Permalink
Browse files

Fix reCaptcha bypass

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
  • Loading branch information...
madhuracj committed Sep 7, 2015
1 parent f81cc30 commit 0314e67900f01410bc8c81c58a40dc0515e3c91d
View
@@ -1,6 +1,9 @@
phpMyAdmin - ChangeLog
======================
4.3.13.2 (Not yet released)
- bug [security] reCaptcha bypass
4.3.13.1 (2015-05-13)
- bug #4899 [security] CSRF vulnerability in setup
- bug #4900 [security] Vulnerability allowing man-in-the-middle attack
@@ -218,18 +218,9 @@ public function auth()
. $GLOBALS['server'] . '" />';
} // end if (server choice)
// We already have one correct captcha.
$skip = false;
if ( isset($_SESSION['last_valid_captcha'])
&& $_SESSION['last_valid_captcha']
) {
$skip = true;
}
// Add captcha input field if reCaptcha is enabled
if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
&& !$skip
) {
// If enabled show captcha to the user on the login screen.
echo '<script type="text/javascript">
@@ -349,18 +340,9 @@ public function authCheck()
return false;
}
// We already have one correct captcha.
$skip = false;
if ( isset($_SESSION['last_valid_captcha'])
&& $_SESSION['last_valid_captcha']
) {
$skip = true;
}
// Verify Captcha if it is required.
if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
&& !$skip
) {
if ( !empty($_POST["recaptcha_challenge_field"])
&& !empty($_POST["recaptcha_response_field"])
@@ -378,22 +360,15 @@ public function authCheck()
// Check if the captcha entered is valid, if not stop the login.
if ( !$resp->is_valid ) {
$conn_error = __('Entered captcha is wrong, try again!');
$_SESSION['last_valid_captcha'] = false;
return false;
} else {
$_SESSION['last_valid_captcha'] = true;
}
} elseif (! empty($_POST["recaptcha_challenge_field"])
&& empty($_POST["recaptcha_response_field"])
) {
$conn_error = __('Please enter correct captcha!');
return false;
} else {
if (! isset($_SESSION['last_valid_captcha'])
|| ! $_SESSION['last_valid_captcha']
) {
return false;
}
return false;
}
}
@@ -406,8 +381,6 @@ public function authCheck()
if (! defined('TESTSUITE')) {
session_destroy();
// $_SESSION array is not immediately emptied
$_SESSION['last_valid_captcha'] = false;
}
// -> delete password cookie(s)
if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
@@ -186,7 +186,8 @@ public function testAuth()
$GLOBALS['cfg']['Lang'] = 'en';
$GLOBALS['cfg']['AllowArbitraryServer'] = true;
$GLOBALS['cfg']['Servers'] = array(1, 2);
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$GLOBALS['target'] = 'testTarget';
$GLOBALS['db'] = 'testDb';
$GLOBALS['table'] = 'testTable';
@@ -328,7 +329,6 @@ public function testAuth()
$GLOBALS['cfg']['Lang'] = '';
$GLOBALS['cfg']['AllowArbitraryServer'] = false;
$GLOBALS['cfg']['Servers'] = array(1);
$_SESSION['last_valid_captcha'] = false;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
$GLOBALS['server'] = 0;
@@ -470,7 +470,6 @@ public function testAuthCheck()
// case 2
$_SESSION['last_valid_captcha'] = false;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
$_POST["recaptcha_challenge_field"] = 'captcha1';
@@ -487,7 +486,6 @@ public function testAuthCheck()
// case 3
$_SESSION['last_valid_captcha'] = false;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
$_POST["recaptcha_challenge_field"] = '';
@@ -532,7 +530,8 @@ public function testAuthCheck()
// case 6
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$_REQUEST['old_usr'] = '';
$_REQUEST['pma_username'] = 'testPMAUser';
$_REQUEST['pma_servername'] = 'testPMAServer';
@@ -662,8 +661,8 @@ public function testAuthCheckDecryptUser()
$_COOKIE['pma_iv'] = base64_encode('testiv09testiv09');
$GLOBALS['cfg']['blowfish_secret'] = 'secret';
$_SESSION['last_access_time'] = '';
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
// mock for blowfish function
$this->object = $this->getMockBuilder('AuthenticationCookie')
->disableOriginalConstructor()
@@ -700,7 +699,8 @@ public function testAuthCheckDecryptPassword()
$_COOKIE['pmaPass-1'] = 'pmaPass1';
$_COOKIE['pma_iv'] = base64_encode('testiv09testiv09');
$GLOBALS['cfg']['blowfish_secret'] = 'secret';
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$_SESSION['last_access_time'] = time() - 1000;
$GLOBALS['cfg']['LoginCookieValidity'] = 1440;
@@ -745,7 +745,8 @@ public function testAuthCheckAuthFails()
$_COOKIE['pma_iv'] = base64_encode('testiv09testiv09');
$GLOBALS['cfg']['blowfish_secret'] = 'secret';
$_SESSION['last_access_time'] = 1;
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$GLOBALS['cfg']['LoginCookieValidity'] = 0;
$_SESSION['last_access_time'] = -1;
// mock for blowfish function

0 comments on commit 0314e67

Please sign in to comment.