Commit d593f51baac400e72d93fbfd1002ba334584f8b2

Authored by Péter Szládovics
1 parent 4990aa7f

security fixes

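--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,3 @@
+/config/*
+!/config
+!/config/config.php-default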
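--- a/INSTALL.md
+++ b/INSTALL.md
@@ -1,5 +1,5 @@
 # SMBind-ng Installation Guide
-v0.91c
+v0.96a
 
 ## Requirements
 * Any kind of webserver with php usage abilities (tested on apache2, lighttpd,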
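--- a/README.md
+++ b/README.md
@@ -1,5 +1,5 @@
 # SMBind-ng
-v0.95d
+v0.96a
 
 This is a forked project from [smbind](http://sourceforge.net/projects/smbind/).
 
@@ -14,6 +14,9 @@ This fork has many improvements, security changes and new features
 * CSS based inline graphical elements
 
 ## Security changes
+ * Remove XSS vulnerability (login screen) - 0.96a
+ * Remove SQL injection (user real name) - 0.96a
+ * More secure password handling and checking - 0.96a
 * Login with Google ReCaptcha validation
 * Password policy (JS based checking)
 * No password traffic in HTTP channel (JS based encryption)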
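--- a/lib/smbind.class.php
+++ b/lib/smbind.class.php
@@ -211,7 +211,7 @@
 if (is_string($path)) {
 $_CONF['smbind_ng'] = $path;
 $_CONF['title'] = "SMBind-ng";
- $_CONF['version'] = 'v0.91d';
+ $_CONF['version'] = 'v0.96a';
 $_CONF['footer'] = $_CONF['title'] . $_CONF['version'];
 $_CONF['marker'] = "Forked by PtY 2015(GPL)";
 $_CONF['template'] = "default";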
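--- a/src/include.php
+++ b/src/include.php
@@ -81,8 +81,8 @@ if(isset($_POST["recaptcha_response_field"])){
 }
 }
 
-if (isset($_POST['username']) && isset($_POST['password']) && ($cap_rsp == NULL)) {
- $session->login($_POST['username'], $_POST['password']);
+if (isset($_POST['username']) && isset($_POST['password']) && ($cap_rsp == NULL) && (strlen($_POST['password']) == 32)) {
+ $session->login(preg_replace('/[^a-zA-z0-9_\.@-]+/', '', $_POST['username']), preg_replace('/[^0-9a-f]+/', '', $_POST['password']));
 }
 
 $user = new User();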
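Review bot: The username whitelist on new line 85, `'/[^a-zA-z0-9_\.@-]+/'`, has a lowercase `z` closing the second range, so `A-z` also admits `[`, `\`, `]`, `^` and the backtick — wider than the alphanumeric set the pattern evidently intends; it should read `'/[^a-zA-Z0-9_.@-]+/'`. The `strlen($_POST['password']) == 32` guard on line 84 measures the raw value while `$session->login()` receives the hex-filtered one, so a 32-character value containing non-hex characters passes the guard and a shorter string reaches login; savepass.php and useradd.php measure after filtering, and the same order here would be consistent: `$pw = preg_replace('/[^0-9a-f]+/', '', $_POST['password']);` then `if (isset($_POST['username']) && isset($_POST['password']) && ($cap_rsp == NULL) && (strlen($pw) == 32)) {`. Since that 32-hex value is what authenticates the session, it is the credential on the wire whatever the README says about "no password traffic", so transport protection is still needed — how the value is derived is not visible in this hunk.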
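--- a/src/savepass.php
+++ b/src/savepass.php
@@ -1,9 +1,9 @@
 <?php
 require_once "include.php";
 
-if ($user->getPasswordHash() == $_POST['password_old']) {
- if ((strlen($_POST['password_one']) == 32) && ($session->isEnoughOld())) {
- $user->set(NULL, $_POST['password_one']);
+if ($user->getPasswordHash() == preg_replace('/[^0-9a-f]+/', '', $_POST['password_old'])) {
+ if ((strlen(preg_replace('/[^a-f0-9]+/', '', $_POST['password_one'])) == 32) && ($session->isEnoughOld())) {
+ $user->set(NULL, preg_replace('/[^a-f0-9]+/', '', $_POST['password_one']));
 $_SESSION['p'] = $user->getPasswordHash();
 $smarty->assign("pagetitle", "Change password");
 $smarty->assign("template", "savepass.tpl");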
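Review bot: The hash comparison on new line 4 still uses `==`, which treats two hex strings that both parse as numbers (a `0e` prefix followed only by digits) as equal floats, so distinct hashes can compare equal; a strict, constant-time comparison removes that and the timing difference: `if (isset($_POST['password_old']) && hash_equals((string) $user->getPasswordHash(), preg_replace('/[^0-9a-f]+/', '', $_POST['password_old']))) {`. The added `isset` also stops `preg_replace` from being handed a missing field, which lines 4 and 5 currently do for `password_old` and `password_one` (an undefined-index notice, and `null` into a string parameter). Line 5 and line 6 filter `password_one` twice; computing it once into a local before the `if` keeps the length that was checked and the value that is stored the same. The stored value is whatever 32-hex string the client submits; whether `User::set()` hashes it server-side is not visible here and is worth confirming, since the README's "more secure password handling" rests on it.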
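--- a/src/useradd.php
+++ b/src/useradd.php
@@ -2,10 +2,11 @@
 require_once "include.php";
 
 if ($user->isAdmin()) {
- if ((strlen($_POST['password_']) == 32) &&
+ if ((strlen(preg_replace('/[^a-f0-9]+/', '', $_POST['password_'])) == 32) &&
 (isset($_POST['username_'])) &&
 (strlen($_POST['username_']) > 2)) {
- $real = ((isset($_POST['realname'])) && ($_POST['realname'] >= '')) ? $_POST['realname'] : $_POST['username_'];
+ $cleanname = preg_replace('/[%"\'<>]+/', '', $_POST['realname']);
+ $real = ((isset($_POST['realname'])) && ($_POST['realname'] >= '') && ($_POST['realname'] == $cleanname)) ? $_POST['realname'] : $_POST['username_'];
 $urec = array(
 'id' => 0,
 'username' => $_POST['username_'],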
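Review bot: The character blacklist on new line 8, `'/[%"\'<>]+/'`, rejects five characters and is not what closes the SQL injection the README credits to this commit: backslashes and comment sequences pass it unchanged, so if the statement that consumes `$urec` is built by string concatenation the realname remains injectable, and the fix belongs where the query is built (bind the value in a prepared statement), with this filter at most an output-side nicety — the query is outside the hunk, so I cannot confirm how it is built. The same pattern guards `$rnam` in src/userwrite.php. Separately, `preg_replace` on line 8 runs before the `isset($_POST['realname'])` on line 9, so a POST without realname raises an undefined-index notice and passes `null` to a string parameter (deprecated since PHP 8.1); the pre-existing `$_POST['realname'] >= ''` is always true for a string and presumably meant a non-empty check. Reordering keeps the check honest: `$rawname = isset($_POST['realname']) ? $_POST['realname'] : '';` `$cleanname = preg_replace('/[%"\'<>]+/', '', $rawname);` `$real = (($rawname !== '') && ($rawname === $cleanname)) ? $rawname : $_POST['username_'];`.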
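--- a/src/userwrite.php
+++ b/src/userwrite.php
@@ -4,7 +4,7 @@ require_once "include.php";
 if($user->isAdmin()) {
 $adm = (isset($_POST['admin'])) ? $_POST['admin'] : '';
 $pass = (isset($_POST['password'])) ? $_POST['password'] : '';
- $rnam = (isset($_POST['realname'])) ? $_POST['realname'] : '';
+ $rnam = ((isset($_POST['realname'])) && ($_POST['realname'] == preg_replace('/[%"\'<>]+/', '', $_POST['realname']))) ? $_POST['realname'] : '';
 $i = (isset($_GET['i'])) ? intval($_GET['i']) : 0;
 if (($i > 1) && ($session->isEnoughOld())) {
 $smarty->assign("pagetitle", "Viewing user");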