From 28ae0b9ef419086f36f1d88deb503f26d1c05bfc Mon Sep 17 00:00:00 2001
From: Andre Lorbach
Date: Thu, 22 Apr 2021 09:39:59 +0200
Subject: [PATCH] login: Fix XSS issue if "Debug Userlogin" is enabled.

The username field was vulnerable against XSS attacks. However this only affected POST data, so creating a URL with Querystring for a XSS attack would not work.
---
 ChangeLog | 6 ++++++
 src/include/functions_users.php | 2 +-
 src/login.php | 24 +++++++++---------------
 3 files changed, 16 insertions(+), 16 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index c633d5e..f967de0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,4 +1,10 @@
 ---------------------------------------------------------------------------
+Version 4.1.12 (stable), 2021-04-29
+---------------------------------------------------------------------------
+- Secured username field against XSS attacks, thanks for reporting to:
+ Michael Strametz of SySS Cyber Security GmbH (Austria).
+- UserDB: Allow NULL value for defaultfilter fields, updated to v13
+---------------------------------------------------------------------------
 Version 4.1.11 (stable), 2020-07-09
 - ThirdParty: Updated jpgraph to 4.3.1 (2020-04-24)
 - Thanks to Javier Pastor for the following fixes and changes:
diff --git a/src/include/functions_users.php b/src/include/functions_users.php
index 216947d..b84cabe 100644
--- a/src/include/functions_users.php
+++ b/src/include/functions_users.php
@@ -283,7 +283,7 @@ function CheckUserLogin( $username, $password )
 }
 */
 if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
- DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . $username . "'

Sessionarray
" . var_export($_SESSION, true) . "
");
+ DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . htmlspecialchars($username) . "'

Sessionarray
" . var_export($_SESSION, true) . "
");
 // Default return false
 return false;
diff --git a/src/login.php b/src/login.php
index acbbe31..6475040 100644
--- a/src/login.php
+++ b/src/login.php
@@ -65,8 +65,7 @@ else
 $szRedir = "index.php"; // Default
 $szRedir = SecureRedirect($szRedir);
-if ( isset($_POST['op']) && $_POST['op'] == "login" )
-{
+if ( isset($_POST['op']) && $_POST['op'] == "login" ) {
 // Perform login!
 if ( $_POST['op'] == "login" )
 {
@@ -74,29 +73,24 @@ if ( isset($_POST['op']) && $_POST['op'] == "login" )
 (isset($_POST['uname']) && strlen($_POST['uname']) > 0) &&
 (isset($_POST['pass']) && strlen($_POST['pass']) > 0)
- )
- {
- // Set Username and password
- $content['uname'] = DB_RemoveBadChars($_POST['uname']);
- $content['pass'] = $_POST['pass']; // RAW Copy of password string, otherwise passwords with special characters can be broken.
+ ) {
+ // Copy Username and password for template system
+ $content['uname'] = htmlspecialchars(DB_RemoveBadChars($_POST['uname'])); // URL Decode the username to avoid XSS issues!
+ $content['pass'] = htmlspecialchars($_POST['pass']); // RAW Copy of password string, otherwise passwords with special characters can be broken.
- if ( !CheckUserLogin( $content['uname'], $content['pass']) )
- {
+ // Use raw properties for database login check
+ if ( !CheckUserLogin( DB_RemoveBadChars($_POST['uname']), $_POST['pass']) ) {
 $content['ISERROR'] = "true";
 $content['ERROR_MSG'] = $content['LN_LOGIN_ERRWRONGPASSWORD'];
 }
 else
 RedirectPage( urldecode($szRedir) );
- }
- else
- {
+ } else {
 $content['ISERROR'] = "true";
 $content['ERROR_MSG'] = $content['LN_LOGIN_USERPASSMISSING'];
 }
 }
-}
-else if ( isset($_GET['op']) && $_GET['op'] == "logoff" )
-{
+} else if ( isset($_GET['op']) && $_GET['op'] == "logoff" ) {
 // logoff in this case
 DoLogOff();
 }
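Review bot: The session dump appended to the same message, `var_export($_SESSION, true)`, is still written into the error page unescaped, so the fix covers only the username half of the string; if any request-derived value is ever stored in the session (not visible from this hunk), the same injection remains through that path. The new `htmlspecialchars($username)` call also relies on the default flags, which on PHP before 8.1 leave single quotes unencoded and, without `ENT_SUBSTITUTE`, return an empty string for invalid UTF-8, silently hiding the offending username from the debug output. I would make the encoding explicit on both fragments: `htmlspecialchars($username, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')` and `htmlspecialchars(var_export($_SESSION, true), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Because this branch prints the whole session to an unauthenticated client, a comment such as `// Debug only: dumps the full session to the browser; never enable DebugUserLogin in production` above the `if` would document the exposure. CheckUserLogin starts before this hunk and the rest of its body is outside it.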
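Review bot: The comments on the two new `$content[...]` assignments now contradict the code: the `uname` line says "URL Decode" while the call HTML-encodes, and the `pass` line still says "RAW Copy" although the value is now passed through `htmlspecialchars()`, which will mislead the next reader about what the template actually receives. Both calls also use the default flags, so on PHP before 8.1 a `'` in the username is left unencoded; whether that matters depends on how the login template embeds `$content['uname']`, which is not in this diff, but passing `ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'` removes the dependency on that detail. `DB_RemoveBadChars($_POST['uname'])` is now evaluated twice, once for display and once for the `CheckUserLogin` call; computing it once keeps the displayed and checked usernames from diverging if that helper is ever changed. Separately, copying the submitted password into `$content` at all looks unnecessary for rendering a failed-login page and is worth reconsidering, though that predates this change. The enclosing login branch continues past the end of the hunk.
```php
// Sanitise once; the same value is shown in the template and used for the login check
$szUser = DB_RemoveBadChars($_POST['uname']);
$content['uname'] = htmlspecialchars($szUser, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // HTML-encoded for the template system
$content['pass'] = htmlspecialchars($_POST['pass'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'); // HTML-encoded copy for the template; the login check below uses the raw value
// Use raw properties for database login check
if ( !CheckUserLogin( $szUser, $_POST['pass']) ) {
// … unchanged: error flag / redirect handling …
```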