From 0b2389c6bd371fa88c11a673a8fd9dc7c876b003 Mon Sep 17 00:00:00 2001 From: slackero Date: Wed, 1 Sep 2021 08:58:44 +0200 Subject: [PATCH] Improve the security of the backend session --- filebrowser.php | 3 +- fileinfo.php | 3 +- include/inc_act/act_download.php | 3 +- include/inc_lib/checklogin.inc.php | 69 ++++++++++++++---------------- include/inc_lib/default.inc.php | 11 +++-- include/inc_lib/general.inc.php | 5 ++- login.php | 2 + 7 files changed, 52 insertions(+), 44 deletions(-) diff --git a/filebrowser.php b/filebrowser.php index ed6c444ef..aaed2cd0b 100644 --- a/filebrowser.php +++ b/filebrowser.php @@ -31,7 +31,8 @@ if( empty($_SESSION["wcs_user_lang"]) ) { - session_destroy(); + $_SESSION = array(); + @session_destroy(); headerRedirect(PHPWCMS_URL, 401); } else { diff --git a/fileinfo.php b/fileinfo.php index 6463f7f32..c7cc93084 100644 --- a/fileinfo.php +++ b/fileinfo.php @@ -16,7 +16,8 @@ require_once PHPWCMS_ROOT.'/include/inc_lib/helper.session.php'; if(empty($_SESSION["wcs_user_lang"])) { - session_destroy(); + $_SESSION = array(); + @session_destroy(); headerRedirect($phpwcms['site'].$phpwcms["root"]); } else { require 'include/inc_lang/backend/en/lang.ext.inc.php'; diff --git a/include/inc_act/act_download.php b/include/inc_act/act_download.php index 63e0335f7..f3d48353e 100644 --- a/include/inc_act/act_download.php +++ b/include/inc_act/act_download.php @@ -87,7 +87,8 @@ if($err): - session_destroy(); + $_SESSION = array(); + @session_destroy(); ?> diff --git a/include/inc_lib/checklogin.inc.php b/include/inc_lib/checklogin.inc.php index c87561b55..31a8e6214 100644 --- a/include/inc_lib/checklogin.inc.php +++ b/include/inc_lib/checklogin.inc.php 
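Review bot: Resetting `$_SESSION` and calling `@session_destroy()` in filebrowser.php invalidates the server-side session but leaves the session cookie on the client, so the browser keeps presenting the old id until it expires; the same pattern is added in the fileinfo.php and include/inc_act/act_download.php hunks. PHP's documented logout sequence also expires the cookie with `setcookie(session_name(), '', time() - 42000, ...)` using the values from `session_get_cookie_params()` before `session_destroy()`, which is what actually ends the session from the client's point of view. The `@` hides the warning session_destroy() emits when no session is active, which is the one signal that would reveal this code running before `_initSession()`; a guard such as `if (session_status() === PHP_SESSION_ACTIVE) { session_destroy(); }` is the explicit form. Since the three call sites are identical, a small shared helper in include/inc_lib would keep them in step.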
@@ -11,51 +11,48 @@ // obligate check for phpwcms constants if (!defined('PHPWCMS_ROOT')) { - die("You Cannot Access This Script Directly, Have a Nice Day."); + die("You Cannot Access This Script Directly, Have a Nice Day."); } // Updating user list relative to login time or delay login // -------------------------------------------------------- -$sql = "UPDATE ".DB_PREPEND."phpwcms_userlog SET "; -$sql .= "logged_in=0, logged_change='".time()."' "; -$sql .= "WHERE logged_in=1 AND (".time()."-logged_change) > ".intval($phpwcms["max_time"]); +$sql = 'UPDATE ' . DB_PREPEND . 'phpwcms_userlog SET '; +$sql .= 'logged_in=0, logged_change=' . time() . ' WHERE '; +$sql .= 'logged_in=1 AND (' . time() . '-logged_change) > ' . intval($phpwcms['max_time']); _dbQuery($sql, 'UPDATE'); -if(!empty($_SESSION["wcs_user"])) { - - $sql = "SELECT COUNT(*) FROM ".DB_PREPEND."phpwcms_userlog "; - $sql .= "WHERE logged_user="._dbEscape($_SESSION["wcs_user"])." AND "; - $sql .= "logged_in=1"; - - if(!PHPWCMS_GDPR_MODE && !empty($phpwcms['Login_IPcheck'])) { - $sql .= " AND logged_ip="._dbEscape(getRemoteIP()); - } - - if(!($check = _dbQuery($sql, 'COUNT'))) { - - unset($_SESSION["wcs_user"]); - - } else { - - $sql = "UPDATE ".DB_PREPEND."phpwcms_userlog SET "; - $sql .= "logged_change=".time()." WHERE "; - $sql .= "logged_user="._dbEscape($_SESSION["wcs_user"])." AND logged_in=1"; - _dbQuery($sql, 'UPDATE'); - - } +if (!empty($_SESSION["wcs_user"])) { + + $sql = 'SELECT COUNT(*) FROM ' . DB_PREPEND . 'phpwcms_userlog '; + $sql .= 'WHERE logged_user=' . _dbEscape($_SESSION['wcs_user']) . ' AND '; + $sql .= 'logged_in=1'; + + if (!PHPWCMS_GDPR_MODE && !empty($phpwcms['Login_IPcheck'])) { + $sql .= " AND logged_ip=" . _dbEscape(getRemoteIP()); + } + + if (!($check = _dbQuery($sql, 'COUNT'))) { + $_SESSION['wcs_user'] = ''; + unset($_SESSION['wcs_user']); + } else { + $sql = 'UPDATE ' . DB_PREPEND . 'phpwcms_userlog SET '; + $sql .= 'logged_change=' . time() . 
' WHERE '; + $sql .= 'logged_user=' . _dbEscape($_SESSION['wcs_user']) . ' AND logged_in=1'; + _dbQuery($sql, 'UPDATE'); + } } -if(empty($_SESSION["wcs_user"])) { +if (empty($_SESSION["wcs_user"])) { - @session_destroy(); + $_SESSION = array(); + @session_destroy(); - if(!empty($_SERVER['QUERY_STRING'])) { - $ref_url = '?ref='.rawurlencode(PHPWCMS_URL.'phpwcms.php?'.xss_clean($_SERVER['QUERY_STRING'])); - } else { - $ref_url = ''; - } + if (!empty($_SERVER['QUERY_STRING'])) { + $ref_url = '?ref=' . rawurlencode(PHPWCMS_URL . 'phpwcms.php?' . xss_clean($_SERVER['QUERY_STRING'])); + } else { + $ref_url = ''; + } - headerRedirect(PHPWCMS_URL.get_login_file().$ref_url, 401); - -} + headerRedirect(PHPWCMS_URL . get_login_file() . $ref_url, 401); +} \ No newline at end of file diff --git a/include/inc_lib/default.inc.php b/include/inc_lib/default.inc.php index 0281fca4f..65c00c758 100755 --- a/include/inc_lib/default.inc.php +++ b/include/inc_lib/default.inc.php @@ -968,7 +968,7 @@ function _initSession() { session_start(); } if (empty($_SESSION['phpwcmsSessionInit']) && function_exists("session_regenerate_id")) { - session_regenerate_id(); + session_regenerate_id(true); $_SESSION['phpwcmsSessionInit'] = true; } @@ -1212,7 +1212,7 @@ function phpwcms_getUserAgent($USER_AGENT = '') { } } - return $GLOBALS['phpwcms'][$index] = array( + $GLOBALS['phpwcms'][$index] = array( 'agent' => $agent, 'version' => intval($ver), 'platform' => $platform, @@ -1222,7 +1222,12 @@ function phpwcms_getUserAgent($USER_AGENT = '') { 'engine' => $engine, 'pixelratio' => $pixelratio, 'webp' => $webp, + 'lang' => isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : $GLOBALS['phpwcms']["default_lang"] ); + + $GLOBALS['phpwcms'][$index]['hash'] = md5(implode('', $GLOBALS['phpwcms'][$index]) . getRemoteIP()); + + return $GLOBALS['phpwcms'][$index]; } /** 
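Review bot: The rewritten logout branch `if (empty($_SESSION["wcs_user"]))` in checklogin.inc.php does not check `$_SESSION['PHPWCMS_BROWSER_HASH']`, while the equivalent branch in include/inc_lib/general.inc.php checkLogin() in this same patch does, so any backend entry point that includes this file instead of calling checkLogin() keeps an unbound session. If both are meant to guard the same pages, the condition should match: `if (empty($_SESSION['wcs_user']) || empty($_SESSION['PHPWCMS_BROWSER_HASH']) || $_SESSION['PHPWCMS_BROWSER_HASH'] !== $phpwcms['USER_AGENT']['hash']) {` (assuming `$phpwcms['USER_AGENT']` is populated before this include runs, which this hunk does not show). Separately, `$_SESSION['wcs_user'] = '';` immediately followed by `unset($_SESSION['wcs_user']);` is redundant, and `$check` is assigned but never read. The hunk also removes the file's trailing newline, which is worth restoring.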
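Review bot: `session_regenerate_id(true)` in _initSession() only runs while `phpwcmsSessionInit` is unset, i.e. once per new session, so a session id fixed by an attacker before the victim authenticates is never rotated at the privilege change; the successful-login path in login.php is where a regeneration belongs. Passing `true` also deletes the old session data immediately, which can drop a concurrent request from the same browser that still carries the previous id (PHP's manual suggests marking the old session obsolete with a short grace period where this matters). If that trade-off is acceptable here, a one-line comment such as `// rotate the id once per new session; old data is discarded (true)` would record the decision.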
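Review bot: The fingerprint added at the end of phpwcms_getUserAgent() mixes `getRemoteIP()` into the md5 unconditionally, whereas the checklogin.inc.php and checkLoginCount() hunks in this patch deliberately skip the IP when PHPWCMS_GDPR_MODE is set and checkLogin() already uses `PHPWCMS_GDPR_MODE ? getAnonymizedIp() : getRemoteIP()`; if that constant is defined by the time this function runs, the same expression should feed the hash, otherwise the GDPR switch is bypassed by the session binding. The inputs are also volatile in ways that log users out rather than stop an attacker: `HTTP_ACCEPT_LANGUAGE` changes with a browser language switch and the IP changes on mobile networks or behind load balancers, while someone who has captured the cookie can usually replay the same headers, so the hash is a drift detector rather than a hard binding and deserves a comment saying so, e.g. `// weak browser binding: header + IP fingerprint; catches session drift, not cookie theft`. `implode('', ...)` will emit a notice and yield 'Array' if any fingerprint field is an array, and booleans collapse to '' or '1', so it is worth confirming every element is a scalar (only `version` is visibly an int via intval(); the others are not shown here). The `return` moved in the @@ -1212 hunk is only the mechanical consequence of adding the hash key.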
@@ -1286,7 +1291,7 @@ function checkLoginCount() { $check = 0; if (!empty($_SESSION["wcs_user"])) { $sql = "SELECT COUNT(*) FROM " . DB_PREPEND . "phpwcms_userlog WHERE logged_user=" . _dbEscape($_SESSION["wcs_user"]) . " AND logged_in=1"; - if (!empty($phpwcms['Login_IPcheck'])) { + if (!PHPWCMS_GDPR_MODE && !empty($phpwcms['Login_IPcheck'])) { $sql .= " AND logged_ip=" . _dbEscape(getRemoteIP()); } $check = _dbCount($sql); diff --git a/include/inc_lib/general.inc.php b/include/inc_lib/general.inc.php index 0fc384939..2f534f738 100755 --- a/include/inc_lib/general.inc.php +++ b/include/inc_lib/general.inc.php @@ -2014,14 +2014,15 @@ function checkLogin($mode = 'REDIRECT') { $sql .= "WHERE logged_in=1 AND (" . time() . "-logged_change) > " . intval($GLOBALS['phpwcms']["max_time"]); _dbQuery($sql, 'UPDATE'); checkLoginCount(); - if (empty($_SESSION["wcs_user"])) { + if (empty($_SESSION['wcs_user']) || empty($_SESSION['PHPWCMS_BROWSER_HASH']) || $_SESSION['PHPWCMS_BROWSER_HASH'] !== $GLOBALS['phpwcms']['USER_AGENT']['hash']) { + $_SESSION = array(); @session_destroy(); if (!empty($_SERVER['QUERY_STRING'])) { $ref_url = '?ref=' . rawurlencode(PHPWCMS_URL . 'phpwcms.php?' . xss_clean($_SERVER['QUERY_STRING'])); } else { $ref_url = ''; } - if ($mode == 'REDIRECT') { + if ($mode === 'REDIRECT') { // check again if user was logged in and this is a valid redirect request $sql = 'SELECT COUNT(*) FROM ' . DB_PREPEND . 'phpwcms_userlog WHERE '; $sql .= "logged_ip=" . _dbEscape(PHPWCMS_GDPR_MODE ? getAnonymizedIp() : getRemoteIP()) . " AND "; diff --git a/login.php b/login.php index 4e006aad3..3bfc4e8a4 100644 --- a/login.php +++ b/login.php @@ -243,6 +243,8 @@ } + $_SESSION['PHPWCMS_BROWSER_HASH'] = $phpwcms['USER_AGENT']['hash']; + headerRedirect($backend_redirect . get_token_get_string() . '&' . session_name().'='.session_id()); } else {
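Review bot: The enlarged condition in checkLogin() treats a hash mismatch exactly like a missing login, so an operator cannot distinguish an expired session from a valid session presented by a different client, which is the one event this change makes observable; before the `$_SESSION = array();` line, a branch such as `if (!empty($_SESSION['wcs_user'])) { /* logged-in user with a different browser hash: record it via the project's existing logging */ }` would make the mismatch detectable. The check also relies on `$GLOBALS['phpwcms']['USER_AGENT']['hash']` being set; if phpwcms_getUserAgent() has not run yet on this request the comparison is against null and every user is logged out, so either a `!empty(...)` guard or a comment stating that precondition is warranted. Sessions created before this patch carry no `PHPWCMS_BROWSER_HASH` and are therefore all invalidated on upgrade, which is probably intended but should be mentioned in the changelog. checkLogin()'s body continues outside the hunk.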
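Review bot: The new `$_SESSION['PHPWCMS_BROWSER_HASH'] = $phpwcms['USER_AGENT']['hash'];` line in login.php runs at the moment of successful login without rotating the session id, so a session fixed by an attacker before login keeps its id and now also carries a valid browser hash; calling `session_regenerate_id(true);` immediately before this assignment gives the authenticated session a fresh id. This matters more here because the pre-existing redirect on the next line appends `session_name().'='.session_id()` to the URL, where the id can leak through Referer headers and server logs. The enclosing `if`/`else` starts and ends outside the hunk.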