From 7de653db58273835901f53b73e0bec1c5ff21f8a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maty=C3=A1=C5=A1=20Koc?= Date: Mon, 17 Jul 2017 14:22:58 +0200 Subject: [PATCH 1/7] Added CSRF check to admin login --- login.php | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/login.php b/login.php index 42acda0c..63cb29b7 100644 --- a/login.php +++ b/login.php @@ -23,10 +23,11 @@ * * fUsername * fPassword + * token * lang */ -define('POSTFIXADMIN_LOGOUT', 1); +//define('POSTFIXADMIN_LOGOUT', 1); require_once('common.php'); if($CONF['configured'] !== true) { @@ -38,6 +39,9 @@ check_db_version(); # check if the database layout is up to date (and error out if ($_SERVER['REQUEST_METHOD'] == "POST") { + + if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!'); + $lang = safepost('lang'); $fUsername = trim(safepost('fUsername')); $fPassword = safepost('fPassword'); @@ -82,6 +86,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") } } +$_SESSION['PFA_token'] = md5(uniqid(rand(), true)); + $smarty->assign ('language_selector', language_selector(), false); $smarty->assign ('smarty_template', 'login'); $smarty->assign ('logintype', 'admin'); From 019209ababc4ff002a06264bccfd1f3c77f8a7ac Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maty=C3=A1=C5=A1=20Koc?= Date: Mon, 17 Jul 2017 14:26:54 +0200 Subject: [PATCH 2/7] Added CSRF check to user login --- users/login.php | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/users/login.php b/users/login.php index 41fbd214..2e4fecac 100644 --- a/users/login.php +++ b/users/login.php 
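Review bot: The check `if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!');` lets a request through when the session holds no token yet: on a first POST, or after the session expired, `$_SESSION['PFA_token']` is unset (a notice, not an error), and a loose `!=` between an absent or empty submitted token and null is false, so the form is processed unchecked — exactly the login-CSRF case the token is meant to stop. Require the session value and compare strictly, e.g. `if (empty($_SESSION['PFA_token']) || !hash_equals($_SESSION['PFA_token'], (string) safepost('token'))) die('Invalid token!');` — hash_equals also makes the comparison constant-time. This assumes common.php has already started the session at this point and that safepost() returns a string for a missing field; both are outside the hunk. The identical line is added to users/login.php in PATCH 2/7, and the enclosing `if ($_SERVER['REQUEST_METHOD'] == "POST")` block continues past the hunk.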
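Review bot: `$_SESSION['PFA_token'] = md5(uniqid(rand(), true));` derives the CSRF token from `rand()` and `uniqid()`, neither of which is a cryptographic randomness source, and md5 does not add any; use `bin2hex(random_bytes(16))` on PHP 7, or `bin2hex(openssl_random_pseudo_bytes(16))` on older runtimes. The token is also reissued on every render of the login page, so a second open login tab silently invalidates the first one's form; wrapping the assignment in `if (empty($_SESSION['PFA_token']))` keeps one token per session and still works with the check above. users/login.php receives the same line in PATCH 2/7.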
@@ -27,13 +27,16 @@ */ $rel_path = '../'; -define('POSTFIXADMIN_LOGOUT', 1); +//define('POSTFIXADMIN_LOGOUT', 1); require_once("../common.php"); check_db_version(); # check if the database layout is up to date (and error out if not) if ($_SERVER['REQUEST_METHOD'] == "POST") { + + if (safepost('token') != $_SESSION['PFA_token']) die('Invalid token!'); + $lang = safepost('lang'); $fUsername = trim(safepost('fUsername')); $fPassword = safepost('fPassword'); @@ -59,6 +62,8 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") } } +$_SESSION['PFA_token'] = md5(uniqid(rand(), true)); + $smarty->assign ('language_selector', language_selector(), false); $smarty->assign ('smarty_template', 'login'); $smarty->assign ('logintype', 'user'); From 3486a5c593a050862a1a55daec2f0cdabf430b04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maty=C3=A1=C5=A1=20Koc?= Date: Mon, 17 Jul 2017 14:27:32 +0200 Subject: [PATCH 3/7] Updated comment-documentation --- users/login.php | 1 + 1 file changed, 1 insertion(+) diff --git a/users/login.php b/users/login.php index 2e4fecac..054584fc 100644 --- a/users/login.php +++ b/users/login.php @@ -23,6 +23,7 @@ * * fUsername * fPassword + * token * lang */ From e90348469252dcf5708db91b69f12fa63e978a9d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maty=C3=A1=C5=A1=20Koc?= Date: Mon, 17 Jul 2017 14:35:34 +0200 Subject: [PATCH 4/7] Links with target="_blank" should have rel="noopener" --- templates/footer.tpl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/templates/footer.tpl b/templates/footer.tpl index 56a84ca1..00693814 100644 --- a/templates/footer.tpl +++ b/templates/footer.tpl @@ -1,8 +1,8 @@ From 74c29f8a109408e9660587eb0481b8c6dafecde9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maty=C3=A1=C5=A1=20Koc?= Date: Sun, 3 Sep 2017 14:51:59 +0200 Subject: [PATCH 5/7] Handle logout in a new way (admin login) --- login.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/login.php b/login.php index 63cb29b7..841c0707 100644 
--- a/login.php +++ b/login.php @@ -27,7 +27,6 @@ * lang */ -//define('POSTFIXADMIN_LOGOUT', 1); require_once('common.php'); if($CONF['configured'] !== true) { @@ -53,7 +52,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") $h = new AdminHandler; if ( $h->login($fUsername, $fPassword) ) { - session_regenerate_id(); + session_regenerate_id(true); $_SESSION['sessid'] = array(); $_SESSION['sessid']['roles'] = array(); $_SESSION['sessid']['roles'][] = 'admin'; From 9f30aa5ff4d8bd5e182e71eb04b8e4f927ea8377 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maty=C3=A1=C5=A1=20Koc?= Date: Sun, 3 Sep 2017 14:52:52 +0200 Subject: [PATCH 6/7] Handle logout in a new way (user login) --- users/login.php | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/users/login.php b/users/login.php index 054584fc..700623af 100644 --- a/users/login.php +++ b/users/login.php @@ -28,7 +28,6 @@ */ $rel_path = '../'; -//define('POSTFIXADMIN_LOGOUT', 1); require_once("../common.php"); check_db_version(); # check if the database layout is up to date (and error out if not) @@ -49,7 +48,7 @@ if ($_SERVER['REQUEST_METHOD'] == "POST") $h = new MailboxHandler(); if($h->login($fUsername, $fPassword)) { - session_regenerate_id(); + session_regenerate_id(true); $_SESSION['sessid'] = array(); $_SESSION['sessid']['roles'] = array(); $_SESSION['sessid']['roles'][] = 'user'; From 3c95ec4a0913e94cdb5d9f7ee72dfd2f07dc8808 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Maty=C3=A1=C5=A1=20Koc?= Date: Sun, 3 Sep 2017 14:55:50 +0200 Subject: [PATCH 7/7] Add CSRF token --- templates/login.tpl | 1 + 1 file changed, 1 insertion(+) diff --git a/templates/login.tpl b/templates/login.tpl index 333b3693..9ae5f04d 100644 --- a/templates/login.tpl +++ b/templates/login.tpl @@ -1,5 +1,6 @@
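Review bot: `session_regenerate_id(true)` discards the old session storage but carries its data over to the new id, and the following lines only reset `$_SESSION['sessid']`; every other key written before authentication (the `PFA_token` set on the login page, anything common.php may store) survives into the admin session. If that carry-over is not intended, clear the array right after the call, `$_SESSION = array();`, before repopulating `sessid` and `roles`. The `if ( $h->login($fUsername, $fPassword) )` block continues outside the hunk, and the same pattern appears in users/login.php in PATCH 6/7.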
+