Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
fix: introduced security fixes (#263)
- dologin.php - validating user input and introduced CSRF token check
- logging.php - preventing direct access to this file, which means redirecting to index.php when directly hitting this include file, (repeated for other exten. / include / etc. files), and optimized logging features
- actionMessages.php and errorHandling.php same as logging.php
- library/exten-* files - preventing direct access to these files, generalized the approach of looking for known file locations, improved user input validation (params such as limit, etc.), improved output (escaping logfile output, etc.)
- in library/exten-server_info.php - i also have added new commands for retrieving network information and system distro/version
- opendb.php - general code optimization (TODO prevent direct access to this file)
- sessions.php - introduced new session handling (TODO prevent direct access to this file)
- login.php - removed the default username hardcoded in the form, added the csrf_token
- rep-* - user input validation, code optimization
  • Loading branch information
filippolauria committed Oct 12, 2022
1 parent 765fb6a commit 3d11f37
Show file tree
Hide file tree
Showing 21 changed files with 1,141 additions and 1,125 deletions.
173 changes: 91 additions & 82 deletions include/config/logging.php
@@ -1,107 +1,116 @@
<?php
/*********************************************************************
* Name: logging.php
* Author: Liran tal <liran.tal@gmail.com>
*
* This file is used for controlling the logging actions
*
*********************************************************************/


/*
* It is important to understand that when logging.php is included in
* a page AFTER an include for config_read.php it gains access to all
* of the variables it's scope including the $configValues[....] because
* it was included just before it.
*
* But it should be noticed that these variables are only accessible
* in the scope of the general or main block of php code and are
* not accessible from functions, so we can't just use $configValues[...]
* variables from within logMessageNotice() or any other function
* and so we must use them here as references.
*
* The relevant variables are:
*
* $operator
* $_SERVER["SCRIPT_NAME"]
* $configValues['CONFIG_LOG_FILE']
*
*/
*********************************************************************************************************
* daloRADIUS - RADIUS Web Platform
* Copyright (C) 2007 - Liran Tal <liran@enginx.com> All Rights Reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*********************************************************************************************************
* Description: This file is used for controlling the logging actions
*
* Authors: Liran Tal <liran@enginx.com>
* Filippo Lauria <filippo.lauria@iit.cnr.it>
*
*********************************************************************************************************
*/

if ($configValues['CONFIG_LOG_PAGES'] == "yes") {
if (isset($log)) {
$msgNotice = $operator . " " . $log;
logMessage("NOTICE", $msgNotice, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]);
}
// prevent this file to be directly accessed
if (strpos($_SERVER['PHP_SELF'], '/include/config/logging.php') !== false) {
header("Location: ../../index.php");
exit;
}

/*
* It is important to understand that when logging.php is included in
* a page AFTER an include for config_read.php it gains access to all
* of the variables it's scope including the $configValues[....] because
* it was included just before it.
*
* But it should be noticed that these variables are only accessible
* in the scope of the general or main block of php code and are
* not accessible from functions, so we can't just use $configValues[...]
* variables from within logMessageNotice() or any other function
* and so we must use them here as references.
*
* The relevant variables are:
*
* $operator
* $_SERVER["SCRIPT_NAME"]
* $configValues['CONFIG_LOG_FILE']
*
*/

/*
* @param $type The message type, for example, NOTICE, DEBUG, ERROR, ACTION, etc...
* @param $msg The message string which should be logged to the file
* @param $logFile The full path for the filename to write logs to
* @param $currPage The current page that we included from
* @return $table The table name, either radcheck or radreply
*/
function logMessage($type, $msg, $logFile, $currPage) {
$date = date('M d G:i:s');
$msgString = $date . " " . $type . " " . $msg . " " . $currPage;

if ($configValues['CONFIG_LOG_QUERIES'] == "yes") {
if (isset($logQuery)) {
$msgQuery = $operator . " " . $logQuery;
logMessage("QUERY", $msgQuery, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]);
}
$fp = fopen($logFile, "a");
if ($fp) {
fwrite($fp, $msgString . "\n");
fclose($fp);
return;
}

echo "<div>"
. '<span style="color: red">error: could not open the file for writing: <strong>'
. $logFile . "</strong></span><br>"
. "Check file permissions. The file should be writable by the webserver's user/group"
. "</div>";
}

$logger_work = array();

if ($configValues['CONFIG_LOG_PAGES'] == "yes" && isset($log) && !empty($log)) {
$logger_work['NOTICE'] = "$operator $log";
}

if ($configValues['CONFIG_LOG_ACTIONS'] == "yes") {
if (isset($logAction)) {
$msgAction = $operator . " " . $logAction;
logMessage("ACTION", $msgAction, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]);
}
if ($configValues['CONFIG_LOG_QUERIES'] == "yes" && isset($logQuery) && !empty($logQuery)) {
$logger_work['QUERIES'] = "$operator $logQuery";
}


/********************************************************************************
if ($configValues['CONFIG_LOG_ACTIONS'] == "yes" && isset($logAction) && !empty($logAction)) {
$logger_work['ACTIONS'] = "$operator $logAction";
}

/*
********************************************************************************
* evaluating whether we need to debug SQL queries to the database as well.
* $logDebugSQL is set for each $sql = "query statement..." on the actual page
* in the following form: $logDebugSQL += $sql . "\n";
*
********************************************************************************/
if ($configValues['CONFIG_DEBUG_SQL'] == "yes") {
if (isset($logDebugSQL)) {
$msgDebugSQL = "- SQL -" . " " . $logDebugSQL . " on page: ";
logMessage("DEBUG", $msgDebugSQL, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]);
}
********************************************************************************
*/
if ($configValues['CONFIG_DEBUG_SQL'] == "yes" && isset($logDebugSQL) && !empty($logDebugSQL)) {
$logger_work['DEBUG'] = "- SQL -" . " " . $logDebugSQL . " on page: ";
}

/* the continuation of the CONFIG_DEBUG_SQL actually, this prints to the page
* being viewed */
if ($configValues['CONFIG_DEBUG_SQL_ONPAGE'] == "yes") {
if (isset($logDebugSQL)) {
echo "<br/><br/>";
echo "Debugging SQL Queries: <br/>";
echo $logDebugSQL;
echo "<br/><br/>";
}
foreach ($logger_work as $type => $message) {
logMessage($type, $message, $configValues['CONFIG_LOG_FILE'], $_SERVER["SCRIPT_NAME"]);
}



function logMessage($type, $msg, $logFile, $currPage) {
/*
* @param $type The message type, for example, NOTICE, DEBUG, ERROR, ACTION, etc...
* @param $msg The message string which should be logged to the file
* @param $logFile The full path for the filename to write logs to
* @param $currPage The current page that we included from
* @return $table The table name, either radcheck or radreply
*/

$date = date('M d G:i:s');
$msgString = $date . " " . $type . " " . $msg . " " . $currPage;

$fp = fopen($logFile, "a");
if ($fp) {
fwrite($fp, $msgString . "\n");
fclose($fp);
} else {

echo "<font color='#FF0000'>error: could not open the file for writing:<b> $logFile </b><br/></font>";
echo "Check file permissions. The file should be writable by the webserver's user/group<br/>";
}

/* the continuation of the CONFIG_DEBUG_SQL actually, this prints to the page
* being viewed */
if ($configValues['CONFIG_DEBUG_SQL_ONPAGE'] == "yes" && isset($logDebugSQL) && !empty($logDebugSQL)) {
echo "<br><br>"
. "Debugging SQL Queries: <br>"
. "<pre>$logDebugSQL</pre>"
. "<br><br>";
}

?>
56 changes: 35 additions & 21 deletions include/management/actionMessages.php
@@ -1,27 +1,41 @@
<?php
/*********************************************************************
* Name: actionMessages.php
* Author: Liran tal <liran.tal@gmail.com>
*
* This file provides control for messages that are printed to the
* screen in reply to actions such as applying forms, saving data,
* removing data and such.
*
*********************************************************************/
/*
*********************************************************************************************************
* daloRADIUS - RADIUS Web Platform
* Copyright (C) 2007 - Liran Tal <liran@enginx.com> All Rights Reserved.
*
* This program is free software; you can redistribute it and/or
* modify it under the terms of the GNU General Public License
* as published by the Free Software Foundation; either version 2
* of the License, or (at your option) any later version.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*********************************************************************************************************
*
* Description:
* This file provides control for messages that are printed to the
* screen in reply to actions such as applying forms, saving data,
* removing data and such.
*
* Authors: Liran Tal <liran@enginx.com>
* Filippo Lauria <filippo.lauria@iit.cnr.it>
*
*********************************************************************************************************
*/


if ((isset($failureMsg)) && ($failureMsg != "")) {
echo "<div class='failure'>
$failureMsg
</div>
";
// prevent this file to be directly accessed
if (strpos($_SERVER['PHP_SELF'], '/include/management/actionMessages.php') !== false) {
header("Location: ../../index.php");
exit;
}


if ((isset($successMsg)) && ($successMsg != "")) {
echo "<div class='success'>
$successMsg
</div>
";
if (isset($failureMsg) && !empty($failureMsg)) {
printf('<div class="failure">%s</div>', $failureMsg);
}

if (isset($successMsg) && !empty($successMsg)) {
printf('<div class="success">%s</div>', $successMsg);
}
26 changes: 17 additions & 9 deletions library/errorHandling.php
Expand Up @@ -14,22 +14,30 @@
* Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*
*********************************************************************************************************
* Description:
* global error handling for all PEAR packages, it isn't too wise to do
* that as I've no idea what other php applications are running on this machine
* even though this is really just about handling the error but still.
* So instead we're using the object's error handling method (see library/opendb.php)
* PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'errorHandler');
*
* Description: global error handling for all PEAR packages, it isn't too wise to do
* that as I've no idea what other php applications are running on this machine
* even though this is really just about handling the error but still.
* So instead we're using the object's error handling method (see library/opendb.php)
* PEAR::setErrorHandling(PEAR_ERROR_CALLBACK, 'errorHandler');
*
* Authors: Liran Tal <liran@enginx.com>
* Authors: Liran Tal <liran@enginx.com>
* Filippo Lauria <filippo.lauria@iit.cnr.it>
*
*********************************************************************************************************
*/

// prevent this file to be directly accessed
if (strpos($_SERVER['PHP_SELF'], '/library/errorHandling.php') !== false) {
header("Location: ../index.php");
exit;
}

function errorHandler($err) {
echo("<br/><b>Database error</b><br>
<b>Error Message: </b>" . $err->getMessage() . "<br><b>Debug info: </b>" . $err->getDebugInfo() . "<br>");
echo '<div class="failure"><strong>Database error</strong><br>'
. "Error message: <strong>" . $err->getMessage() . "</strong><br>"
. "Debug info: <br>" . $err->getDebugInfo()
. "</div>";
}

?>

0 comments on commit 3d11f37

Please sign in to comment.