From d43a9a4c9c604ce6df0c5f16ef5c272416969846 Mon Sep 17 00:00:00 2001
From: joebordes
Date: Fri, 24 Jun 2022 00:55:39 +0200
Subject: [PATCH] sec(SessionMgmt) regenerate sessionIDs on privilege escalation

---
 include/Webservices/OperationManager.php | 2 ++
 modules/Mobile/api/ws/Controller.php | 2 ++
 modules/Mobile/api/ws/Login.php | 2 ++
 modules/Users/Authenticate.php | 3 +++
 webservice.php | 19 ++++++++++++++-----
 5 files changed, 23 insertions(+), 5 deletions(-)

diff --git a/include/Webservices/OperationManager.php b/include/Webservices/OperationManager.php
index 20b48108ea..e7c976c768 100644
--- a/include/Webservices/OperationManager.php
+++ b/include/Webservices/OperationManager.php
@@ -142,6 +142,8 @@ public function runOperation($params, $user) {
 return $userDetails;
 } else {
 coreBOS_Session::set('authenticated_user_id', $userDetails->id);
+ coreBOS_Session::saveUserID($userDetails->id, coreBOS_Session::id(), 'cbws');
+ coreBOS_Session::deleteUserID($userDetails->id, coreBOS_Session::id(), 'cbws');
 cbEventHandler::do_action('corebos.login', array($userDetails, null, 'webservice'));
 global $adb;
 $webserviceObject = VtigerWebserviceObject::fromName($adb, 'Users');
diff --git a/modules/Mobile/api/ws/Controller.php b/modules/Mobile/api/ws/Controller.php
index f818c17bcc..9efb2d87d2 100644
--- a/modules/Mobile/api/ws/Controller.php
+++ b/modules/Mobile/api/ws/Controller.php
@@ -24,6 +24,8 @@ public function initActiveUser($user) {
 protected function setActiveUser($user) {
 coreBOS_Session::set('_authenticated_user_id', $user->id);
+ coreBOS_Session::saveUserID($user->id, session_id(), 'cbmb');
+ coreBOS_Session::deleteUserID($user->id, session_id(), 'cbmb');
 $this->initActiveUser($user);
 }
diff --git a/modules/Mobile/api/ws/Login.php b/modules/Mobile/api/ws/Login.php
index 7c44ca0fab..b4469070ca 100644
--- a/modules/Mobile/api/ws/Login.php
+++ b/modules/Mobile/api/ws/Login.php
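Review bot: The two added lines call `saveUserID` and then `deleteUserID` with identical arguments back to back, so a reader of this hunk cannot tell whether the record just written survives; if, as the commit title suggests, `deleteUserID` is meant to drop this user's other sessions while keeping the one just registered, that should be stated on the spot, e.g. `// register this session for the user, then drop the user's other sessions (the current one is kept)`, and if it instead removes the record for the given session the save is a no-op. The same pair is added in Controller.php, Login.php and the second Authenticate.php hunk; this hunk obtains the id via `coreBOS_Session::id()` while the other three use `session_id()`, and the Authenticate.php calls omit the application tag the others pass, so one accessor and an explicit tag everywhere would make the bookkeeping consistent. Unlike Authenticate.php, this login path binds `authenticated_user_id` to the session without a preceding `coreBOS_Session::regenerate()`; if the session id in effect here can be supplied by the client before login, renewing it at this point would match what the commit does for the UI login. runOperation continues outside the hunk.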
@@ -53,6 +53,8 @@ public function process(crmtogo_API_Request $request) {
 coreBOS_Session::set('language', $current_user->column_fields['language']);
 coreBOS_Session::set('user_tz', $current_user->column_fields['time_zone']);
 coreBOS_Session::save();
+ coreBOS_Session::saveUserID($current_user->id, session_id(), 'cbmb');
+ coreBOS_Session::deleteUserID($current_user->id, session_id(), 'cbmb');
 $result = array();
 $result['login'] = array(
 'userid' => $current_user->id,
diff --git a/modules/Users/Authenticate.php b/modules/Users/Authenticate.php
index 4aa7c3d387..b872825194 100644
--- a/modules/Users/Authenticate.php
+++ b/modules/Users/Authenticate.php
@@ -42,6 +42,7 @@
 die();
 }
 if ($focus->is_authenticated() && $focus->is_twofaauthenticated()) {
+ coreBOS_Session::regenerate();
 //Inserting entries for audit trail during login
 if (coreBOS_Settings::getSetting('audit_trail', false)) {
 $date_var = $adb->formatDate(date('Y-m-d H:i:s'), true);
@@ -89,6 +90,8 @@
 coreBOS_Session::set('vtiger_authenticated_user_theme', $authenticated_user_theme);
 coreBOS_Session::set('authenticated_user_language', $authenticated_user_language);
 coreBOS_Session::save();
+ coreBOS_Session::saveUserID($focus->id, session_id());
+ coreBOS_Session::deleteUserID($focus->id, session_id());
 cbEventHandler::do_action('corebos.login', array($focus));
 $log->debug("authenticated_user_language and ID: $authenticated_user_language $focus->id");
diff --git a/webservice.php b/webservice.php
index 47b919952a..a07316b559 100644
--- a/webservice.php
+++ b/webservice.php
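Review bot: `coreBOS_Session::regenerate()` in the first Authenticate.php hunk is the only place in this commit where the session id is actually renewed, and the line carries no explanation of why it sits exactly here; a comment such as `// fresh session id once both factors passed: the id used before login must not survive the privilege change` would keep a later maintainer from moving it below the `coreBOS_Session::set(...)` calls in the second hunk, where the old id would already hold authenticated data. The branch whose `die();` and closing brace open the hunk appears to handle the intermediate state in which the first factor is accepted and the second is pending, and that state keeps the pre-login id; if it records anything in the session, regenerating there as well would be consistent, but that code is outside the hunk. The enclosing `if` block starts in this hunk and ends outside both hunks.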
@@ -123,23 +123,32 @@ function getRequestParamsArrayForOperation($operation) {
 return;
 }
 } else {
- $sessionId = coreBOS_Session::init(false, false, $sessionId, 'cbws');
+ $sessionExists = coreBOS_Session::sessionExists($sessionId, 'cbws,');
+ if ($sessionExists) {
+ $sessionId = coreBOS_Session::init(false, false, $sessionId, 'cbws');
+ } else {
+ $sessionId = false;
+ }
 }
 if (!$sessionId && !$operationManager->isPreLoginOperation()) {
 writeErrorOutput($operationManager, new WebServiceException(WebServiceErrorCode::$AUTHREQUIRED, 'Authentication required'));
 return;
 }
- $userid = coreBOS_Session::get('authenticated_user_id');
- if (!$sessionId || (!$userid && !$operationManager->isPreLoginOperation())) {
+ if (!$sessionId && !$operationManager->isPreLoginOperation()) {
 writeErrorOutput($operationManager, 'Incorrect session');
 return;
 }
+ $userid = coreBOS_Session::get('authenticated_user_id');
+ if (!$userid && !$operationManager->isPreLoginOperation()) {
+ writeErrorOutput($operationManager, new WebServiceException(WebServiceErrorCode::$AUTHREQUIRED, 'Authentication required'));
+ return;
+ }
 $now = time();
- coreBOS_Session::setExpire($now + GlobalVariable::getVariable('WebService_Session_Life_Span', 86400));
- coreBOS_Session::setIdle($now + GlobalVariable::getVariable('WebService_Session_Idle_Time', 1800), true);
 if (!empty($userid)) {
+ coreBOS_Session::setExpire($now + GlobalVariable::getVariable('WebService_Session_Life_Span', 86400));
+ coreBOS_Session::setIdle($now + GlobalVariable::getVariable('WebService_Session_Idle_Time', 1800), true);
 $seed_user = new Users();
 $current_user = $seed_user->retrieveCurrentUserInfoFromFile($userid);
 if (!empty($current_user->language)) {
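Review bot: `coreBOS_Session::sessionExists($sessionId, 'cbws,')` passes the application tag with a trailing comma while the `init(...)` call two lines below passes `'cbws'`; unless sessionExists accepts a comma-separated list, the lookup never matches, `$sessionId` becomes false and every authenticated call is rejected with AUTHREQUIRED, so the line should read `$sessionExists = coreBOS_Session::sessionExists($sessionId, 'cbws');`. The rewritten `'Incorrect session'` check now has exactly the same condition as the AUTHREQUIRED check that precedes it (`!$sessionId && !$operationManager->isPreLoginOperation()`), so its body is unreachable and the three lines can be dropped or folded into the first check. Moving `setExpire`/`setIdle` under `if (!empty($userid))` means a session used by a pre-login operation no longer receives an expiry or idle limit at this point; if that is intended, a comment saying where unauthenticated sessions get their lifetime would help, otherwise it should be confirmed. The `@@` context names getRequestParamsArrayForOperation, but the hunk lies in the script's main flow and its enclosing block starts and ends outside the hunk.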