SECURITY: Enforce redirect to login page

remocrevo · remocrevo · commit bbc25261c29d · 2016-05-05T08:50:02.000-04:00
Thanks to Ian Walls for reporting this issue. NOTE: This affects all modules, not just the Resources module. From his report: The ajax scripts (ajax_htmldata.php and ajax_processing.php) are not authenticated. Thus, as a malicious user on the open internet with only the domain name and path of a CORAL install, I can not only read usernames and passwords for database platforms (if added by the institution), but also delete resources from the database and run arbitrary code. Examples: * Read accounts: curl 'http://coraldemo.library.tamu.edu/resources/ajax_htmldata.php?action=getAccountDetails&resourceID=27' * Delete a resource: curl 'http://coraldemo.library.tamu.edu/resources/ajax_processing.php?action=deleteResource&resourceID=27' * Upload a malicious script: curl 'http://coraldemo.library.tamu.edu/resources/ajax_processing.php?action=uploadAttachment' -H 'Content-Type: multipart/form-data' -F 'myfile=@/home/user/Desktop/myevilscript.php' This commit simply causes the script to exit after attempting to forward to the login page, to prevent any further data from being sent to disobedient browsers (such as curl). A patch file is also included. Signed-off-by: Remington Steed <rjs7@calvin.edu>
diff --git a/install/SECURITY-Enforce-redirect-to-login-page.patch b/install/SECURITY-Enforce-redirect-to-login-page.patch
@@ -0,0 +1,21 @@
+diff --git a/user.php b/user.php
+index ef68901..1fe9e83 100755
+--- a/user.php
++++ b/user.php
+@@ -57,6 +57,8 @@ if ($config->settings->authModule == 'Y'){
+ 		$authURL = $util->getCORALURL() . "auth/" . $addURL . htmlentities($_SERVER['REQUEST_URI']);
+ 		header('Location: ' . $authURL, true);
+ 
++		exit; //PREVENT SECURITY HOLE
++
+ 	}
+ 
+ 
+@@ -110,6 +112,7 @@ if ($loginID){
+ 	//if the user doesn't exist in database we need to redirect them to a page to give instructions on how to be added
+ 	if ($user->privilegeID == ""){
+ 		header('Location: not_avail.php');
++		exit; //PREVENT SECURITY HOLE
+ 	}
+ }
+ 
diff --git a/user.php b/user.php
@@ -57,6 +57,8 @@
 		$authURL = $util->getCORALURL() . "auth/" . $addURL . htmlentities($_SERVER['REQUEST_URI']);
 		header('Location: ' . $authURL, true);
 
+		exit; //PREVENT SECURITY HOLE
+
 	}
 
 
@@ -110,6 +112,7 @@
 	//if the user doesn't exist in database we need to redirect them to a page to give instructions on how to be added
 	if ($user->privilegeID == ""){
 		header('Location: not_avail.php');
+		exit; //PREVENT SECURITY HOLE
 	}
 }
 

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,8 @@`
`57`	`57`	`$authURL = $util->getCORALURL() . "auth/" . $addURL . htmlentities($_SERVER['REQUEST_URI']);`
`58`	`58`	`header('Location: ' . $authURL, true);`
`59`	`59`
	`60`	`+ exit; //PREVENT SECURITY HOLE`
	`61`	`+`
`60`	`62`	`}`
`61`	`63`
`62`	`64`
`@@ -110,6 +112,7 @@`
`110`	`112`	`//if the user doesn't exist in database we need to redirect them to a page to give instructions on how to be added`
`111`	`113`	`if ($user->privilegeID == ""){`
`112`	`114`	`header('Location: not_avail.php');`
	`115`	`+ exit; //PREVENT SECURITY HOLE`
`113`	`116`	`}`
`114`	`117`	`}`
`115`	`118`