Index: branches/2.8.x/CHANGELOG
===================================================================
--- branches/2.8.x/CHANGELOG	(revision 1832)
+++ branches/2.8.x/CHANGELOG	(revision 1833)
@@ -13,6 +13,8 @@
 
 
 
+10 Dez-2012 Build 1833 Dietmar Woellbrink (Luisehahne)
+# security fix CRLF injection/HTTP response splitting
 09 Dez-2012 Build 1832 Dietmar Woellbrink (Luisehahne)
 # security Application error message fix in search/search.php
 05 Dez-2012 Build 1831 Dietmar Woellbrink (Luisehahne)
Index: branches/2.8.x/wb/admin/skel/themes/htt/login.htt
===================================================================
--- branches/2.8.x/wb/admin/skel/themes/htt/login.htt	(revision 1832)
+++ branches/2.8.x/wb/admin/skel/themes/htt/login.htt	(revision 1833)
@@ -40,10 +40,7 @@
 <!-- BEGIN show_smart_login_block -->
 <tr>
 	<td>&nbsp;</td>
-	<td colspan="2">
-		<input type="checkbox" name="remember" id="remember" value="true"/>
-		<label for="remember">{TEXT_REMEMBER_ME}</label>
-	</td>
+	<td>&nbsp;</td>
 </tr>
 <!-- END show_smart_login_block -->
 <tr class="submit">
@@ -54,7 +51,7 @@
 	<p><input type="reset" name="reset" value="{TEXT_RESET}" /></p>
 	</td>
 	<td>
-	<p><button type="button" value="cancel" onclick="javascript:window.location='{WB_URL}/';" >{TEXT_CANCEL}</button></p>
+	<p><button type="button" value="cancel" onclick="javascript:window.location='{REDIRECT_URL}/';" >{TEXT_CANCEL}</button></p>
 	</td>
 </tr>
 <tr class="row6">
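Review bot: `{REDIRECT_URL}` on the new cancel button is substituted into a JavaScript string literal that itself sits inside an `onclick` HTML attribute, and in class.login.php the redirect value is only host-checked, not character-escaped, so a `'`, `"` or `<` in its path or query part terminates the string or the attribute. The value assigned to this placeholder should be escaped for a JS string and then HTML-attribute-encoded before it reaches the template (plain placeholder substitution cannot do per-context escaping), or the button should read the server-validated URL from a separate attribute rather than inline script. The same construct is added in wb/account/htt/login.htt (`{REDIRECT_URL}`, line 176) and wb/account/htt/forgot.htt (`{URL}`, line 189, fed from ADMIN_URL / default_url so lower risk). The trailing `/` appended after the placeholder also turns a redirect to a specific page into a directory-style path that may not exist.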
Index: branches/2.8.x/wb/admin/interface/version.php
===================================================================
--- branches/2.8.x/wb/admin/interface/version.php	(revision 1832)
+++ branches/2.8.x/wb/admin/interface/version.php	(revision 1833)
@@ -51,5 +51,5 @@
 
 // check if defined to avoid errors during installation (redirect to admin panel fails if PHP error/warnings are enabled)
 if(!defined('VERSION')) define('VERSION', '2.8.3');
-if(!defined('REVISION')) define('REVISION', '1832');
+if(!defined('REVISION')) define('REVISION', '1833');
 if(!defined('SP')) define('SP', '');
Index: branches/2.8.x/wb/admin/login/forgot/index.php
===================================================================
--- branches/2.8.x/wb/admin/login/forgot/index.php	(revision 1832)
+++ branches/2.8.x/wb/admin/login/forgot/index.php	(revision 1833)
@@ -16,8 +16,10 @@
 */
 
 // Include the configuration file
-if(!defined('WB_URL') && file_exists(realpath('../../../config.php'))) {
-	require('../../../config.php');
+$config_file = realpath('../../../config.php');
+if(file_exists($config_file) && !defined('WB_URL'))
+{
+	require_once($config_file);
 }
 // Include the language file
 require(WB_PATH.'/languages/'.DEFAULT_LANGUAGE.'.php');
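Review bot: The rewritten include still resolves `../../../config.php` against the process working directory rather than the script's location, so it only works when PHP's CWD is this file's directory; wb/account/forgot_form.php in this same commit uses `dirname(__FILE__)` for the equivalent include and this file should match it: `$config_file = realpath(dirname(__FILE__).'/../../../config.php');`. Note that `realpath()` returns `false` for a missing file, which `file_exists(false)` silently treats as absent, so when the config is not found the `WB_PATH` on the following line is used undefined; an explicit failure message there would make misconfiguration visible.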
@@ -34,8 +36,9 @@
 $website_title = $results['value'];
 
 // Check if the user has already submitted the form, otherwise show it
-if(isset($_POST['email']) AND $_POST['email'] != "") {
 
+if(isset($_POST['email']) && is_string($_POST['email']) && $_POST['email'] != "") {
+
 	$email = htmlspecialchars($_POST['email'],ENT_QUOTES);
 
 	// Check if the email exists in the database
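Review bot: The `is_string()` guard is right, but `htmlspecialchars()` is still applied at input time, so `$email` carries `&amp;`/`&#039;` sequences into whatever the "email exists" lookup below the hunk does with it; if that lookup queries with `$email`, addresses containing those characters never match, and if it queries with raw `$_POST['email']` the validated and the queried values diverge. The ordering wb/account/forgot_form.php uses in this same commit is the safer one: validate with `validate_email()`, escape for SQL with `add_slashes()` at the query, and encode with `htmlspecialchars()` only where the value is echoed. With `is_string()` established, the comparison can be strict: `$_POST['email'] !== ''`. The `if` opened here continues beyond the hunk.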
@@ -159,6 +162,7 @@
 				'LOGIN_DISPLAY_HIDDEN' => !$admin->is_authenticated() ? 'hidden' : '',
 				'LOGIN_DISPLAY_NONE' => !$admin->is_authenticated() ? 'none' : '',
 				'URL_HELP' => 'http://www.websitebaker.org/',
+				'URL' => ADMIN_URL."/start/index.php",
 				'TEXT_NEED_TO_LOGIN' => $TEXT['NEED_TO_LOGIN']
 				)
 		);
Index: branches/2.8.x/wb/account/login_form.php
===================================================================
--- branches/2.8.x/wb/account/login_form.php	(revision 1832)
+++ branches/2.8.x/wb/account/login_form.php	(revision 1833)
@@ -24,8 +24,8 @@
 /* -------------------------------------------------------- */
 
 	// Generate username field name
-$username_fieldname = 'username';
-$password_fieldname = 'password';
+$username_fieldname = 'username_';
+$password_fieldname = 'password_';
 $output = '';
 msgQueue::clear();
 
@@ -37,10 +37,13 @@
 		$username_fieldname .= $temp[$i];
 		$password_fieldname .= $temp[$i];
 	}
+} else {
+	$username_fieldname = 'username';
+	$password_fieldname = 'password';
 }
 
 $thisApp->redirect_url = (isset($thisApp->redirect_url) && ($thisApp->redirect_url!='')  ? $thisApp->redirect_url : $_SESSION['HTTP_REFERER'] );
-
+//$thisApp->redirect_url = '';
 $sIncludeHeadLinkCss = '';
 if( is_readable(WB_PATH .'/account/frontend.css')) {
 	$sIncludeHeadLinkCss .= '<link href="'.WB_URL.'/account/frontend.css"';
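Review bot: The commented-out `//$thisApp->redirect_url = '';` is dead code and should be dropped rather than committed. The fallback reads `$_SESSION['HTTP_REFERER']` without `isset()`, which raises a notice on a first visit with no session value; `(isset($_SESSION['HTTP_REFERER']) ? $_SESSION['HTTP_REFERER'] : '')` keeps the same semantics. If, as the name suggests, that session value is seeded from the client's Referer header, it is client-influenced and the only control on it is the host check in class.login.php, which is worth stating in a comment here so the dependency is not lost. The `else` on line 105 closes an `if` that starts before the hunk.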
@@ -65,7 +68,7 @@
 		'WB_URL' => WB_URL,
 		'THEME_URL' => THEME_URL,
 		'TEMPLATE_URL' => TEMPLATE_DIR,
-		'HTTP_REFERER' => $_SESSION['HTTP_REFERER'],
+		'HTTP_REFERER' => $thisApp->redirect_url,
         'CSS_BLOCK'	=> $sIncludeHeadLinkCss,
 		'MESSAGE_VALUE' => '',
 		'ERROR_VALUE' => '',
Index: branches/2.8.x/wb/account/login.php
===================================================================
--- branches/2.8.x/wb/account/login.php	(revision 1832)
+++ branches/2.8.x/wb/account/login.php	(revision 1833)
@@ -70,7 +70,7 @@
 $loginUrl  = WB_URL.'/account/login.php';
 $loginUrl .= (!empty($redirect) ? '?redirect=' .$_SESSION['HTTP_REFERER'] : '');
 
-$ThemeUrl  = WB_URL.$wb->correct_theme_source('warning.html');
+$WarningUrl  = str_replace(WB_PATH,WB_URL,$wb->correct_theme_source('warning.html'));
 // Setup template object, parse vars to it, then parse it
 $ThemePath = realpath(WB_PATH.$wb->correct_theme_source('loginBox.htt'));
 
@@ -77,7 +77,7 @@
 $thisApp = new Login(
 				array(
 						"MAX_ATTEMPS" => "3",
-						"WARNING_URL" => $ThemeUrl."/warning.html",
+						"WARNING_URL" => $WarningUrl,
 						"USERNAME_FIELDNAME" => 'username',
 						"PASSWORD_FIELDNAME" => 'password',
 						"REMEMBER_ME_OPTION" => SMART_LOGIN,
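Review bot: The new `$WarningUrl` (line 134) and the unchanged `$ThemePath` two lines below it make contradictory assumptions about `correct_theme_source()`: one replaces `WB_PATH` inside its return value, the other prepends `WB_PATH` to it. If the helper returns a path relative to WB_PATH (which the old `WB_URL.$wb->correct_theme_source(...)` also assumed), the `str_replace()` is a no-op and `WARNING_URL` on line 143 becomes a bare relative fragment; if it returns an absolute path, `$ThemePath` is doubled. Confirm the helper's contract and use the same form in both places, e.g. `$WarningUrl = WB_URL.$wb->correct_theme_source('warning.html');` if it is relative. The old code also appended `"/warning.html"` to the result, so whether the helper now returns the file itself or its directory should be checked as well.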
Index: branches/2.8.x/wb/account/htt/login.htt
===================================================================
--- branches/2.8.x/wb/account/htt/login.htt	(revision 1832)
+++ branches/2.8.x/wb/account/htt/login.htt	(revision 1833)
@@ -11,6 +11,7 @@
 	<input type="hidden" name="action" value="login" />
 	<input type="hidden" name="username_fieldname" value="{USER_FIELDNAME}" />
 	<input type="hidden" name="password_fieldname" value="{PASSWORD_FIELDNAME}" />
+	<input class="none" type="hidden" name="remember" id="remember" value="true" />
 	<input type="hidden" name="redirect" value="{REDIRECT_URL}" />
 <h3>{TEXT_LOGIN}</h3>
 <table>
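Review bot: The new hidden `remember=true` field makes the "remember me" choice unconditional: class.login.php treats any POST `remember == 'true'` as opting in, so every login is issued the persistent-login state without the user asking for it, unless the `REMEMBER_ME_OPTION`/SMART_LOGIN setting disables it server-side (not visible here). The checkbox removed in the next hunk was the user's consent; if the feature is to stay, keep it as a checkbox inside the smart-login block, and if it is to go, drop the field instead of forcing it. The admin template in wb/admin/skel/themes/htt/login.htt (lines 22–26) removes the same checkbox with no replacement field visible in this diff, so the two templates now behave differently.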
@@ -43,10 +44,7 @@
 <!-- BEGIN show_smart_login_block -->
 <tr>
 	<td>&nbsp;</td>
-	<td class="input">
-		<input type="checkbox" name="remember" id="remember" value="true"/>
-		<label for="remember">{TEXT_REMEMBER_ME}</label>
-	</td>
+	<td>&nbsp;</td>
 </tr>
 <!-- END show_smart_login_block -->
 <tr>
@@ -56,7 +54,7 @@
 	<td colspan="2" class="button">
 	<button type="submit" name="submit" value="submit">{TEXT_LOGIN}</button>
 	<button type="reset" name="reset" value="reset">{TEXT_RESET}</button>
-    <button type="button" value="cancel" onclick="javascript:window.location='{WB_URL}/';" >{TEXT_CANCEL}</button>
+    <button type="button" value="cancel" onclick="javascript:window.location='{REDIRECT_URL}/';" >{TEXT_CANCEL}</button>
 	</td>
 </tr>
 <tr>
Index: branches/2.8.x/wb/account/htt/forgot.htt
===================================================================
--- branches/2.8.x/wb/account/htt/forgot.htt	(revision 1832)
+++ branches/2.8.x/wb/account/htt/forgot.htt	(revision 1833)
@@ -37,7 +37,7 @@
 	<td colspan="2" class="button">
 		<button type="submit" name="submit" value="email">{TEXT_SEND_DETAILS}</button>
 		<button type="reset" name="reset" value="reset">{TEXT_RESET}</button>
-        <button type="button" value="cancel" onclick="javascript:window.location='{WB_URL}/';" >{TEXT_CANCEL}</button>
+        <button type="button" value="cancel" onclick="javascript:window.location='{URL}/';" >{TEXT_CANCEL}</button>
 	</td>
 </tr>
 <tr>
Index: branches/2.8.x/wb/account/forgot_form.php
===================================================================
--- branches/2.8.x/wb/account/forgot_form.php	(revision 1832)
+++ branches/2.8.x/wb/account/forgot_form.php	(revision 1833)
@@ -17,10 +17,9 @@
 
 /* -------------------------------------------------------- */
 // Must include code to stop this file being accessed directly
-if(defined('WB_PATH') == false)
-{
-	// Stop this file being access directly
-		die('<h2 style="color:red;margin:3em auto;text-align:center;">Cannot access this file directly</h2>');
+if(!defined('WB_PATH')) {
+	require_once(dirname(dirname(__FILE__)).'/framework/globalExceptionHandler.php');
+	throw new IllegalFileException();
 }
 /* -------------------------------------------------------- */
 // Check if the user has already submitted the form, otherwise show it
@@ -30,78 +29,85 @@
 $redirect_url = (isset($redirect_url) && ($redirect_url!='')  ? $redirect_url : $_SESSION['HTTP_REFERER'] );
 $redirect = (isset($redirect_url) && ($redirect_url!='')  ? '?redirect='.$redirect_url : '' );
 
-//print '<pre style="text-align: left;"><strong>function '.__FUNCTION__.'( '.''.' );</strong>  basename: '.basename(__FILE__).'  line: '.__LINE__.' -> <br />';
-//print_r( $redirect_url ); print '</pre>';
+if(isset($_POST['email']) && is_string($_POST['email']) )
+{
 
-if(isset($_POST['email']) && $_POST['email'] != "" )
-{
-	$email = strip_tags($_POST['email']);
-	if($admin->validate_email($email) == false)
+    if($_POST['email'] != "" )
     {
-		$errMsg = $MESSAGE['USERS_INVALID_EMAIL'];
-		$email = '';
-	} else {
-// Check if the email exists in the database
-	$sql  = 'SELECT `user_id`,`username`,`display_name`,`email`,`last_reset`,`password` '.
-	        'FROM `'.TABLE_PREFIX.'users` '.
-	        'WHERE `email`=\''.$wb->add_slashes($_POST['email']).'\'';
-	if(($results = $database->query($sql)))
-	{
-		if(($results_array = $results->fetchRow()))
-		{ // Get the id, username, email, and last_reset from the above db query
-		// Check if the password has been reset in the last 2 hours
-			if( (time() - (int)$results_array['last_reset']) < (2 * 3600) ) {
-			// Tell the user that their password cannot be reset more than once per hour
-				$errMsg = $MESSAGE['FORGOT_PASS_ALREADY_RESET'];
-			} else {
-				require_once(WB_PATH.'/framework/PasswordHash.php');
-				$pwh = new PasswordHash(0, true);
-				$old_pass = $results_array['password'];
-			// Generate a random password then update the database with it
-				$new_pass = $pwh->NewPassword();
-				$sql = 'UPDATE `'.TABLE_PREFIX.'users` '.
-				       'SET `password`=\''.$pwh->HashPassword($new_pass, true).'\', '.
-				           '`last_reset`='.time().' '.
-				       'WHERE `user_id`='.(int)$results_array['user_id'];
-				unset($pwh); // destroy $pwh-Object
-				if($database->query($sql))
-				{ // Setup email to send
-					$mail_to = $email;
-					$mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
-				// Replace placeholders from language variable with values
-					$search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
-					$replace = array($results_array['display_name'], WEBSITE_TITLE, $results_array['username'], $new_pass);
-					$mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT']);
-				// Try sending the email
-					if($wb->mail(SERVER_EMAIL,$mail_to,$mail_subject,$mail_message)) {
-						$message = $MESSAGE['FORGOT_PASS_PASSWORD_RESET'];
-						$display_form = false;
-					}else { // snd mail failed, rollback
-						$sql = 'UPDATE `'.TABLE_PREFIX.'users` '.
-						       'SET `password`=\''.$old_pass.'\' '.
-						       'WHERE `user_id`='.(int)$results_array['user_id'];
-						$database->query($sql);
-						$errMsg = $MESSAGE['FORGOT_PASS_CANNOT_EMAIL'];
-					}
-				}else { // Error updating database
-					$errMsg = $MESSAGE['RECORD_MODIFIED_FAILED'];
-					if(DEBUG) {
-						$message .= '<br />'.$database->get_error();
-						$message .= '<br />'.$sql;
-					}
-				}
-			}
-		}else { // no record found - Email doesn't exist, so tell the user
-			$errMsg = $MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND'];
-		}
-	} else { // Query failed
-		$errMsg = 'SystemError:: Database query failed!';
-		if(DEBUG) {
-			$errMsg .= '<br />'.$database->get_error();
-			$errMsg .= '<br />'.$sql;
-		}
-	}
-	}
+    
+    	$email = strip_tags($_POST['email']);
+    	if($wb->validate_email($email) == false)
+        {
+    		$errMsg = $MESSAGE['USERS_INVALID_EMAIL'];
+    		$email = '';
+    	} else {
+        // Check if the email exists in the database
+        	$sql  = 'SELECT `user_id`,`username`,`display_name`,`email`,`last_reset`,`password` '.
+        	        'FROM `'.TABLE_PREFIX.'users` '.
+        	        'WHERE `email`=\''.$wb->add_slashes($email).'\'';
+
+        	if(($results = $database->query($sql)))
+        	{
+        		if(($results_array = $results->fetchRow(MYSQL_ASSOC)))
+        		{ // Get the id, username, email, and last_reset from the above db query
+        		// Check if the password has been reset in the last 2 hours
+        			if( (time() - (int)$results_array['last_reset']) < (2 * 3600) ) {
+        			// Tell the user that their password cannot be reset more than once per hour
+        				$errMsg = $MESSAGE['FORGOT_PASS_ALREADY_RESET'];
+        			} else {
+        				require_once(WB_PATH.'/framework/PasswordHash.php');
+        				$pwh = new PasswordHash(0, true);
+        				$old_pass = $results_array['password'];
+        			// Generate a random password then update the database with it
+        				$new_pass = $pwh->NewPassword();
+        				$sql = 'UPDATE `'.TABLE_PREFIX.'users` '.
+        				       'SET `password`=\''.$pwh->HashPassword($new_pass, true).'\', '.
+        				           '`last_reset`='.time().' '.
+        				       'WHERE `user_id`='.(int)$results_array['user_id'];
+        				unset($pwh); // destroy $pwh-Object
+        				if($database->query($sql))
+        				{ // Setup email to send
+        					$mail_to = $email;
+        					$mail_subject = $MESSAGE['SIGNUP2_SUBJECT_LOGIN_INFO'];
+        				// Replace placeholders from language variable with values
+        					$search = array('{LOGIN_DISPLAY_NAME}', '{LOGIN_WEBSITE_TITLE}', '{LOGIN_NAME}', '{LOGIN_PASSWORD}');
+        					$replace = array($results_array['display_name'], WEBSITE_TITLE, $results_array['username'], $new_pass);
+        					$mail_message = str_replace($search, $replace, $MESSAGE['SIGNUP2_BODY_LOGIN_FORGOT']);
+        				// Try sending the email
+        					if($wb->mail(SERVER_EMAIL,$mail_to,$mail_subject,$mail_message)) {
+        						$message = $MESSAGE['FORGOT_PASS_PASSWORD_RESET'];
+        						$display_form = false;
+        					}else { // snd mail failed, rollback
+        						$sql = 'UPDATE `'.TABLE_PREFIX.'users` '.
+        						       'SET `password`=\''.$old_pass.'\' '.
+        						       'WHERE `user_id`='.(int)$results_array['user_id'];
+        						$database->query($sql);
+        						$errMsg = $MESSAGE['FORGOT_PASS_CANNOT_EMAIL'];
+        					}
+        				}else { // Error updating database
+        					$errMsg = $MESSAGE['RECORD_MODIFIED_FAILED'];
+        					if(DEBUG) {
+        						$message .= '<br />'.$database->get_error();
+        						$message .= '<br />'.$sql;
+        					}
+        				}
+        			}
+        		}else { // no record found - Email doesn't exist, so tell the user
+        			$errMsg = $MESSAGE['FORGOT_PASS_EMAIL_NOT_FOUND'];
+        		}
+        	} else { // Query failed
+        		$errMsg = 'SystemError:: Database query failed!';
+//            	$errMsg = $MESSAGE['USERS_INVALID_EMAIL'];
+        		if(DEBUG) {
+        			$errMsg .= '<br />'.$database->get_error();
+        			$errMsg .= '<br />'.$sql;
+        		}
+        	}
+    	}
+    }  else {
+    	$email = '';
+    }
+    
 } else {
 	$email = '';
 }
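Review bot: The mail-failure rollback (lines 334–337) restores `password` but not `last_reset`, which the UPDATE above it set to `time()`, so after a failed send the user is locked out of another reset for two hours (and the comment on line 308 says "once per hour" while the code checks `2 * 3600`); add `'`last_reset`='.(int)$results_array['last_reset'].', '` to the rollback SET clause. In the "Error updating database" branch the debug detail is appended to `$message` (possibly undefined at that point) instead of `$errMsg` as the query-failed branch does, and the `$sql` echoed there contains the freshly generated password hash, so it should not be sent to the browser even under DEBUG. The commented-out `$errMsg` assignment inside the query-failed branch should be removed. Separately, the distinct `FORGOT_PASS_EMAIL_NOT_FOUND` response tells a visitor which addresses have accounts; a single "if the address exists, mail has been sent" message avoids that disclosure.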
Index: branches/2.8.x/wb/framework/class.login.php
===================================================================
--- branches/2.8.x/wb/framework/class.login.php	(revision 1832)
+++ branches/2.8.x/wb/framework/class.login.php	(revision 1833)
@@ -46,9 +46,17 @@
 			$username_fieldname = 'username';
 			$password_fieldname = 'password';
 		}
-		$this->username = htmlspecialchars (strtolower($this->get_post($username_fieldname)), ENT_QUOTES);
 
+        if( is_array($this->get_post($username_fieldname) ) ) {
+            $_POST[$username_fieldname]=implode(',',$this->get_post($username_fieldname));            
+        }
+		$this->username = htmlspecialchars (strtolower( $this->get_post($username_fieldname) ), ENT_QUOTES);
+
+        if( is_array($this->get_post($password_fieldname) ) ) {
+            $_POST[$password_fieldname]=implode(',',$this->get_post($password_fieldname));            
+        }
 		$this->password = $this->get_post($password_fieldname);
+
 		// Figure out if the "remember me" option has been checked
 		if($this->get_post('remember') == 'true') {
 			$this->remember = $this->get_post('remember');
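Review bot: An array-valued username or password field is now joined with `implode(',')` and processed as a normal string, so non-string input is accepted in a transformed form rather than rejected, and the check writes back into `$_POST`. Treating such input as empty is simpler and avoids mutating the superglobal: `$username = $this->get_post($username_fieldname); if (!is_string($username)) { $username = ''; }` and the same for the password. The two blocks are identical apart from the field name, so a tiny private helper would keep them in step. The enclosing method starts before this hunk.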
@@ -60,18 +68,27 @@
 			$this->username_len = strlen($this->username);
 			$this->password_len = strlen($this->password);
 		}
+
+        $sServerUrl = $_SERVER['SERVER_NAME'];        
+        $sServerScheme = $_SERVER['REQUEST_SCHEME'];        
+        $sServerPath = $_SERVER['SCRIPT_NAME'];        
 		// If the url is blank, set it to the default url
 		$this->url = $this->get_post('url');
+        $aUrl = parse_url( $this->url );
+        $this->url = isset($aRedirecthUrl['host']) &&($sServerUrl==$aUrl['host']) ? $this->url:ADMIN_URL.'/start/index.php';        
 		if ($this->redirect_url!='') {
+            $aRedirecthUrl = parse_url( $this->redirect_url );
+            $this->redirect_url = isset($aRedirecthUrl['host']) &&($sServerUrl==$aRedirecthUrl['host']) ? $this->redirect_url:$sServerScheme.'://'.$sServerUrl;        
 			$this->url = $this->redirect_url;
 		}
 		if(strlen($this->url) < 2) {
-			$this->url = $config_array['DEFAULT_URL'];
+            $aDefaultUrl = parse_url( $this->default_url );
+            $this->default_url = isset($aDefaultUrl['host']) &&($sServerUrl==$aDefaultUrl['host']) ? $this->default_url:$sServerScheme.'://'.$sServerUrl;        
+			$this->url = $this->default_url;
 		}
+
 		if($this->is_authenticated() == true) {
 			// User already logged-in, so redirect to default url
-//				header("Location: ".$this->url);
-//				exit(0);
 				$this->send_header($this->url);
 		} elseif($this->is_remembered() == true) {
 			// User has been "remembered"
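Review bot: Line 401 tests `isset($aRedirecthUrl['host'])`, but `$aRedirecthUrl` is only assigned on line 403, so unless it is set earlier in the method (not visible here) the condition is always false and the posted `url` is unconditionally replaced by `ADMIN_URL.'/start/index.php'`; it should read `isset($aUrl['host']) && ($sServerUrl == $aUrl['host'])`. `$_SERVER['REQUEST_SCHEME']` is not populated by every SAPI or Apache version, which produces a notice and a `://host` fallback URL; `$sServerScheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';` is portable. The host comparison is exact against `SERVER_NAME`, so a host with a port or different letter case is rejected — probably intended for this fix, but a one-line comment saying so would stop the next maintainer from "fixing" it. The enclosing method starts before and ends after this hunk.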
@@ -86,8 +103,6 @@
 			// Check if the user exists (authenticate them)
 			if($this->authenticate()) {
 				// Authentication successful
-//				header("Location: ".$this->url);
-//				exit(0);
 				$this->send_header($this->url);
 			} else {
 				$this->message = $MESSAGE['LOGIN_AUTHENTICATION_FAILED'];
@@ -119,9 +134,6 @@
 			$this->password = md5($this->password);
 			if($this->authenticate()) {
 				// Authentication successful
-// 				echo $this->url;exit();
-// 				header("Location: ".$this->url);
-// 				exit(0);
 				$this->send_header($this->url);
 			} else {
 				$this->message = $MESSAGE['LOGIN_AUTHENTICATION_FAILED'];
@@ -298,6 +310,7 @@
 			}
 			$template->set_var(array(
 				'ACTION_URL' => $this->login_url,
+				'URL' => $this->default_url,
 				'ATTEMPS' => $this->get_session('ATTEMPS'),
 				'USERNAME' => $this->username,
 				'USERNAME_FIELDNAME' => $this->username_fieldname,
