Critical security issue - fix password hash

core/header.php

@@ -25,9 +25,9 @@
 }
 include 'includes.inc.php';
 
-if(empty($user)){
-    $actualLink = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
-    header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLink));
+if(empty($user) || empty($user->email)){
+    $actualLinkArray = explode('/',$_SERVER['REQUEST_URI']);
+    header("Location:".CLIENT_BASE_URL."login.php?next=".\Base64Url\Base64Url::encode($actualLinkArray[count($actualLinkArray) - 1]));
     exit();
 }
 

core/login.php

@@ -9,8 +9,8 @@
     $_COOKIE['icehrmLF'] = '';
     $user = null;
 }
-
-if (empty($user)) {
+$hashedPwd = null;
+if (empty($user) || empty($user->email)) {
 	if (!isset($_REQUEST['f']) && isset($_COOKIE['icehrmLF'])
 		&& $_REQUEST['login'] != 'no' && !isset($_REQUEST['username'])) {
 		$tempUser = new \Users\Common\Model\User();
@@ -20,8 +20,9 @@
 			sha1($tempUser->email."_".$tempUser->password) == $_COOKIE['icehrmLF']) {
 			$_REQUEST['username'] = $tempUser->username;
 			$_REQUEST['password'] = $tempUser->password;
-			$_REQUEST['hashedPwd'] = $tempUser->password;
+			$hashedPwd = $tempUser->password;
 			$_REQUEST['remember'] = true;
+            $cookieLogin = true;
 		}
 	}
 
@@ -47,22 +48,33 @@
 			}
 		}
 
-		if (!isset($_REQUEST['hashedPwd'])) {
-			$_REQUEST['hashedPwd'] = md5($_REQUEST['password']);
+		if (!isset($hashedPwd)) {
+			$hashedPwd = md5($_REQUEST['password']);
 		}
 
-
-		include 'login.com.inc.php';
-
 		if (empty($suser)) {
 			$suser = new \Users\Common\Model\User();
 			$suser->Load(
 				"(username = ? or email = ?) and password = ?",
-				array($_REQUEST['username'],$_REQUEST['username'],$_REQUEST['hashedPwd'])
+				array($_REQUEST['username'], $_REQUEST['username'], $hashedPwd)
 			);
 		}
 
-		if ($suser->password == $_REQUEST['hashedPwd'] || $ssoUserLoaded) {
+		if (empty($suser->username) || empty($suser->email)) {
+            $next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
+            header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
+            exit();
+        }
+
+        $loginCsrf = \Utils\SessionUtils::getSessionObject('csrf-login');
+
+        if (!$cookieLogin && ($_REQUEST['csrf'] != $loginCsrf || empty($_REQUEST['csrf']))) {
+            $next = !empty($_REQUEST['next'])?'&next='.$_REQUEST['next']:'';
+            header("Location:".CLIENT_BASE_URL."login.php?f=1".$next);
+            exit();
+        }
+
+		if ($suser->password === $hashedPwd || $ssoUserLoaded) {
 			$user = $suser;
 			\Utils\SessionUtils::saveSessionObject('user', $user);
 			$suser->last_login = date("Y-m-d H:i:s");
@@ -88,7 +100,7 @@
 			}
 
 			if (!empty($_REQUEST['next']) && !empty(($loginRedirect = \Base64Url\Base64Url::decode($_REQUEST['next'])))) {
-			    header("Location:" . $loginRedirect);
+			    header("Location:" . CLIENT_BASE_URL.$loginRedirect);
 			    exit();
             } else {
 				if ($user->user_level == "Admin") {
@@ -340,6 +352,7 @@ function submitLogin(){
 				<?php if (!isset($_REQUEST['cp'])) {?>
 					<form id="loginForm" action="login.php" method="POST">
                         <input type="hidden" id="next" name="next" value="<?=$_REQUEST['next']?>"/>
+                        <input type="hidden" id="csrf" name="csrf" value="<?=$csrfToken?>"/>
 						<fieldset>
 							<div class="clearfix">
 								<div class="input-prepend">

core/src/Utils/SessionUtils.php

@@ -28,7 +28,8 @@ public static function unsetClientSession()
         $names = [
             "user",
             "modulePath",
-            "admin_current_profile"
+            "admin_current_profile",
+            "csrf-login"
         ];
         session_start();
         setcookie('icehrmLF', '');