dbxe
/
fusionpbx
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Update login.php 

Possible vulnerability in password reset not taking chances removing the code until it has been analyzed and fixed.
This commit is contained in:
FusionPBX 2016-07-29 03:22:27 -06:00 committed by GitHub
parent e7c813a559
commit 3b438f5d0e
1 changed files with 22 additions and 269 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

251
resources/login.php
View File

@ -17,7 +17,7 @@
The Initial Developer of the Original Code is
Mark J Crane <markjcrane@fusionpbx.com>
Portions created by the Initial Developer are Copyright (C) 2008-2012
Portions created by the Initial Developer are Copyright (C) 2008-2016
the Initial Developer. All Rights Reserved.
Contributor(s):
@ -28,119 +28,6 @@
$language = new text;
$text = $language->get(null,'core/user_settings');
//get action, if any
if (isset($_REQUEST['action'])) {
$action = check_str($_REQUEST['action']);
}
//retrieve parse reset key
if ($action == 'define') {
$key = $_GET['key'];
$key_part = explode('|', decrypt($_SESSION['login']['password_reset_key']['text'], $key));
$username = $key_part[0];
$domain_uuid = $key_part[1];
$password_submitted = $key_part[2];
//get current salt, see if same as submitted salt
$sql = "select password from v_users where domain_uuid = '".$domain_uuid."' and username = '".$username."'";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetch(PDO::FETCH_NAMED);
$password_current = $result['password'];
unset($prep_statement, $result);
//set flag
$password_reset = ($username != '' && $domain_uuid == $_SESSION['domain_uuid'] && $password_submitted == $password_current) ? true : false;
}
//send password reset link
if ($action == 'request') {
if (valid_email($_REQUEST['email'])) {
$_SESSION["message_delay"] = 2500;
$email = check_str($_REQUEST['email']);
//see if email exists
$sql = "select ";
$sql .= "u.username, ";
$sql .= "u.password ";
$sql .= "from ";
$sql .= "v_users as u, ";
$sql .= "v_contact_emails as e ";
$sql .= "where ";
$sql .= "e.domain_uuid = u.domain_uuid ";
$sql .= "and e.contact_uuid = u.contact_uuid ";
$sql .= "and e.email_address = '".$email."' ";
$sql .= "and e.domain_uuid = '".$_SESSION['domain_uuid']."' ";
$prep_statement = $db->prepare(check_sql($sql));
$prep_statement->execute();
$result = $prep_statement->fetch(PDO::FETCH_NAMED);
unset($prep_statement);
if ($result['username'] != '') {
//generate reset link
$key = encrypt($_SESSION['login']['password_reset_key']['text'], $result['username'].'|'.$_SESSION['domain_uuid'].'|'.$result['password']);
$reset_link = "https://".$_SESSION['domain_name'].PROJECT_PATH."/login.php?action=define&key=".urlencode($key);
$eml_body = "<a href='".$reset_link."' class='login_link'>".$reset_link."</a>";
//send reset link
if (!send_email($email, $text['label-reset_link'], $eml_body)) {
$_SESSION["message_mood"] = 'negative';
$_SESSION["message"] = $eml_error;
}
else {
$_SESSION["message"] = $text['message-reset_link_sent'];
}
}
else {
//not found
$_SESSION["message_mood"] = 'negative';
$_SESSION["message"] = $text['message-invalid_email'];
}
}
else {
//not found
$_SESSION["message_mood"] = 'negative';
$_SESSION["message"] = $text['message-invalid_email'];
}
}
//reset password
if ($action == 'reset') {
$authorized_username = check_str($_REQUEST['au']);
$username = check_str($_REQUEST['username']);
$password_new = check_str($_REQUEST['password_new']);
$password_repeat = check_str($_REQUEST['password_repeat']);
if ($username != '' &&
$authorized_username == md5($_SESSION['login']['password_reset_key']['text'].$username) &&
$password_new != '' &&
$password_repeat != '' &&
$password_new == $password_repeat
) {
if (!check_password_strength($password_new, $text)) {
$password_reset = true;
}
else {
$salt = generate_password('20', '4');
$sql = "update v_users set ";
$sql .= "password = '".md5($salt.$password_new)."', ";
$sql .= "salt = '".$salt."' ";
$sql .= "where domain_uuid = '".$_SESSION['domain_uuid']."' ";
$sql .= "and username = '".$username."' ";
$db->exec(check_sql($sql));
$_SESSION["message"] = $text['message-password_reset'];
$password_reset = false;
}
}
else {
//not found
$_SESSION["message_mood"] = 'negative';
$_SESSION["message"] = $text['message-invalid_username_mismatch_passwords'];
$password_reset = true;
}
}
//get the http values and set as variables
$path = check_str($_GET["path"]);
$msg = check_str($_GET["msg"]);
@ -196,24 +83,6 @@
}
//show the content
echo "<script>";
echo " var speed = 350;";
echo " function toggle_password_reset(hide_id, show_id, focus_id) {";
echo " if (focus_id == undefined) { focus_id = ''; }";
echo " $('#'+hide_id).slideToggle(speed, function() {";
echo " $('#'+show_id).slideToggle(speed, function() {";
echo " if (focus_id != '') {";
echo " $('#'+focus_id).focus();";
echo " }";
echo " });";
echo " });";
echo " }";
echo "</script>";
echo "<br />\n";
if (!$password_reset) {
echo "<div id='login_form'>\n";
echo "<form name='login' method='post' action='".$_SESSION['login']['destination']['url']."'>\n";
echo "<input type='hidden' name='path' value='".$path."'>\n";
@ -236,127 +105,11 @@
}
}
echo "<input type='submit' id='btn_login' class='btn' style='width: 100px; margin-top: 15px;' value='".$text['button-login']."'>\n";
if (
function_exists('mcrypt_encrypt') &&
$_SESSION['login']['password_reset_key']['text'] != '' &&
$_SESSION['email']['smtp_host']['var'] != ''
) {
echo "<br><br><a class='login_link' onclick=\"toggle_password_reset('login_form','request_form','email');\">".$text['label-reset_password']."</a>";
}
echo "</form>";
echo "<script>document.getElementById('username').focus();</script>";
echo "</div>";
echo "<div id='request_form' style='display: none;'>\n";
echo "<form name='request' method='post' action=''>\n";
echo "<input type='hidden' name='action' value='request'>\n";
echo "<input type='text' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-bottom: 8px;' name='email' id='email' placeholder=\"".$text['label-email_address']."\"><br />\n";
echo "<input type='submit' id='btn_reset' class='btn' style='width: 100px; margin-top: 15px;' value='".$text['button-reset']."'>\n";
echo "<br><br><a class='login_link' onclick=\"toggle_password_reset('request_form','login_form','username');\">".$text['label-cancel']."</a>";
echo "</form>";
echo "</div>";
}
else {
echo "<script>\n";
echo " function compare_passwords() {\n";
echo " if (document.getElementById('password') === document.activeElement || document.getElementById('password_confirm') === document.activeElement) {\n";
echo " if ($('#password').val() != '' || $('#password_confirm').val() != '') {\n";
echo " if ($('#password').val() != $('#password_confirm').val()) {\n";
echo " $('#password').removeClass('formfld_highlight_good');\n";
echo " $('#password_confirm').removeClass('formfld_highlight_good');\n";
echo " $('#password').addClass('formfld_highlight_bad');\n";
echo " $('#password_confirm').addClass('formfld_highlight_bad');\n";
echo " }\n";
echo " else {\n";
echo " $('#password').removeClass('formfld_highlight_bad');\n";
echo " $('#password_confirm').removeClass('formfld_highlight_bad');\n";
echo " $('#password').addClass('formfld_highlight_good');\n";
echo " $('#password_confirm').addClass('formfld_highlight_good');\n";
echo " }\n";
echo " }\n";
echo " }\n";
echo " else {\n";
echo " $('#password').removeClass('formfld_highlight_bad');\n";
echo " $('#password_confirm').removeClass('formfld_highlight_bad');\n";
echo " $('#password').removeClass('formfld_highlight_good');\n";
echo " $('#password_confirm').removeClass('formfld_highlight_good');\n";
echo " }\n";
echo " }\n";
$req['length'] = $_SESSION['security']['password_length']['numeric'];
$req['number'] = ($_SESSION['security']['password_number']['boolean'] == 'true') ? true : false;
$req['lowercase'] = ($_SESSION['security']['password_lowercase']['boolean'] == 'true') ? true : false;
$req['uppercase'] = ($_SESSION['security']['password_uppercase']['boolean'] == 'true') ? true : false;
$req['special'] = ($_SESSION['security']['password_special']['boolean'] == 'true') ? true : false;
echo " function check_password_strength(pwd) {\n";
echo " if ($('#password').val() != '' || $('#password_confirm').val() != '') {\n";
echo " var msg_errors = [];\n";
if (is_numeric($req['length']) && $req['length'] != 0) {
echo " var re = /.{".$req['length'].",}/;\n"; //length
echo " if (!re.test(pwd)) { msg_errors.push('".$req['length']."+ ".$text['label-characters']."'); }\n";
}
if ($req['number']) {
echo " var re = /(?=.*[\d])/;\n"; //number
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-numbers']."'); }\n";
}
if ($req['lowercase']) {
echo " var re = /(?=.*[a-z])/;\n"; //lowercase
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-lowercase_letters']."'); }\n";
}
if ($req['uppercase']) {
echo " var re = /(?=.*[A-Z])/;\n"; //uppercase
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-uppercase_letters']."'); }\n";
}
if ($req['special']) {
echo " var re = /(?=.*[\W])/;\n"; //special
echo " if (!re.test(pwd)) { msg_errors.push('1+ ".$text['label-special_characters']."'); }\n";
}
echo " if (msg_errors.length > 0) {\n";
echo " var msg = '".$text['message-password_requirements'].": ' + msg_errors.join(', ');\n";
echo " display_message(msg, 'negative', '6000');\n";
echo " return false;\n";
echo " }\n";
echo " else {\n";
echo " return true;\n";
echo " }\n";
echo " }\n";
echo " else {\n";
echo " return true;\n";
echo " }\n";
echo " }\n";
echo " function show_strenth_meter() {\n";
echo " $('#pwstrength_progress').slideDown();\n";
echo " }\n";
echo "</script>\n";
echo "<span id='reset_form'>\n";
echo "<form name='reset' id='frm' method='post' action=''>\n";
echo "<input type='hidden' name='action' value='reset'>\n";
echo "<input type='hidden' name='au' value='".md5($_SESSION['login']['password_reset_key']['text'].$username)."'>\n";
echo "<input type='text' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-bottom: 8px;' name='username' id='username' placeholder=\"".$text['label-username']."\"><br />\n";
echo "<input type='password' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-bottom: 4px;' name='password_new' id='password' autocomplete='off' placeholder=\"".$text['label-new_password']."\" onkeypress='show_strenth_meter();' onfocus='compare_passwords();' onkeyup='compare_passwords();' onblur='compare_passwords();'><br />\n";
echo "<div id='pwstrength_progress' class='pwstrength_progress pwstrength_progress_password_reset'></div>";
echo "<input type='password' class='txt login' style='text-align: center; min-width: 200px; width: 200px; margin-top: 4px; margin-bottom: 8px;' name='password_repeat' id='password_confirm' autocomplete='off' placeholder=\"".$text['label-repeat_password']."\" onfocus='compare_passwords();' onkeyup='compare_passwords();' onblur='compare_passwords();'><br />\n";
echo "<input type='button' class='btn' style='width: 100px; margin-top: 15px;' value='".$text['button-save']."' onclick=\"if (check_password_strength(document.getElementById('password').value)) { submit_form(); }\">\n";
echo "<br><br><a class='login_link' onclick=\"document.location.href='login.php';\">".$text['label-cancel']."</a>";
echo "</form>";
echo "<script>\n";
echo " document.getElementById('username').focus();\n";
// convert password fields to text
echo " function submit_form() {\n";
echo " $('input:password').css('visibility','hidden');\n";
echo " $('input:password').attr({type:'text'});\n";
echo " $('form#frm').submit();\n";
echo " }\n";
echo "</script>\n";
echo "</span>";
}
//add the footer
$default_login = true;
include "resources/footer.php";