>

diff --git a/includes/core/load.js.php b/includes/core/load.js.php
@@ -482,7 +482,7 @@ function(data) {
                 document.location.href = "index.php?page=profile";
             } else if ($(this).data('name') === 'logout') {
                 // Logout directly to login form
-                window.location.href = "./includes/core/logout.php?user_id=" + <?php echo $_SESSION['user_id']; ?>
+                window.location.href = "./includes/core/logout.php?token=<?php echo $_SESSION['key']; ?>";
             }
         }
     });
@@ -1674,7 +1674,7 @@ function(data) {
                         }
                     );
 
-                    window.location.href = "./includes/core/logout.php?user_id=" + <?php echo $_SESSION['user_id']; ?>
+                    window.location.href = "./includes/core/logout.php?token=" + <?php echo $_SESSION['key']; ?>
                 } else if (store.get('teampassUser').admin_user_password) {
                     // now select if sending by email
                     $('#dialog-admin-change-user-password-info').html('<i class="fas fa-envelope-open-text fa-lg warning mr-2"></i><?php echo langHdl('information'); ?><br><br>'+

diff --git a/includes/core/logout.php b/includes/core/logout.php
@@ -38,10 +38,11 @@
 // Update table by deleting ID
 if (isset($_SESSION['user_id']) === true && empty($_SESSION['user_id']) === false) {
     $user_id = $_SESSION['user_id'];
-} elseif (isset($get['user_id']) === true && empty($get['user_id']) === false) {
-    $user_id = $get['user_id'];
+} elseif (isset($get['token']) === true && empty($get['token']) === false) {
+    $user_token = $get['token'];
 } else {
     $user_id = '';
+    $user_token = '';
 }
 
 if (empty($user_id) === false && isset($_SESSION['CPM']) === true) {
@@ -65,8 +66,9 @@
             'timestamp' => '',
             'session_end' => '',
         ],
-        'id=%i',
-        $user_id
+        'id=%i || key_tempo=%s',
+        $user_id,
+        $user_token
     );
     //Log into DB the user's disconnection
     if (isset($SETTINGS['log_connections']) === true

diff --git a/install/css/install.css b/install/css/install.css
@@ -121,11 +121,3 @@ h5 {
 .hidden {
   display: none;
 }
-
-.center-screen {
-	position:absolute;
-	top:50%;
-	left: 50%;
-	margin-right: -50%;
-	transform: translate(-50%, -50%);
-}
diff --git a/install/upgrade.php b/install/upgrade.php
@@ -276,7 +276,36 @@ function getSettingValue($val)
                     <div class="card-header">
                         <h5>DataBase Informations</h5>
                     </div>
-                    <div class="card-body">';
+                    <div class="card-body">
+                        <!--<div class="form-group">
+                            <label>Host</label>
+                            <input type="text" class="form-control" name="db_host" id="db_host" class="ui-widget" value="'.DB_HOST.'">
+                        </div>
+                        
+                        <div class="form-group">
+                            <label>Database name</label>
+                            <input type="text" class="form-control" name="db_name" id="db_name" class="ui-widget" value="'.DB_NAME.'">
+                        </div>
+                        
+                        <div class="form-group">
+                            <label>Login</label>
+                            <input type="text" class="form-control" name="db_user" id="db_user" class="ui-widget" value="'.DB_USER.'">
+                        </div>
+                        
+                        <div class="form-group">
+                            <label>Password</label>
+                            <input type="text" class="form-control" name="db_pw" id="db_pw" class="ui-widget" value="'.$visible_pwd.'">
+                        </div>
+                        
+                        <div class="form-group">
+                            <label>Prefix</label>
+                            <input type="text" class="form-control" name="db_prefix" id="db_prefix" class="ui-widget" value="'.DB_PREFIX.'">
+                        </div>
+                        
+                        <div class="form-group">
+                            <label>Port</label>
+                            <input type="text" class="form-control" name="db_port" id="db_port" class="ui-widget" value="'.DB_PORT.'">
+                        </div>-->';
 
     // check if all database  info are available
     if ($dbSettings === true) {