Author: jfthomps
Date: Tue Oct 25 17:16:00 2011
New Revision: 1188806

URL: http://svn.apache.org/viewvc?rev=1188806&view=rev
Log:
VCL-486
Measures against cross site scripting on the Login form

applied code from diff in JIRA issue

authentication.php:
-modified printLoginPage - unset $_GET['userid'] if it is set so that a userid 
cannot be submitted via a normal href link; added call to stripslashes for 
$userid if magic quotes is enabled to allow single quotes in user names and 
added htmlspecialchars for $userid to prevent XSS attacks
-modified submitLogin - unset $_GET['userid'] if it is set so that a userid 
cannot be submitted via a normal href link; added call to stripslashes for 
$userid if magic quotes is enabled to allow single quotes in user names
-modified ldapLogin, validateLocalAccount - added $esc_userid that is $userid 
escaped with mysql_real_escape_string to prevent SQL injection attacks
-modified validateLocalAccount - added mysql_real_escape_string to $user to 
prevent SQL injection attacks
-modified addLoginLog - added mysql_real_escape_string to $user and $mech to 
prevent SQL injection attacks

ldapauth.php:
-modified addLDAPUser - added mysql_real_escape_string to $loweruserid to 
prevent SQL injection attacks
-modified updateLDAPUser - added $esc_userid that is $userid escaped with 
mysql_real_escape_string to prevent SQL injection attacks

Modified:
    incubator/vcl/trunk/web/.ht-inc/authentication.php
    incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php

Modified: incubator/vcl/trunk/web/.ht-inc/authentication.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authentication.php?rev=1188806&r1=1188805&r2=1188806&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authentication.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authentication.php Tue Oct 25 17:16:00 2011
@@ -233,6 +233,8 @@ function printLoginPage($servertimeout=0
        $authtype = getContinuationVar("authtype", processInputVar("authtype", 
ARG_STRING));
        if($authtype == '' && array_key_exists('VCLAUTHSEL', $_COOKIE))
                $authtype = $_COOKIE['VCLAUTHSEL'];
+       if(isset($_GET['userid']))
+               unset($_GET['userid']);
        $userid = processInputVar('userid', ARG_STRING, '');
        if($userid == 'Proceed to Login')
                $userid = '';
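Review bot: Unsetting `$_GET['userid']` on the two added lines only blocks the query-string source if `processInputVar()` reads `$_GET` directly; `$_REQUEST` is populated at request start and still holds the value afterwards, so if the helper consults `$_REQUEST` a userid in an href link still arrives. processInputVar's body is not on this page, so this is worth confirming, and the same guard added in submitLogin (the hunk at @@ -326) has the same dependency. A short comment next to the guard would record the intent the unset relies on: `// userid must come from the POSTed form, not the query string; processInputVar must not fall back to $_REQUEST`. printLoginPage's body begins before and continues after this hunk.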
@@ -241,6 +243,9 @@ function printLoginPage($servertimeout=0
                dbDisconnect();
                exit;
        }
+       if(get_magic_quotes_gpc())
+               $userid = stripslashes($userid);
+       $userid = htmlspecialchars($userid);
        $extrafailedmsg = '';
        if($servertimeout)
                $extrafailedmsg = " (unable to connect to authentication 
server)";
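Review bot: `htmlspecialchars($userid)` on the added line uses the default flags, which leave single quotes unencoded, so if the login form echoes `$userid` inside a single-quoted attribute a name containing `'` can still break out of the attribute; use `$userid = htmlspecialchars($userid, ENT_QUOTES, 'UTF-8');`. Encoding at assignment also means every later use of `$userid` in this function sees the encoded form, which is only correct while it is used for HTML output alone; if it is also stored in a continuation variable or compared against anything, it should be encoded at the echo instead. The enclosing function continues outside the hunk.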
@@ -326,14 +331,18 @@ function submitLogin() {
                dbDisconnect();
                exit;
        }
+       if(isset($_GET['userid']))
+               unset($_GET['userid']);
        $userid = processInputVar('userid', ARG_STRING, '');
        $passwd = $_POST['password'];
        if(empty($userid) || empty($passwd)) {
                selectAuth();
                return;
        }
-       if(get_magic_quotes_gpc())
+       if(get_magic_quotes_gpc()) {
+               $userid = stripslashes($userid);
                $passwd = stripslashes($passwd);
+       }
        if($authMechs[$authtype]['type'] == 'ldap')
                ldapLogin($authtype, $userid, $passwd);
        elseif($authMechs[$authtype]['type'] == 'local')
@@ -356,6 +365,7 @@ function submitLogin() {
 
////////////////////////////////////////////////////////////////////////////////
 function ldapLogin($authtype, $userid, $passwd) {
        global $HTMLheader, $printedHTMLheader, $authMechs, $phpVer;
+       $esc_userid = mysql_real_escape_string($userid);
        if(! $fh = fsockopen($authMechs[$authtype]['server'], 636, $errno, 
$errstr, 5)) {
                printLoginPageWithSkin($authtype, 1);
                return;
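Review bot: `mysql_real_escape_string($userid)` on the added line protects only the SQL query further down, while the raw `$userid` still travels to the LDAP server that the `fsockopen` to port 636 on the next line connects to; SQL escaping does nothing for an LDAP DN or search filter, so if `$userid` is interpolated into either (not visible in this hunk), that context needs its own escaping of `*`, `(`, `)`, `\` and NUL. The call also needs an open MySQL link; without one it warns and returns false, and `'$esc_userid'` in the later query would then interpolate as an empty string instead of the user's name, so computing `$esc_userid` immediately before the `SELECT id` query at @@ -443 keeps the escape next to the connection it depends on. ldapLogin's body continues past this hunk.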
@@ -443,7 +453,7 @@ function ldapLogin($authtype, $userid, $
                // see if user in our db
                $query = "SELECT id "
                       . "FROM user "
-                      . "WHERE unityid = '$userid' AND "
+                      . "WHERE unityid = '$esc_userid' AND "
                       .       "affiliationid = 
{$authMechs[$authtype]['affiliationid']}";
                $qh = doQuery($query, 101);
                if(! mysql_num_rows($qh)) {
@@ -522,6 +532,7 @@ function localLogin($userid, $passwd) {
 ///
 
////////////////////////////////////////////////////////////////////////////////
 function validateLocalAccount($user, $pass) {
+       $user = mysql_real_escape_string($user);
        $query = "SELECT l.salt "
               . "FROM localauth l, "
               .      "user u, "
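Review bot: Overwriting the `$user` parameter with its escaped form on the added line means any later non-SQL use of `$user` in validateLocalAccount (a comparison, a log call such as addLoginLog, or returning it) sees backslash-escaped text, and a name containing `'` or `\` would be escaped a second time if it reaches addLoginLog, which now escapes its own argument. The rest of this commit keeps a separate `$esc_userid` for the SQL value (ldapLogin, updateLDAPUser); following that convention here, `$esc_user = mysql_real_escape_string($user);` with the query's reference switched to it, avoids the aliasing. The same in-place overwrite appears in addLoginLog (the two added lines at @@ -565) and in addLDAPUser (`$loweruserid` at @@ -40 in ldapauth.php). The function body continues outside the hunk.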
@@ -565,6 +576,8 @@ function validateLocalAccount($user, $pa
 ///
 
////////////////////////////////////////////////////////////////////////////////
 function addLoginLog($login, $mech, $affiliationid, $passfail) {
+       $login = mysql_real_escape_string($login);
+       $mech = mysql_real_escape_string($mech);
        $query = "INSERT INTO loginlog "
               .        "(user, "
               .        "authmech, "
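Review bot: Only `$login` and `$mech` are escaped on the added lines, while `$affiliationid` and `$passfail` go into the same INSERT untouched; the VALUES clause is outside the hunk, so if either is interpolated without surrounding quotes escaping would not help and they need coercion instead, e.g. `$affiliationid = (int)$affiliationid;` and `$passfail = (int)$passfail;` if both columns are numeric — confirm against the loginlog schema, and escape them like `$login` if they are strings. addLoginLog's body continues outside the hunk.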

Modified: incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php
URL: 
http://svn.apache.org/viewvc/incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php?rev=1188806&r1=1188805&r2=1188806&view=diff
==============================================================================
--- incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php (original)
+++ incubator/vcl/trunk/web/.ht-inc/authmethods/ldapauth.php Tue Oct 25 
17:16:00 2011
@@ -40,6 +40,7 @@ function addLDAPUser($authtype, $userid)
                return NULL;
 
        $loweruserid = strtolower($userid);
+       $loweruserid = mysql_real_escape_string($loweruserid);
 
        # check for existance of an expired user if a numericid exists
        if(array_key_exists('numericid', $data)) {
@@ -164,6 +165,7 @@ function validateLDAPUser($type, $logini
 
////////////////////////////////////////////////////////////////////////////////
 function updateLDAPUser($authtype, $userid) {
        global $authMechs;
+       $esc_userid = mysql_real_escape_string($userid);
        $userData = getLDAPUserData($authtype, $userid);
        if(is_null($userData))
                return NULL;
@@ -197,7 +199,7 @@ function updateLDAPUser($authtype, $user
           is_numeric($userData['numericid']))
                $query .=   "u.uid = {$userData['numericid']}";
        else {
-               $query .=   "u.unityid = '$userid' AND "
+               $query .=   "u.unityid = '$esc_userid' AND "
                       .    "u.affiliationid = $affilid";
        }
        $qh = doQuery($query, 255);
@@ -211,7 +213,7 @@ function updateLDAPUser($authtype, $user
                $user["email"] = $userData["email"];
                $user["lastupdated"] = $now;
                $query = "UPDATE user "
-                      . "SET unityid = '$userid', "
+                      . "SET unityid = '$esc_userid', "
                       .     "firstname = '{$userData['first']}', "
                       .     "lastname = '{$userData['last']}', "
                       .     "email = '{$userData['email']}', "
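Review bot: The UPDATE now escapes `unityid`, but `firstname`, `lastname` and `email` on the three context lines are still interpolated straight from `$userData`, which is whatever the LDAP directory returned; directory attributes are not always under the administrator's sole control (users can often edit their own name or mail fields), so a value containing a quote breaks or alters this statement. Escape them next to `$esc_userid`, e.g. `$esc_first = mysql_real_escape_string($userData['first']);` and likewise for `last` and `email`, and use those in the string; the same fields presumably reach an INSERT in addLDAPUser, which would need the same treatment. updateLDAPUser's body extends beyond this hunk.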
@@ -220,7 +222,7 @@ function updateLDAPUser($authtype, $user
                   is_numeric($userData['numericid']))
                        $query .= "WHERE uid = {$userData['numericid']}";
                else
-                       $query .= "WHERE unityid = '$userid' AND "
+                       $query .= "WHERE unityid = '$esc_userid' AND "
                               .        "affiliationid = $affilid";
                doQuery($query, 256, 'vcl', 1);
        }

