Skip to content

Commit

Permalink
Critical security issue - fix password hash
Browse files Browse the repository at this point in the history
  • Loading branch information
gamonoid committed Jun 14, 2018
1 parent 51e3569 commit 025a828
Show file tree
Hide file tree
Showing 4 changed files with 29 additions and 17 deletions.
6 changes: 3 additions & 3 deletions core/header.php
Original file line number Diff line number Diff line change
Expand Up @@ -25,9 +25,9 @@
}
include 'includes.inc.php';

if(empty($user)){
$actualLink = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLink));
if(empty($user) || empty($user->email)){
$actualLinkArray = explode('/',$_SERVER['REQUEST_URI']);
header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLinkArray[count($actualLinkArray) - 1]));
exit();
}

Expand Down
2 changes: 0 additions & 2 deletions core/login.com.inc.php

This file was deleted.

35 changes: 24 additions & 11 deletions core/login.php
Original file line number Diff line number Diff line change
Expand Up @@ -9,8 +9,8 @@
$_COOKIE['icehrmLF'] = '';
$user = null;
}

if (empty($user)) {
$hashedPwd = null;
if (empty($user) || empty($user->email)) {
if (!isset($_REQUEST['f']) && isset($_COOKIE['icehrmLF'])
&& $_REQUEST['login'] != 'no' && !isset($_REQUEST['username'])) {
$tempUser = new \Users\Common\Model\User();
Expand All @@ -20,8 +20,9 @@
sha1($tempUser->email."_".$tempUser->password) == $_COOKIE['icehrmLF']) {
$_REQUEST['username'] = $tempUser->username;
$_REQUEST['password'] = $tempUser->password;
$_REQUEST['hashedPwd'] = $tempUser->password;
$hashedPwd = $tempUser->password;
$_REQUEST['remember'] = true;
$cookieLogin = true;
}
}

Expand All @@ -47,22 +48,33 @@
}
}

if (!isset($_REQUEST['hashedPwd'])) {
$_REQUEST['hashedPwd'] = md5($_REQUEST['password']);
if (!isset($hashedPwd)) {
$hashedPwd = md5($_REQUEST['password']);
}


include 'login.com.inc.php';

if (empty($suser)) {
$suser = new \Users\Common\Model\User();
$suser->Load(
"(username = ? or email = ?) and password = ?",
array($_REQUEST['username'],$_REQUEST['username'],$_REQUEST['hashedPwd'])
array($_REQUEST['username'], $_REQUEST['username'], $hashedPwd)
);
}

if ($suser->password == $_REQUEST['hashedPwd'] || $ssoUserLoaded) {
if (empty($suser->username) || empty($suser->email)) {
$next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
exit();
}

$loginCsrf = \Utils\SessionUtils::getSessionObject('csrf-login');

if (!$cookieLogin && ($_REQUEST['csrf'] != $loginCsrf || empty($_REQUEST['csrf']))) {
$next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
exit();
}

if ($suser->password === $hashedPwd || $ssoUserLoaded) {
$user = $suser;
\Utils\SessionUtils::saveSessionObject('user', $user);
$suser->last_login = date("Y-m-d H:i:s");
Expand All @@ -88,7 +100,7 @@
}

if (!empty($_REQUEST['next']) && !empty(($loginRedirect = \Base64Url\Base64Url::decode($_REQUEST['next'])))) {
header("Location:" . $loginRedirect);
header("Location:" . CLIENT_BASE_URL.$loginRedirect);
exit();
} else {
if ($user->user_level == "Admin") {
Expand Down Expand Up @@ -340,6 +352,7 @@ function submitLogin(){
<?php if (!isset($_REQUEST['cp'])) {?>
<form id="loginForm" action="login.php" method="POST">
<input type="hidden" id="next" name="next" value="<?=$_REQUEST['next']?>"/>
<input type="hidden" id="csrf" name="csrf" value="<?=$csrfToken?>"/>
<fieldset>
<div class="clearfix">
<div class="input-prepend">
Expand Down
3 changes: 2 additions & 1 deletion core/src/Utils/SessionUtils.php
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,8 @@ public static function unsetClientSession()
$names = [
"user",
"modulePath",
"admin_current_profile"
"admin_current_profile",
"csrf-login"
];
session_start();
setcookie('icehrmLF', '');
Expand Down

0 comments on commit 025a828

Please sign in to comment.