security fixes

Péter Szládovics
1 parent 4990aa7f
Showing 8 changed files with 18 additions and 11 deletions
.gitignore
INSTALL.md
README.md
lib/smbind.class.php
src/include.php
src/savepass.php
src/useradd.php
src/userwrite.php
+/config/*
+!/config
+!/config/config.php-default
 # SMBind-ng Installation Guide
-v0.91c
+v0.96a
  
 ## Requirements
  * Any kind of webserver with php usage abilities (tested on apache2, lighttpd,
 # SMBind-ng
-v0.95d
+v0.96a
  
 This is a forked project from [smbind](http://sourceforge.net/projects/smbind/).
  
@@ -14,6 +14,9 @@ This fork has many improvements, security changes and new features
  * CSS based inline graphical elements
  
 ## Security changes
+ * Remove XSS vulnerability (login screen) - 0.96a
+ * Remove SQL injection (user real name) - 0.96a
+ * More secure password handling and checking - 0.96a
  * Login with Google ReCaptcha validation
  * Password policy (JS based checking)
  * No password traffic in HTTP channel (JS based encryption)
@@ -211,7 +211,7 @@
             if (is_string($path)) {
                 $_CONF['smbind_ng'] = $path;
                 $_CONF['title'] = "SMBind-ng";
-                $_CONF['version'] = 'v0.91d';
+                $_CONF['version'] = 'v0.96a';
                 $_CONF['footer'] = $_CONF['title'] . $_CONF['version'];
                 $_CONF['marker'] = "Forked by PtY 2015(GPL)";
                 $_CONF['template'] = "default";
@@ -81,8 +81,8 @@ if(isset($_POST[&quot;recaptcha_response_field&quot;])){
       }
 }
  
-if (isset($_POST['username']) && isset($_POST['password']) && ($cap_rsp == NULL)) {
-    $session->login($_POST['username'], $_POST['password']);
+if (isset($_POST['username']) && isset($_POST['password']) && ($cap_rsp == NULL) && (strlen($_POST['password']) == 32)) {
+    $session->login(preg_replace('/[^a-zA-z0-9_\.@-]+/', '', $_POST['username']), preg_replace('/[^0-9a-f]+/', '', $_POST['password']));
 }
  
 $user = new User();
 <?php
 require_once "include.php";
  
-if ($user->getPasswordHash() == $_POST['password_old']) {
-    if ((strlen($_POST['password_one']) == 32) && ($session->isEnoughOld())) {
-        $user->set(NULL, $_POST['password_one']);
+if ($user->getPasswordHash() == preg_replace('/[^0-9a-f]+/', '', $_POST['password_old'])) {
+    if ((strlen(preg_replace('/[^a-f0-9]+/', '', $_POST['password_one'])) == 32) && ($session->isEnoughOld())) {
+        $user->set(NULL, preg_replace('/[^a-f0-9]+/', '', $_POST['password_one']));
         $_SESSION['p'] = $user->getPasswordHash();
         $smarty->assign("pagetitle", "Change password");
         $smarty->assign("template", "savepass.tpl");
@@ -2,10 +2,11 @@
 require_once "include.php";
  
 if ($user->isAdmin()) {
-    if ((strlen($_POST['password_']) == 32) &&
+    if ((strlen(preg_replace('/[^a-f0-9]+/', '', $_POST['password_'])) == 32) &&
         (isset($_POST['username_'])) &&
         (strlen($_POST['username_']) > 2)) {
-        $real = ((isset($_POST['realname'])) && ($_POST['realname'] >= '')) ? $_POST['realname'] : $_POST['username_'];
+        $cleanname = preg_replace('/[%"\'<>]+/', '', $_POST['realname']);
+        $real = ((isset($_POST['realname'])) && ($_POST['realname'] >= '') && ($_POST['realname'] == $cleanname)) ? $_POST['realname'] : $_POST['username_'];
         $urec = array(
             'id'        => 0,
             'username'  => $_POST['username_'],
@@ -4,7 +4,7 @@ require_once &quot;include.php&quot;;
 if($user->isAdmin()) {
     $adm = (isset($_POST['admin'])) ? $_POST['admin'] : '';
     $pass = (isset($_POST['password'])) ? $_POST['password'] : '';
-    $rnam = (isset($_POST['realname'])) ? $_POST['realname'] : '';
+    $rnam = ((isset($_POST['realname'])) && ($_POST['realname'] == preg_replace('/[%"\'<>]+/', '', $_POST['realname']))) ? $_POST['realname'] : '';
     $i = (isset($_GET['i'])) ? intval($_GET['i']) : 0;
     if (($i > 1)  && ($session->isEnoughOld())) {
         $smarty->assign("pagetitle", "Viewing user");