From c5d197e221b3e7d47fadadbea2e0f46949857371 Mon Sep 17 00:00:00 2001
From: Oscar Poels
Date: Mon, 11 Jan 2021 14:05:42 +0100
Subject: [PATCH 1/8] complexify session_id to prevent brut force #82
---
 appliance/updates/5.3.11.sql | 1 +
 login.php | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
 create mode 100644 appliance/updates/5.3.11.sql
diff --git a/appliance/updates/5.3.11.sql b/appliance/updates/5.3.11.sql
new file mode 100644
index 00000000..43cd27d5
--- /dev/null
+++ b/appliance/updates/5.3.11.sql
@@ -0,0 +1 @@
+ALTER TABLE sessions modify session_id char(25);
\ No newline at end of file
diff --git a/login.php b/login.php
index f79065b7..af12e9ae 100644
--- a/login.php
+++ b/login.php
@@ -259,7 +259,7 @@ function display_login(){
 $usrlimit = $usersql[0]["user_limitation"];
 // Create session ID
- $sessid=rand();
+ $sessid=$key = substr(strtolower(md5(microtime().rand(1000, 9999))), 0, 25);
 sql($database_eonweb,"INSERT INTO sessions (session_id,user_id) VALUES (?,?)", array($sessid, $usrid));
 // Send cookie
From 1a86c58fc5503a6f3707c6a68b6ed27b20d5cd2d Mon Sep 17 00:00:00 2001
From: Oscar Poels
Date: Wed, 13 Jan 2021 16:19:00 +0100
Subject: [PATCH 2/8] modify database to bring new session_id
---
 appliance/eonweb.spec | 5 +++++
 login.php | 2 +-
 2 files changed, 6 insertions(+), 1 deletion(-)
diff --git a/appliance/eonweb.spec b/appliance/eonweb.spec
index 84d227c9..fea55ee7 100644
--- a/appliance/eonweb.spec
+++ b/appliance/eonweb.spec
@@ -62,6 +62,8 @@ case "$1" in
 systemctl restart httpd
 # Update EON 5.3.8
 /usr/bin/chown apache:apache /srv/eyesofnetwork/eonweb/module/admin_itsm/uploaded_file
+ # Update EON 5.3.11
+ /usr/bin/mysql -u root --password=root66 eonweb < %{eonconfdir}/updates/5.3.11.sql 2>/dev/null
 ;;
 esac
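Review bot: The `+ $sessid=$key = substr(strtolower(md5(microtime().rand(1000, 9999))), 0, 25);` line builds the session identifier from `microtime()` and `rand()`, neither of which is a cryptographic source, so the md5 truncation yields a long-looking token whose real search space is bounded by the login timestamp and a four-digit number. Generate the token from the CSPRNG instead, `$sessid = bin2hex(random_bytes(16));` (PHP >= 7.0; `openssl_random_pseudo_bytes(16)` on older builds), and widen the `char(25)` column added in 5.3.11.sql to hold the 32 characters. The chained `$key =` assignment is read by nothing in the hunk and should be dropped. display_login() begins and ends outside the hunk, so how the value reaches the cookie sent below cannot be checked here.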
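Review bot: The added `/usr/bin/mysql -u root --password=root66 ...` line passes the database root password on the command line, where any local user can read it through `ps` while the scriptlet runs, and it is stored in clear text in the package's `%post` script (`rpm -q --scripts`). The `2>/dev/null` also discards a failed ALTER, which would leave `session_id` as `int(11)` while login.php now inserts a hex string, so a broken upgrade would stop logins silently. Prefer a root-only option file and keep the failure visible, `/usr/bin/mysql --defaults-extra-file=/path/to/root-only.cnf eonweb < %{eonconfdir}/updates/5.3.11.sql || echo "eonweb 5.3.11 schema update failed" >&2`. The enclosing `case` statement starts and ends outside the hunk, and whether earlier update lines already use the same inline password cannot be seen from here.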
@@ -77,6 +79,9 @@ rm -rf %{buildroot}
 %config(noreplace) %{_sysconfdir}/httpd/conf.d/%{name}.conf
 %changelog
+* Mon Jan 11 2021 Oscar POELS - 5.3-11.eon
+- fix security issue with sessions_id by renforcing generation to prevent force brut
+
 * Tue Dec 08 2020 Sebastien DAVOULT - 5.3-10.eon
 - fix issue when we trying to rename rules in Advance Notifier #81
 - fix gathering SQL Response in Advance Notifier #80
diff --git a/login.php b/login.php
index af12e9ae..f79065b7 100644
--- a/login.php
+++ b/login.php
@@ -259,7 +259,7 @@ function display_login(){
 $usrlimit = $usersql[0]["user_limitation"];
 // Create session ID
- $sessid=$key = substr(strtolower(md5(microtime().rand(1000, 9999))), 0, 25);
+ $sessid=rand();
 sql($database_eonweb,"INSERT INTO sessions (session_id,user_id) VALUES (?,?)", array($sessid, $usrid));
 // Send cookie
From 08349ca937c2ae6bd94681a3a30cf1bd51dc6403 Mon Sep 17 00:00:00 2001
From: Oscar Poels
Date: Wed, 13 Jan 2021 16:29:03 +0100
Subject: [PATCH 3/8] fix complexify session_id
---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/login.php b/login.php
index f79065b7..ab328484 100644
--- a/login.php
+++ b/login.php
@@ -259,7 +259,7 @@ function display_login(){
 $usrlimit = $usersql[0]["user_limitation"];
 // Create session ID
- $sessid=rand();
+ $sessid= substr(strtolower(md5(microtime().rand(1000, 9999))), 0, 25);
 sql($database_eonweb,"INSERT INTO sessions (session_id,user_id) VALUES (?,?)", array($sessid, $usrid));
 // Send cookie
From eba48a26cfa2af4b7964c5be818bdabd9433ea36 Mon Sep 17 00:00:00 2001
From: Julien1498 <53144809+Julien1498@users.noreply.github.com>
Date: Tue, 23 Feb 2021 13:43:03 +0100
Subject: [PATCH 4/8] :bug: Fix complexity of session_id
---
 login.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/login.php b/login.php
index ab328484..71b35d11 100644
--- a/login.php
+++ b/login.php
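Review bot: The `+ $sessid= substr(strtolower(md5(microtime().rand(1000, 9999))), 0, 25);` line keeps the weakness of the patch 1 version that patch 2 reverted: the only unknown inputs are the microsecond timestamp of the login, which an attacker who can observe or trigger the login knows to within a small window, and a `rand()` value with 9000 possibilities (about 13 bits), so the 25 hex characters of output carry nothing close to their apparent 100 bits. `strtolower()` on md5 output is also a no-op, since md5 already returns lowercase hex. Replace the construction with the CSPRNG, `$sessid = bin2hex(random_bytes(16));` (`openssl_random_pseudo_bytes(16)` if the target PHP predates 7.0), and size `sessions.session_id` for 32 characters. The cookie that carries this value is sent below the hunk and cannot be reviewed here; display_login() starts and ends outside the hunk.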
@@ -259,7 +259,7 @@ function display_login(){
 $usrlimit = $usersql[0]["user_limitation"];
 // Create session ID
- $sessid= substr(strtolower(md5(microtime().rand(1000, 9999))), 0, 25);
+ $sessid = session_id();
 sql($database_eonweb,"INSERT INTO sessions (session_id,user_id) VALUES (?,?)", array($sessid, $usrid));
 // Send cookie
From 526dc5d697546d9b93b9f54b8eb7194d926b0171 Mon Sep 17 00:00:00 2001
From: Julien1498 <53144809+Julien1498@users.noreply.github.com>
Date: Tue, 23 Feb 2021 13:43:06 +0100
Subject: [PATCH 5/8] Edit database to bring new session_id
---
 appliance/updates/5.3.11.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/appliance/updates/5.3.11.sql b/appliance/updates/5.3.11.sql
index 43cd27d5..7a3666c9 100644
--- a/appliance/updates/5.3.11.sql
+++ b/appliance/updates/5.3.11.sql
@@ -1 +1 @@
-ALTER TABLE sessions modify session_id char(25);
\ No newline at end of file
+ALTER TABLE sessions modify session_id char(30);
From bc4dd2bd0789b4bdeb39936d1be2949fb99ad0f1 Mon Sep 17 00:00:00 2001
From: Julien1498 <53144809+Julien1498@users.noreply.github.com>
Date: Tue, 23 Feb 2021 13:48:03 +0100
Subject: [PATCH 6/8] :lock: Check if the file extension is correct #87
---
 module/admin_itsm/function_itsm.php | 21 ++++++++++++---------
 1 file changed, 12 insertions(+), 9 deletions(-)
diff --git a/module/admin_itsm/function_itsm.php b/module/admin_itsm/function_itsm.php
index cf883e7a..ce427046 100644
--- a/module/admin_itsm/function_itsm.php
+++ b/module/admin_itsm/function_itsm.php
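Review bot: `+ $sessid = session_id();` makes the server-side session row depend on whatever PHP session is already active: if `session_start()` has not run by this point the call returns `''` and every login inserts the same primary key, and if the session was started before authentication, an identifier an attacker planted in the victim's session cookie becomes the key stored for the authenticated user (session fixation). Regenerate the identifier at the moment of login before copying it, `session_regenerate_id(true);` followed by `$sessid = session_id();`, or keep the application session independent of PHP's and generate the row key with `bin2hex(random_bytes(16))`. Whether a PHP session is started earlier in login.php cannot be seen from the hunk; display_login() begins and ends outside it.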
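Review bot: `+ALTER TABLE sessions modify session_id char(30);` is narrower than the identifier patch 4 now stores: PHP's `session.sid_length` defaults to 32 characters since 7.1 (26 on older releases) and may be configured up to 256, so a 32-character `session_id()` is either truncated in non-strict SQL mode, after which the lookup with the full cookie value never matches, or rejected in strict mode. Size the column for the configured maximum, `ALTER TABLE sessions modify session_id varchar(255) NOT NULL;`, and apply the same width to the `CREATE TABLE` in appliance/eonweb.sql so fresh installs and upgrades agree.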
@@ -26,18 +26,21 @@
 * @return boolean
 */
 function upload_file($url, $file, $dir="uploaded_file"){
+ $path_part = pathinfo($file["name"]);
 if(preg_match('#[\x00-\x1F\x7F-\x9F/\\\\]#', basename($file["name"]))){
 return false;
 }else{
- $path_file = __DIR__."/".$dir."/".basename($file["name"]);
- if(file_exists($path_file)){
- unlink($path_file);
- }
+ if($path_part['extension'] == "json" || $path_part['extension'] == "xml"){
+ $path_file = __DIR__."/".$dir."/".basename($file["name"]);
+ if(file_exists($path_file)){
+ unlink($path_file);
+ }
- $path_file = __DIR__."/".$dir."/".basename($file["name"]);
-
- if(move_uploaded_file($file["tmp_name"], $path_file)){
- return true;
+ $path_file = __DIR__."/".$dir."/".basename($file["name"]);
+
+ if(move_uploaded_file($file["tmp_name"], $path_file)){
+ return true;
+ }
 }
 return false;
 }
@@ -199,4 +202,4 @@ function get_all_events(){
-?>
\ No newline at end of file
+?>
From 6d1be13ba36fedfc8cdcbe9c30e99d4e0ca7db1b Mon Sep 17 00:00:00 2001
From: Julien1498 <53144809+Julien1498@users.noreply.github.com>
Date: Fri, 12 Mar 2021 17:09:48 +0100
Subject: [PATCH 7/8] =?UTF-8?q?=F0=9F=94=92=20Fix=20database=20session=5Fi?=
 =?UTF-8?q?d=20#87?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 appliance/eonweb.sql | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/appliance/eonweb.sql b/appliance/eonweb.sql
index 50b28808..d698b77e 100644
--- a/appliance/eonweb.sql
+++ b/appliance/eonweb.sql
@@ -226,14 +226,15 @@ LOCK TABLES `logs` WRITE;
 UNLOCK TABLES;
 --
--- Table structure for table `sessions`
+-- Table structure for table `
+`
 --
 DROP TABLE IF EXISTS `sessions`;
 /*!40101 SET @saved_cs_client = @@character_set_client */;
 /*!40101 SET character_set_client = utf8 */;
 CREATE TABLE `sessions` (
- `session_id` int(11) NOT NULL,
+ `session_id` char(30) NOT NULL,
 `user_id` int(11) NOT NULL,
 PRIMARY KEY (`session_id`)
 ) ENGINE=MyISAM DEFAULT CHARSET=latin1;
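Review bot: The `+ if($path_part['extension'] == "json" || $path_part['extension'] == "xml"){` check inspects only the last extension of the client-supplied name and then stores the file under that name inside the web root, so `shell.php.json` passes and whether the inner `.php` is ever executed depends on the Apache handler configuration in eonweb.conf, which is not visible here; nothing validates that the content is JSON or XML either, and a name with no extension raises an undefined-index notice. Normalise and whitelist strictly, `$ext = isset($path_part['extension']) ? strtolower($path_part['extension']) : '';` then `if(in_array($ext, array('json', 'xml'), true)){`, and store under a server-generated name (e.g. `bin2hex(openssl_random_pseudo_bytes(8)).'.'.$ext`) or make sure script execution is disabled for `uploaded_file`. `$dir` is joined into the target path unchecked; if any caller passes user input there, the `basename()` applied to the file name does not cover it. The hunk shows upload_file() in full, but its callers are outside SOURCE.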
From 58290af6f360dbe0335fd21060112aab68286f72 Mon Sep 17 00:00:00 2001
From: Julien1498 <53144809+Julien1498@users.noreply.github.com>
Date: Fri, 12 Mar 2021 17:15:45 +0100
Subject: [PATCH 8/8] =?UTF-8?q?=F0=9F=92=A1=20Fix=20comment?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 appliance/eonweb.sql | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/appliance/eonweb.sql b/appliance/eonweb.sql
index d698b77e..8d5ecaa1 100644
--- a/appliance/eonweb.sql
+++ b/appliance/eonweb.sql
@@ -226,8 +226,7 @@ LOCK TABLES `logs` WRITE;
 UNLOCK TABLES;
 --
--- Table structure for table `
-`
+-- Table structure for table `sessions`
 --
 DROP TABLE IF EXISTS `sessions`;