This update will break your login, as we changed the password hash from MD5 to a salted hash using the hash_password and password_verify techniques; it also fixes an unauthenticated persistent XSS vulnerability that could be triggered if someone spoofed their IP with JavaScript code and a logged-in user then read the logs. The flaw was discovered by @bambilol (#214). Some other bugs are fixed as well.

This commit is contained in:
johnnyq
2021-12-13 12:21:55 -05:00
parent ed2dfa1b74
commit 4604280efe
5 changed files with 28 additions and 27 deletions


@@ -283,9 +283,9 @@ function formatPhoneNumber($phoneNumber) {
} }
//SESSION FINGERPRINT //SESSION FINGERPRINT
$session_ip = get_ip(); $session_ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$session_os = get_os(); $session_os = strip_tags(mysqli_real_escape_string($mysqli,get_os()));
$session_browser = get_web_browser(); $session_browser = strip_tags(mysqli_real_escape_string($mysqli,get_web_browser()));
$session_device = get_device(); $session_device = strip_tags(mysqli_real_escape_string($mysqli,get_device()));
?> ?>
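Review bot: The fingerprint values on L15-L18 are SQL-escaped and tag-stripped at capture time, which ties plain request data to the `$mysqli` connection and still does not make it safe for HTML output; the same pattern is on L25-L28 of the login file. mysqli_real_escape_string() only means something at the point where a query string is built (a prepared statement with bound parameters is the better form), and strip_tags() is not an HTML encoder, so any page that prints these values should still pass them through `htmlspecialchars($v, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` at output. If get_ip() derives the address from a client-supplied header such as X-Forwarded-For (the description mentions spoofed IPs), that header should only be honored when the request arrives from a trusted proxy, with REMOTE_ADDR used otherwise; I cannot see get_ip() here, so that needs confirming. A comment on the intent would help the next reader: `// fingerprint values are untrusted request data; escape per context (SQL, HTML) where they are used`.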


@@ -11,10 +11,10 @@ if(!file_exists('config.php')){
<?php <?php
$ip = get_ip(); $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
$os = get_os(); $os = strip_tags(mysqli_real_escape_string($mysqli,get_os()));
$browser = get_web_browser(); $browser = strip_tags(mysqli_real_escape_string($mysqli,get_web_browser()));
$device = get_device(); $device = strip_tags(mysqli_real_escape_string($mysqli,get_device()));
?> ?>
@@ -24,17 +24,18 @@ session_start();
if(isset($_POST['login'])){ if(isset($_POST['login'])){
$username = mysqli_real_escape_string($mysqli,$_POST['username']); $username = strip_tags(mysqli_real_escape_string($mysqli,$_POST['username']));
$plain_password = $_POST['password']; $password = $_POST['password'];
$password = md5($_POST['password']); $current_code = strip_tags(mysqli_real_escape_string($mysqli,$_POST['current_code']));
$current_code = mysqli_real_escape_string($mysqli,$_POST['current_code']);
if(!empty($current_code)){ if(!empty($current_code)){
$current_code = mysqli_real_escape_string($mysqli,$_POST['current_code']); $current_code = strip_tags(mysqli_real_escape_string($mysqli,$_POST['current_code']));
} }
$sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_email = '$username' AND user_password = '$password'"); $sql = mysqli_query($mysqli,"SELECT * FROM users WHERE user_email = '$username'");
$row = mysqli_fetch_array($sql);
if(mysqli_num_rows($sql) == 1){
$row = mysqli_fetch_array($sql); if(password_verify($password, $row['user_password'])){
$token = $row['user_token']; $token = $row['user_token'];
$_SESSION['user_id'] = $row['user_id']; $_SESSION['user_id'] = $row['user_id'];
$_SESSION['user_name'] = $row['user_name']; $_SESSION['user_name'] = $row['user_name'];
@@ -74,9 +75,9 @@ if(isset($_POST['login'])){
"; ";
} }
} }
}else{ }else{
mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = '$user_name failed to log in', log_ip = '$ip', log_user_agent = '$os - $browser - $device', log_created_at = NOW()"); mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Login', log_action = 'Failed', log_description = '$username failed to log in', log_ip = '$ip', log_user_agent = '$os - $browser - $device', log_created_at = NOW()");
$response = " $response = "
<div class='alert alert-danger'> <div class='alert alert-danger'>
@@ -125,7 +126,7 @@ if(isset($_POST['login'])){
</div> </div>
</div> </div>
<div class="input-group mb-3"> <div class="input-group mb-3">
<input type="password" class="form-control" placeholder="Password" name="password" value="<?php if(!empty($token_field)){ echo $plain_password; } ?>" required> <input type="password" class="form-control" placeholder="Password" name="password" value="<?php if(!empty($token_field)){ echo $password; } ?>" required>
<div class="input-group-append"> <div class="input-group-append">
<div class="input-group-text"> <div class="input-group-text">
<span class="fas fa-lock"></span> <span class="fas fa-lock"></span>
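Review bot: On L58 the submitted password is echoed straight into the value attribute of the password input whenever `$token_field` is set, with no HTML escaping, so a password containing a double quote or angle bracket breaks out of the attribute; it should read `value="<?php if(!empty($token_field)){ echo htmlspecialchars($password, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); } ?>"`. Round-tripping the plaintext password through the markup of the second-factor step also leaves it in the rendered page source; holding it server-side in the session for the duration of the code prompt would avoid that. In the login hunk (L39-L42) the query is still assembled by interpolation; with only the email left in the WHERE clause a prepared statement with one bound parameter is a small change, and a `password_needs_rehash()` check after a successful `password_verify()` keeps stored hashes current when PASSWORD_DEFAULT changes. The `if(isset($_POST['login']))` block starts before and ends after these hunks.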


@@ -154,8 +154,8 @@ $num_rows = mysqli_fetch_row(mysqli_query($mysqli,"SELECT FOUND_ROWS()"));
$log_id = $row['log_id']; $log_id = $row['log_id'];
$log_type = $row['log_type']; $log_type = $row['log_type'];
$log_action = $row['log_action']; $log_action = $row['log_action'];
$log_description = $row['log_description']; $log_description = htmlentities($row['log_description']);
$log_ip = $row['log_ip']; $log_ip = htmlentities($row['log_ip']);
$log_user_agent = $row['log_user_agent']; $log_user_agent = $row['log_user_agent'];
$log_created_at = $row['log_created_at']; $log_created_at = $row['log_created_at'];
$user_id = $row['user_id']; $user_id = $row['user_id'];
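Review bot: `$log_user_agent` on L71 is still assigned unescaped while the neighboring `log_description` and `log_ip` now get htmlentities(); the failed-login insert in the login file writes `'$os - $browser - $device'` into that column, values presumably derived from the request's own User-Agent header, so it is the same kind of sink. Escaping at output also covers rows written before this commit and any other code path that inserts into logs, which the input-side strip_tags() does not; change it to `$log_user_agent = htmlentities($row['log_user_agent']);`. If any of these values is printed inside a single-quoted attribute, pass `ENT_QUOTES` explicitly, since the htmlentities() default before PHP 8.1 does not encode single quotes. The loop these assignments belong to starts and ends outside the hunk.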


@@ -34,7 +34,7 @@ if(isset($_POST['add_user'])){
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
$password = md5($_POST['password']); $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
$company = intval($_POST['company']); $company = intval($_POST['company']);
$level = intval($_POST['level']); $level = intval($_POST['level']);
@@ -163,7 +163,7 @@ if(isset($_POST['edit_user'])){
mysqli_query($mysqli,"UPDATE users SET user_name = '$name', user_email = '$email', user_updated_at = NOW() WHERE user_id = $user_id"); mysqli_query($mysqli,"UPDATE users SET user_name = '$name', user_email = '$email', user_updated_at = NOW() WHERE user_id = $user_id");
if(!empty($new_password)){ if(!empty($new_password)){
$new_password = md5($new_password); $new_password = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli,"UPDATE users SET user_password = '$new_password' WHERE user_id = $user_id"); mysqli_query($mysqli,"UPDATE users SET user_password = '$new_password' WHERE user_id = $user_id");
} }
@@ -235,7 +235,7 @@ if(isset($_POST['edit_profile'])){
mysqli_query($mysqli,"UPDATE users SET user_name = '$name', user_email = '$email', user_updated_at = NOW() WHERE user_id = $user_id"); mysqli_query($mysqli,"UPDATE users SET user_name = '$name', user_email = '$email', user_updated_at = NOW() WHERE user_id = $user_id");
if(!empty($new_password)){ if(!empty($new_password)){
$new_password = md5($new_password); $new_password = password_hash($new_password, PASSWORD_DEFAULT);
mysqli_query($mysqli,"UPDATE users SET user_password = '$new_password' WHERE user_id = $user_id"); mysqli_query($mysqli,"UPDATE users SET user_password = '$new_password' WHERE user_id = $user_id");
} }
@@ -252,7 +252,7 @@ if(isset($_POST['edit_user_companies'])){
$user_id = intval($_POST['user_id']); $user_id = intval($_POST['user_id']);
$companies = mysqli_real_escape_string($mysqli,$_POST['companies']); $companies = mysqli_real_escape_string($mysqli,$_POST['companies']);
//Turn the Array into a string with , seperation //Turn the Array into a string with , seperation
$companies_imploded = implode(",",$companies); $companies_imploded = implode(",",$companies);
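Review bot: password_hash() with PASSWORD_DEFAULT produces a 60-character bcrypt string today and the PHP manual recommends a column that can grow to 255, whereas the md5() digests replaced on L80, L86 and L92 were 32 characters; if users.user_password was sized for MD5, the stored hash is silently truncated and every password_verify() fails, which the description's "will break your login" note does not cover — the same applies to L106 in the next file. I cannot see the schema here, so this needs confirming, and a migration along the lines of `ALTER TABLE users MODIFY user_password VARCHAR(255)` (constructed; adjust to the real column definition) should ship with the change. The `!empty($new_password)` guard on L85 and L91 also treats the string '0' as "no change"; `$new_password !== ''` is the intended check. The hash is interpolated into the UPDATE on L87 and L93; bcrypt output contains no quote characters, but a bound parameter removes the dependence on that property.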


@@ -391,7 +391,7 @@ if(isset($_POST['add_user'])){
$name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name']))); $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
$email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email']))); $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
$password = md5($_POST['password']); $password = password_hash($_POST['password'], PASSWORD_DEFAULT);
mysqli_query($mysqli,"INSERT INTO users SET user_name = '$name', user_email = '$email', user_password = '$password', user_created_at = NOW()"); mysqli_query($mysqli,"INSERT INTO users SET user_name = '$name', user_email = '$email', user_password = '$password', user_created_at = NOW()");
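Review bot: `$_POST['password']` on L106 goes straight into password_hash() with no emptiness or length check, so unless that is validated above the hunk an empty string becomes a valid stored credential for the new account; the same holds for L80 in the users file. A guard before hashing, `if (($_POST['password'] ?? '') === '') { /* reject and return */ }` or a minimum-length check, is worth adding since any `required` attribute on the form is enforced client-side only. Because bcrypt only considers the first 72 bytes of the input, an upper bound or a comment noting that limit also helps. The `if(isset($_POST['add_user']))` block starts before this hunk and ends after it.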