
Commit 785f4e2

committed
Fix reCaptcha bypass
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
1 parent 5b2b959 commit 785f4e2


3 files changed

+15
-36
lines changed


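--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.4.14.1 (Not yet released)
+- issue [security] reCaptcha bypass
+
 4.4.14.0 (2015-08-20)
 - issue #11367 Export after search, missing WHERE clause
 - issue #11380 Incomplete message after import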

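--- a/libraries/plugins/auth/AuthenticationCookie.class.php
+++ b/libraries/plugins/auth/AuthenticationCookie.class.php
@@ -223,18 +223,9 @@ public function auth()
 . $GLOBALS['server'] . '" />';
 } // end if (server choice)
 
-// We already have one correct captcha.
-$skip = false;
-if ( isset($_SESSION['last_valid_captcha'])
-&& $_SESSION['last_valid_captcha']
-) {
-$skip = true;
-}
-
 // Add captcha input field if reCaptcha is enabled
 if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
 && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
-&& !$skip
 ) {
 // If enabled show captcha to the user on the login screen.
 echo '<script src="https://www.google.com/recaptcha/api.js?hl='
@@ -336,8 +327,6 @@ public function authCheck()
 
 if (! defined('TESTSUITE')) {
 session_destroy();
-// $_SESSION array is not immediately emptied
-$_SESSION['last_valid_captcha'] = false;
 }
 // -> delete password cookie(s)
 if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
@@ -359,18 +348,9 @@ public function authCheck()
 
 if (! empty($_REQUEST['pma_username'])) {
 
-// We already have one correct captcha.
-$skip = false;
-if (isset($_SESSION['last_valid_captcha'])
-&& $_SESSION['last_valid_captcha']
-) {
-$skip = true;
-}
-
 // Verify Captcha if it is required.
 if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
 && ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
-&& ! $skip
 ) {
 if (! empty($_POST["g-recaptcha-response"])) {
 
@@ -388,18 +368,11 @@ public function authCheck()
 // Check if the captcha entered is valid, if not stop the login.
 if ($resp == null || ! $resp->isSuccess()) {
 $conn_error = __('Entered captcha is wrong, try again!');
-$_SESSION['last_valid_captcha'] = false;
 return false;
-} else {
-$_SESSION['last_valid_captcha'] = true;
 }
 } else {
-if (! isset($_SESSION['last_valid_captcha'])
-|| ! $_SESSION['last_valid_captcha']
-) {
-$conn_error = __('Please enter correct captcha!');
-return false;
-}
+$conn_error = __('Please enter correct captcha!');
+return false;
 }
 }
 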
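Review bot: The retained check `if ($resp == null || ! $resp->isSuccess())` in the last hunk of authCheck() uses a loose comparison; `$resp === null` states the intent and avoids `==` treating any falsy value as null. Since the commit removes the session flag that let one solved captcha cover later attempts, a short why-comment next to `// Verify Captcha if it is required.` would keep the next maintainer from reintroducing it, e.g. `// Verified on every login attempt on purpose: caching the result in $_SESSION let one solved captcha be reused across repeated attempts.` With the flag gone, nothing in the patched hunks reads or writes `last_valid_captcha` any more, so the removal in the session_destroy() hunk is consistent, but any other reader of that key outside these hunks would now see it unset. The enclosing auth() and authCheck() methods start and end outside the hunks.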

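--- a/test/classes/plugin/auth/PMA_AuthenticationCookie_test.php
+++ b/test/classes/plugin/auth/PMA_AuthenticationCookie_test.php
@@ -186,7 +186,8 @@ public function testAuth()
 $GLOBALS['cfg']['Lang'] = 'en';
 $GLOBALS['cfg']['AllowArbitraryServer'] = true;
 $GLOBALS['cfg']['Servers'] = array(1, 2);
-$_SESSION['last_valid_captcha'] = true;
+$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
 $GLOBALS['target'] = 'testTarget';
 $GLOBALS['db'] = 'testDb';
 $GLOBALS['table'] = 'testTable';
@@ -308,7 +309,6 @@ public function testAuth()
 $GLOBALS['cfg']['Lang'] = '';
 $GLOBALS['cfg']['AllowArbitraryServer'] = false;
 $GLOBALS['cfg']['Servers'] = array(1);
-$_SESSION['last_valid_captcha'] = false;
 $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
 $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
 $GLOBALS['server'] = 0;
@@ -431,7 +431,6 @@ public function testAuthCheck()
 
 // case 2
 
-$_SESSION['last_valid_captcha'] = false;
 $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
 $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
 $_POST["g-recaptcha-response"] = '';
@@ -481,7 +480,8 @@ public function testAuthCheck()
 
 // case 6
 
-$_SESSION['last_valid_captcha'] = true;
+$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
 $_REQUEST['old_usr'] = '';
 $_REQUEST['pma_username'] = 'testPMAUser';
 $_REQUEST['pma_servername'] = 'testPMAServer';
@@ -611,7 +611,8 @@ public function testAuthCheckDecryptUser()
 $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
 $GLOBALS['cfg']['blowfish_secret'] = 'secret';
 $_SESSION['last_access_time'] = '';
-$_SESSION['last_valid_captcha'] = true;
+$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
 
 // mock for blowfish function
 $this->object = $this->getMockBuilder('AuthenticationCookie')
@@ -649,7 +650,8 @@ public function testAuthCheckDecryptPassword()
 $_COOKIE['pmaPass-1'] = 'pmaPass1';
 $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
 $GLOBALS['cfg']['blowfish_secret'] = 'secret';
-$_SESSION['last_valid_captcha'] = true;
+$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
 $_SESSION['last_access_time'] = time() - 1000;
 $GLOBALS['cfg']['LoginCookieValidity'] = 1440;
 
@@ -694,7 +696,8 @@ public function testAuthCheckAuthFails()
 $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
 $GLOBALS['cfg']['blowfish_secret'] = 'secret';
 $_SESSION['last_access_time'] = 1;
-$_SESSION['last_valid_captcha'] = true;
+$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
 $GLOBALS['cfg']['LoginCookieValidity'] = 0;
 $_SESSION['last_access_time'] = -1;
 // mock for blowfish function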
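Review bot: No hunk in this file adds a regression test for the bypass itself: every replaced `$_SESSION['last_valid_captcha'] = true;` becomes a pair of empty `CaptchaLoginPrivateKey`/`CaptchaLoginPublicKey` settings, which exercises the "captcha disabled" path rather than the new "verify on every attempt" behaviour. A case in testAuthCheck() that configures both keys, leaves `$_POST["g-recaptcha-response"]` unset on a second call after a successful first one, and asserts that authCheck() still returns false with `$conn_error` set would pin the fix. Case 2 as shown already covers a single call with an empty response, so the missing piece is only the repeated-attempt check; whether such a case exists elsewhere in the file cannot be seen from these hunks. The enclosing test methods start and end outside the hunks.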
