From 785f4e2711848eb8945894199d5870253a88584e Mon Sep 17 00:00:00 2001
From: Madhura Jayaratne <madhura.cj@gmail.com>
Date: Mon, 7 Sep 2015 21:23:14 +1000
Subject: [PATCH 1/2] Fix reCaptcha bypass

Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
---
 ChangeLog                                     |  3 ++
 .../auth/AuthenticationCookie.class.php       | 31 ++-----------------
 .../auth/PMA_AuthenticationCookie_test.php    | 17 +++++-----
 3 files changed, 15 insertions(+), 36 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 69d8cfd695ca..39124c9107e0 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,9 @@
 phpMyAdmin - ChangeLog
 ======================
 
+4.4.14.1 (Not yet released)
+- issue        [security] reCaptcha bypass
+
 4.4.14.0 (2015-08-20)
 - issue #11367 Export after search, missing WHERE clause
 - issue #11380 Incomplete message after import
diff --git a/libraries/plugins/auth/AuthenticationCookie.class.php b/libraries/plugins/auth/AuthenticationCookie.class.php
index c85f74a41fd8..2b75262e7e8f 100644
--- a/libraries/plugins/auth/AuthenticationCookie.class.php
+++ b/libraries/plugins/auth/AuthenticationCookie.class.php
@@ -223,18 +223,9 @@ public function auth()
                 . $GLOBALS['server'] . '" />';
         } // end if (server choice)
 
-        // We already have one correct captcha.
-        $skip = false;
-        if (  isset($_SESSION['last_valid_captcha'])
-            && $_SESSION['last_valid_captcha']
-        ) {
-            $skip = true;
-        }
-
         // Add captcha input field if reCaptcha is enabled
         if (  !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
             && !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
-            && !$skip
         ) {
             // If enabled show captcha to the user on the login screen.
             echo '<script src="https://www.google.com/recaptcha/api.js?hl='
@@ -336,8 +327,6 @@ public function authCheck()
 
             if (! defined('TESTSUITE')) {
                 session_destroy();
-                // $_SESSION array is not immediately emptied
-                $_SESSION['last_valid_captcha'] = false;
             }
             // -> delete password cookie(s)
             if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
@@ -359,18 +348,9 @@ public function authCheck()
 
         if (! empty($_REQUEST['pma_username'])) {
 
-            // We already have one correct captcha.
-            $skip = false;
-            if (isset($_SESSION['last_valid_captcha'])
-                && $_SESSION['last_valid_captcha']
-            ) {
-                $skip = true;
-            }
-
             // Verify Captcha if it is required.
             if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
                 && ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
-                && ! $skip
             ) {
                 if (! empty($_POST["g-recaptcha-response"])) {
 
@@ -388,18 +368,11 @@ public function authCheck()
                     // Check if the captcha entered is valid, if not stop the login.
                     if ($resp == null || ! $resp->isSuccess()) {
                         $conn_error = __('Entered captcha is wrong, try again!');
-                        $_SESSION['last_valid_captcha'] = false;
                         return false;
-                    } else {
-                        $_SESSION['last_valid_captcha'] = true;
                     }
                 } else {
-                    if (! isset($_SESSION['last_valid_captcha'])
-                        || ! $_SESSION['last_valid_captcha']
-                    ) {
-                        $conn_error = __('Please enter correct captcha!');
-                        return false;
-                    }
+                    $conn_error = __('Please enter correct captcha!');
+                    return false;
                 }
             }
 
diff --git a/test/classes/plugin/auth/PMA_AuthenticationCookie_test.php b/test/classes/plugin/auth/PMA_AuthenticationCookie_test.php
index e42e232409a1..421b59c57db8 100644
--- a/test/classes/plugin/auth/PMA_AuthenticationCookie_test.php
+++ b/test/classes/plugin/auth/PMA_AuthenticationCookie_test.php
@@ -186,7 +186,8 @@ public function testAuth()
         $GLOBALS['cfg']['Lang'] = 'en';
         $GLOBALS['cfg']['AllowArbitraryServer'] = true;
         $GLOBALS['cfg']['Servers'] = array(1, 2);
-        $_SESSION['last_valid_captcha'] = true;
+        $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+        $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
         $GLOBALS['target'] = 'testTarget';
         $GLOBALS['db'] = 'testDb';
         $GLOBALS['table'] = 'testTable';
@@ -308,7 +309,6 @@ public function testAuth()
         $GLOBALS['cfg']['Lang'] = '';
         $GLOBALS['cfg']['AllowArbitraryServer'] = false;
         $GLOBALS['cfg']['Servers'] = array(1);
-        $_SESSION['last_valid_captcha'] = false;
         $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
         $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
         $GLOBALS['server'] = 0;
@@ -431,7 +431,6 @@ public function testAuthCheck()
 
         // case 2
 
-        $_SESSION['last_valid_captcha'] = false;
         $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
         $GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
         $_POST["g-recaptcha-response"] = '';
@@ -481,7 +480,8 @@ public function testAuthCheck()
 
         // case 6
 
-        $_SESSION['last_valid_captcha'] = true;
+        $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+        $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
         $_REQUEST['old_usr'] = '';
         $_REQUEST['pma_username'] = 'testPMAUser';
         $_REQUEST['pma_servername'] = 'testPMAServer';
@@ -611,7 +611,8 @@ public function testAuthCheckDecryptUser()
         $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
         $GLOBALS['cfg']['blowfish_secret'] = 'secret';
         $_SESSION['last_access_time'] = '';
-        $_SESSION['last_valid_captcha'] = true;
+        $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+        $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
 
         // mock for blowfish function
         $this->object = $this->getMockBuilder('AuthenticationCookie')
@@ -649,7 +650,8 @@ public function testAuthCheckDecryptPassword()
         $_COOKIE['pmaPass-1'] = 'pmaPass1';
         $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
         $GLOBALS['cfg']['blowfish_secret'] = 'secret';
-        $_SESSION['last_valid_captcha'] = true;
+        $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+        $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
         $_SESSION['last_access_time'] = time() - 1000;
         $GLOBALS['cfg']['LoginCookieValidity'] = 1440;
 
@@ -694,7 +696,8 @@ public function testAuthCheckAuthFails()
         $_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
         $GLOBALS['cfg']['blowfish_secret'] = 'secret';
         $_SESSION['last_access_time'] = 1;
-        $_SESSION['last_valid_captcha'] = true;
+        $GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
+        $GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
         $GLOBALS['cfg']['LoginCookieValidity'] = 0;
         $_SESSION['last_access_time'] = -1;
         // mock for blowfish function

From f7f483e99a74648843cc87265033442aeb4b7342 Mon Sep 17 00:00:00 2001
From: Marc Delisle <marc@infomarc.info>
Date: Tue, 8 Sep 2015 11:16:27 -0400
Subject: [PATCH 2/2] 4.4.14.1 release

Signed-off-by: Marc Delisle <marc@infomarc.info>
---
 ChangeLog                  | 2 +-
 README                     | 2 +-
 doc/conf.py                | 2 +-
 libraries/Config.class.php | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 39124c9107e0..e1e8d7553fcc 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,7 +1,7 @@
 phpMyAdmin - ChangeLog
 ======================
 
-4.4.14.1 (Not yet released)
+4.4.14.1 (2015-09-08)
 - issue        [security] reCaptcha bypass
 
 4.4.14.0 (2015-08-20)
diff --git a/README b/README
index 75f9e1f16655..27b722aaca44 100644
--- a/README
+++ b/README
@@ -1,7 +1,7 @@
 phpMyAdmin - Readme
 ===================
 
-Version 4.4.14
+Version 4.4.14.1
 
 A set of PHP-scripts to manage MySQL over the web.
 
diff --git a/doc/conf.py b/doc/conf.py
index 8d05395126fd..6a7b22ac3261 100644
--- a/doc/conf.py
+++ b/doc/conf.py
@@ -51,7 +51,7 @@
 # built documents.
 #
 # The short X.Y version.
-version = '4.4.14'
+version = '4.4.14.1'
 # The full version, including alpha/beta/rc tags.
 release = version
 
diff --git a/libraries/Config.class.php b/libraries/Config.class.php
index b1ab9cf40e78..392586a9dd2b 100644
--- a/libraries/Config.class.php
+++ b/libraries/Config.class.php
@@ -114,7 +114,7 @@ function __construct($source = null)
      */
     function checkSystem()
     {
-        $this->set('PMA_VERSION', '4.4.14');
+        $this->set('PMA_VERSION', '4.4.14.1');
         /**
          * @deprecated
          */