Merge branch 'ent-9592-Problema-de-seguridad-con-la-gestion-de-sesiones-Limited-Authentication-bypass-in-ajax-php' into 'develop'

fixed vulnerability Ref pandora_enterprise#9592 See merge request artica/pandorafms!5176
2022-10-20 12:10:59 +00:00 · 2022-10-20 12:10:59 +00:00 · a276eb4dba
parent 6657052308 f87737a093
commit a276eb4dba
6 changed files with 28 additions and 3 deletions
--- a/pandora_console/ajax.php
+++ b/pandora_console/ajax.php
@ -110,12 +110,13 @@ $auth_class = io_safe_output(
 $page = (string) get_parameter('page');
 $page = safe_url_extraclean($page);
 $page .= '.php';
+$page = realpath($page);
 $public_hash = get_parameter('auth_hash', false);
 $public_login = false;


 if (false === ((bool) get_parameter('doLogin', false) === true
-    && $page === 'include/rest-api/index.php')
+    && $page === realpath('include/rest-api/index.php'))
 ) {
    // Check user.
    if (class_exists($auth_class) === false || $public_hash === false) {
--- a/pandora_console/extras/delete_files/delete_files.txt
+++ b/pandora_console/extras/delete_files/delete_files.txt
@ -1666,3 +1666,4 @@ godmode/um_client/vendor/sebastian/object-enumerator
 godmode/um_client/vendor/sebastian
 godmode/um_client/vendor
 update_manager_client/resources/styles/pandora.css
+enterprise/meta/general/upload_head_image.php
--- a/pandora_console/extras/mr/58.sql
+++ b/pandora_console/extras/mr/58.sql
@ -1,5 +1,7 @@
 START TRANSACTION;

+ALTER TABLE `tusuario` ADD COLUMN `auth_token_secret` VARCHAR(45) DEFAULT NULL;
+
 ALTER TABLE `tmodule_inventory` ADD COLUMN `script_mode` INT NOT NULL DEFAULT 2;
 ALTER TABLE `tmodule_inventory` ADD COLUMN `script_path` VARCHAR(1000) DEFAULT '';

--- a/pandora_console/include/lib/User.php
+++ b/pandora_console/include/lib/User.php
@ -128,7 +128,7 @@ class User implements PublicLogin
    {
        $user = new self($data);

-        if ($user === null) {
+        if ($user->idUser === null) {
            return false;
        }

@ -188,6 +188,14 @@ class User implements PublicLogin
            $config['public_access'] = false;
        }

+        if (empty($other_secret) === true) {
+            $auth_token_secret = db_get_value('auth_token_secret', 'tusuario', 'id_user', $config['id_user']);
+
+            if (empty($auth_token_secret) === false) {
+                $other_secret = $auth_token_secret;
+            }
+        }
+
        // Build a hash to check.
        $hashCheck = self::generatePublicHash($other_secret);
        if ($hashCheck === $hash) {
--- a/pandora_console/include/rest-api/index.php
+++ b/pandora_console/include/rest-api/index.php
@ -66,7 +66,19 @@ if ($doLogin === true) {
        ]
    ) === true
    ) {
-        echo json_encode(['auth_hash' => User::generatePublicHash()]);
+        $newGeneratedSecret = bin2hex(openssl_random_pseudo_bytes(15));
+
+        $res_update = update_user(
+            $id_user,
+            ['auth_token_secret' => $newGeneratedSecret]
+        );
+
+        if ($res_update === false) {
+            http_response_code(404);
+            return;
+        }
+
+        echo json_encode(['auth_hash' => User::generatePublicHash($newGeneratedSecret)]);
    } else {
        db_pandora_audit(
            AUDIT_LOG_ACL_VIOLATION,
--- a/pandora_console/pandoradb.sql
+++ b/pandora_console/pandoradb.sql
@ -1309,6 +1309,7 @@ CREATE TABLE IF NOT EXISTS `tusuario` (
  `integria_user_level_pass` VARCHAR(45),
  `allowed_ip_active` TINYINT UNSIGNED DEFAULT 0,
  `allowed_ip_list` TEXT,
+  `auth_token_secret` VARCHAR(45) DEFAULT NULL,
  CONSTRAINT `fk_filter_id` FOREIGN KEY (`id_filter`) REFERENCES tevent_filter (`id_filter`) ON DELETE SET NULL,
  UNIQUE KEY `id_user` (`id_user`)
 ) ENGINE=InnoDB DEFAULT CHARSET=UTF8MB4;