Merge pull request #60 from Vilican/master

Security fixes

login.php

@@ -23,10 +23,10 @@
  *
  *  fUsername
  *  fPassword
+ *  token
  *  lang
  */
 
-define('POSTFIXADMIN_LOGOUT', 1);
 require_once('common.php');
 
 if($CONF['configured'] !== true) {
@@ -38,6 +38,9 @@ check_db_version(); # check if the database layout is up to date (and error out
 
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
+
+    if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
     $lang = safepost('lang');
     $fUsername = trim(safepost('fUsername'));
     $fPassword = safepost('fPassword');
@@ -49,7 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
 
     $h = new AdminHandler;
     if ( $h->login($fUsername, $fPassword) ) {
-        session_regenerate_id();
+        session_regenerate_id(true);
         $_SESSION['sessid'] = array();
         $_SESSION['sessid']['roles'] = array();
         $_SESSION['sessid']['roles'][] = 'admin';
@@ -82,6 +85,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
     }
 }
 
+$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
+
 $smarty->assign ('language_selector', language_selector(), false);
 $smarty->assign ('smarty_template', 'login');
 $smarty->assign ('logintype', 'admin');

templates/footer.tpl

@@ -1,8 +1,8 @@
 <!-- {$smarty.template} -->
 <div id="footer">
-	<a target="_blank" href="http://postfixadmin.sf.net/">Postfix Admin {$version}</a>
+	<a target="_blank" rel="noopener" href="http://postfixadmin.sf.net/">Postfix Admin {$version}</a>
 	<span id="update-check">&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;
-	<a target="_blank" href="http://postfixadmin.sf.net/update-check.php?version={$version|escape:"url"}">{$PALANG.check_update}</a></span>
+	<a target="_blank" rel="noopener" href="http://postfixadmin.sf.net/update-check.php?version={$version|escape:"url"}">{$PALANG.check_update}</a></span>
     {if isset($smarty.session.sessid)}
         {if $smarty.session.sessid.username}
             &nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;	
@@ -11,7 +11,7 @@
     {/if}
 	{if $CONF.show_footer_text == 'YES' && $CONF.footer_link}
 		&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;
-		<a href="{$CONF.footer_link}">{$CONF.footer_text}</a>
+		<a href="{$CONF.footer_link}" rel="noopener">{$CONF.footer_text}</a>
 	{/if}
 </div>
 </div>

templates/login.tpl

@@ -1,5 +1,6 @@
 <div id="login">
 <form name="frmLogin" method="post" action="">
+<input class="flat" type="hidden" name="token" value="{$smarty.session.PFA_token|escape:"url"}" />
 <table id="login_table" cellspacing="10">
 	<tr>
 		<th colspan="2">

users/login.php

@@ -23,17 +23,20 @@
  *
  *  fUsername
  *  fPassword
+ *  token
  *  lang
  */
 
 $rel_path = '../';
-define('POSTFIXADMIN_LOGOUT', 1);
 require_once("../common.php");
 
 check_db_version(); # check if the database layout is up to date (and error out if not)
 
 if ($_SERVER['REQUEST_METHOD'] == "POST")
 {
+
+   if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');
+
    $lang = safepost('lang');
    $fUsername = trim(safepost('fUsername'));
    $fPassword = safepost('fPassword');
@@ -45,7 +48,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
 
    $h = new MailboxHandler();
    if($h->login($fUsername, $fPassword)) {
-      session_regenerate_id();
+      session_regenerate_id(true);
       $_SESSION['sessid'] = array();
       $_SESSION['sessid']['roles'] = array();
       $_SESSION['sessid']['roles'][] = 'user';
@@ -59,6 +62,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST")
    }
 }
 
+$_SESSION['PFA_token'] = md5(uniqid(rand(), true));
+
 $smarty->assign ('language_selector', language_selector(), false);
 $smarty->assign ('smarty_template', 'login');
 $smarty->assign ('logintype', 'user');