2.1.26

#1229 CSRFProtector message while DUO is enabled

changelog.md

@@ -14,6 +14,7 @@ Last changes
  #1241 OTV visible more than one time
  #1238 Fix for upgrade.php where mysql_result() command were still not replaced
  #1235 Import from Keepass: missing items with the same title
+ #1229 CSRFProtector message while DUO is enabled
  #1225 Unable to Access OTV Link
  #1224 Fixed errors in export_to_html_format
  #1211 No FA code sent from home page

duo.load.php

@@ -52,7 +52,7 @@ function(data) {
                 Duo.init({
                     'host': '<?php echo HOST; ?>',
                     'sig_request': data[0].sig_request,
-                    'post_action': "index.php?page=duo_check&"+data[0].csrfp_token+"="+data[0].csrfp_key
+                    'post_action': "index.php?page=items&type=duo_check&"+data[0].csrfp_token+"="+data[0].csrfp_key
                 });
 
                 $("#duo_login").val($("#login").val());

includes/libraries/csrfp/libs/csrf/csrfprotector.php

@@ -176,36 +176,36 @@ public static function authorizePost()
             //#todo this method is valid for same origin request only, 
             //enable it for cross origin also sometime
             //for cross origin the functionality is different
-            if ($_SERVER['REQUEST_METHOD'] === 'POST') {
-
-                //set request type to POST
-                self::$requestType = "POST";
-
+            if (!static::isURLallowed()) {
+
                 //currently for same origin only
-                if (!(isset($_POST[self::$config['CSRFP_TOKEN']]) 
+                if (!(isset($_GET[self::$config['CSRFP_TOKEN']]) 
                     && isset($_SESSION[self::$config['CSRFP_TOKEN']])
-                    && (self::isValidToken($_POST[self::$config['CSRFP_TOKEN']]))
+                    && (self::isValidToken($_GET[self::$config['CSRFP_TOKEN']]))
                     )) {
 
                     //action in case of failed validation
                     self::failedValidationAction();         
                 } else {
                     self::refreshToken();   //refresh token for successfull validation
                 }
-            } else if (!static::isURLallowed()) {
-
+            } else if ($_SERVER['REQUEST_METHOD'] === 'POST') {
+
+                //set request type to POST
+                self::$requestType = "POST";
+
                 //currently for same origin only
-                if (!(isset($_GET[self::$config['CSRFP_TOKEN']]) 
+                if (!(isset($_POST[self::$config['CSRFP_TOKEN']]) 
                     && isset($_SESSION[self::$config['CSRFP_TOKEN']])
-                    && (self::isValidToken($_GET[self::$config['CSRFP_TOKEN']]))
+                    && (self::isValidToken($_POST[self::$config['CSRFP_TOKEN']]))
                     )) {
 
                     //action in case of failed validation
                     self::failedValidationAction();         
                 } else {
                     self::refreshToken();   //refresh token for successfull validation
                 }
-            }   
+            } 
         }
 
         /*
@@ -487,7 +487,7 @@ private static function getCurrentUrl()
                 }
             }
 
-            return $request_scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['PHP_SELF'];
+            return $request_scheme . '://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'];
         }
 
         /*

includes/libraries/csrfp/libs/csrfp.config.sample.php

@@ -17,5 +17,5 @@
    "disabledJavascriptMessage" => "This site attempts to protect users against <a href=\"https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29\">
    Cross-Site Request Forgeries </a> attacks. In order to do so, you must have JavaScript enabled in your web browser otherwise this site will fail to work correctly for you.
     See details of your web browser for how to enable JavaScript.",
-    "verifyGetFor" => array()
+    "verifyGetFor" => array("*page=items&type=duo_check*")
 );

install/upgrade_ajax.php

@@ -582,6 +582,7 @@ function tableExists($tablename, $database = false)
                 $newdata = str_replace('"tokenLength" => "25"', '"tokenLength" => "50"', $newdata);
                 $jsUrl = $_SESSION['fullurl'].'/includes/libraries/csrfp/js/csrfprotector.js';
                 $newdata = str_replace('"jsUrl" => ""', '"jsUrl" => "'.$jsUrl.'"', $newdata);
+                $newdata = str_replace('"verifyGetFor" => array()', '"verifyGetFor" => array("*page=items&type=duo_check*")', $newdata);
                 file_put_contents("../includes/libraries/csrfp/libs/csrfp.config.php", $newdata);
 
 

install/upgrade_run_2.1.26.php

@@ -159,9 +159,9 @@ function tableExists($tablename, $database = false)
 // check that API doesn't exist
 $tmp = mysqli_fetch_row(mysqli_query($dbTmp, "SELECT COUNT(*) FROM `".$_SESSION['tbl_prefix']."users` WHERE id = '9999999'"));
 if ($tmp[0] == 0 || empty($tmp[0])) {
-	mysqli_query($dbTmp,
-		"INSERT INTO `".$_SESSION['tbl_prefix']."users` (`id`, `login`, `read_only`) VALUES ('9999999', 'API', '1')"
-	);
+    mysqli_query($dbTmp,
+        "INSERT INTO `".$_SESSION['tbl_prefix']."users` (`id`, `login`, `read_only`) VALUES ('9999999', 'API', '1')"
+    );
 }
 
 
@@ -180,13 +180,13 @@ function tableExists($tablename, $database = false)
 // add Estonian
 $tmp = mysqli_fetch_row(mysqli_query($dbTmp, "SELECT COUNT(*) FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonian'"));
 if ($tmp[0] == 0 || empty($tmp[0])) {
-	mysqli_query($dbTmp, "INSERT INTO `".$_SESSION['tbl_prefix']."languages` VALUES (null, 'estonian', 'Estonian', 'ee', 'ee.png')");
+    mysqli_query($dbTmp, "INSERT INTO `".$_SESSION['tbl_prefix']."languages` VALUES (null, 'estonian', 'Estonian', 'ee', 'ee.png')");
 }
 
 // remove Estonia
 $tmp = mysqli_fetch_row(mysqli_query($dbTmp, "SELECT COUNT(*) FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonia'"));
 if ($tmp[0] == 0 || empty($tmp[0])) {
-	mysqli_query($dbTmp, "DELETE FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonia'");
+    mysqli_query($dbTmp, "DELETE FROM `".$_SESSION['tbl_prefix']."languages` WHERE name = 'estonia'");
 }
 
 // ensure CSRFP config file is ready

load.php

@@ -257,18 +257,18 @@ function (){
                     );
                 } else if (data[0].value == "false_onetimepw") {
                     $("#connection_error").html("'.$LANG['bad_onetime_password'].'").show();
-				} else if (data[0].pwd_attempts >=3 ||data[0].error == "bruteforce_wait") {
-					// now user needs to wait 10 secs before new passwd
-					$("#connection_error").html("'.$LANG['error_bad_credentials_more_than_3_times'].'").show();					
+                } else if (data[0].pwd_attempts >=3 ||data[0].error == "bruteforce_wait") {
+                    // now user needs to wait 10 secs before new passwd
+                    $("#connection_error").html("'.$LANG['error_bad_credentials_more_than_3_times'].'").show();                 
                 } else if (data[0].error == "bad_credentials") {
                     $("#connection_error").html("'.$LANG['error_bad_credentials'].'").show();
                 } else if (data[0].error == "ga_code_wrong") {
                     $("#connection_error").html("'.$LANG['ga_bad_code'].'").show();
                 } else {
                     $("#connection_error").html("'.$LANG['error_bad_credentials'].'").show();
                 }
-				
-				$("#ajax_loader_connexion").hide();
+                
+                $("#ajax_loader_connexion").hide();
             },
             "json"
        );
@@ -430,7 +430,7 @@ function refreshListLastSeenItems()
                 key        : "'.$_SESSION["key"].'"
             },
             function(data) {
-				data = $.parseJSON(data);
+                data = $.parseJSON(data);
                 //check if format error
                 if (data.error == "") {
                     if (data.text == null) {
@@ -440,10 +440,10 @@ function(data) {
                     }
                     // rebuild menu
                     $("#menu_last_seen_items").menu("refresh");
-					// show notification
-					if (data.existing_suggestions != 0) {
-						blink("#menu_button_suggestion", -1, 500, "ui-state-error");
-					}
+                    // show notification
+                    if (data.existing_suggestions != 0) {
+                        blink("#menu_button_suggestion", -1, 500, "ui-state-error");
+                    }
                 } else {
                     $("#main_info_box_text").html(data.error);
                     setTimeout(function(){$("#main_info_box").effect( "fade", "slow" );}, 1000);
@@ -455,25 +455,7 @@ function(data) {
     // DUO box - identification
     function loadDuoDialog()
     {
-		/*
-		// save data connection
-		$.post(
-            "sources/identify.php",
-            {
-                type   : "store_data_in_cookie",
-                data   : prepareExchangedData($("#duo_data").val(), "encode", "'.$_SESSION['key'].'>"),
-                key    : "'.$_SESSION['key'].'"
-            },
-			function(data) {
-				if (data[0].error == "something_wrong") {
-
-				}
-			},
-			"json"
-        );
-		*/
-
-		// show dialog
+        // show dialog
         $("#dialog_duo").dialog({
             width: 600,
             height: 500,
@@ -496,6 +478,7 @@ function loadDuoDialogWait()
             title: "DUO Security - please wait ..."
         }).dialog("open");
     }
+    
     function ChangeMyPass()
     {
         if ($("#new_pw").val() != "" && $("#new_pw").val() == $("#new_pw2").val()) {
@@ -608,7 +591,7 @@ function(data) {
         $("#main *, #footer *, #icon_last_items *, #top *, button, .tip").tooltipster({
             maxWidth: 400,
             contentAsHTML: true,
-			multiple: true
+            multiple: true
         });
         $("#user_session").val(sessionStorage.password);
 
@@ -715,7 +698,7 @@ function() {
             title: "'.$LANG['home_personal_saltkey_label'].'",
             open: function( event, ui ) {
                 $("#input_personal_saltkey").val("'.addslashes(str_replace(""", '"', $_SESSION['my_sk'])).'");
-				console.log("'.addslashes(str_replace(""", '"', $_SESSION['my_sk'])).'");
+                console.log("'.addslashes(str_replace(""", '"', $_SESSION['my_sk'])).'");
             },
             buttons: {
                 "'.$LANG['save_button'].'": function() {
@@ -768,7 +751,7 @@ function(data) {
                     $("#div_change_personal_saltkey_wait").show();
                     var data_to_share = "{\"sk\":\"" + sanitizeString($("#new_personal_saltkey").val()) + "\", \"old_sk\":\"" + sanitizeString($("#old_personal_saltkey").val()) + "\"}";
 
-					$("#div_change_personal_saltkey_wait_progress").html("  0%");
+                    $("#div_change_personal_saltkey_wait_progress").html("  0%");
 
                     //Send query
                     $.post(
@@ -946,8 +929,8 @@ function getSelectedValue(id)
         });
         $("#new_pw").bind({
             "score.simplePassMeter" : function(jQEvent, score) {
-				$("#pw_strength_value").val(score);
-			}
+                $("#pw_strength_value").val(score);
+            }
         }).change({
             "score.simplePassMeter" : function(jQEvent, score) {
         $("#pw_strength_value").val(score);
@@ -957,32 +940,32 @@ function getSelectedValue(id)
         // get list of last items
         refreshListLastSeenItems();
 
-		// prevent usage of symbols in Personal saltkey
-		$(".text_without_symbols").bind("keydown", function (event) {
-			switch (event.keyCode) {
-				case 8:  // Backspace
-				case 9:  // Tab
-				case 13: // Enter
-				case 37: // Left
-				case 38: // Up
-				case 39: // Right
-				case 40: // Down
-				break;
-				default:
-				var regex = new RegExp("^[a-zA-Z0-9.,/#&$@()%*]+$");
-				var key = event.key;
-				if (!regex.test(key)) {
-					$("#set_personal_saltkey_warning").html("'.addslashes($LANG['character_not_allowed']).'").stop(true,true).show().fadeOut(1000);
-					event.preventDefault();
-					return false;
-				}
-				if (key !== "Alt" && key !== "Control" && key !== "Shift") $("#set_personal_saltkey_last_letter").html(key).stop(true,true).show().fadeOut(1400);
-				break;
-			}
-		}).bind("paste",function(e){
-			$("#set_personal_saltkey_warning").html("'.addslashes($LANG['error_not_allowed_to']).'").stop(true,true).show().fadeOut(1000);
-			e.preventDefault();
-		});
+        // prevent usage of symbols in Personal saltkey
+        $(".text_without_symbols").bind("keydown", function (event) {
+            switch (event.keyCode) {
+                case 8:  // Backspace
+                case 9:  // Tab
+                case 13: // Enter
+                case 37: // Left
+                case 38: // Up
+                case 39: // Right
+                case 40: // Down
+                break;
+                default:
+                var regex = new RegExp("^[a-zA-Z0-9.,/#&$@()%*]+$");
+                var key = event.key;
+                if (!regex.test(key)) {
+                    $("#set_personal_saltkey_warning").html("'.addslashes($LANG['character_not_allowed']).'").stop(true,true).show().fadeOut(1000);
+                    event.preventDefault();
+                    return false;
+                }
+                if (key !== "Alt" && key !== "Control" && key !== "Shift") $("#set_personal_saltkey_last_letter").html(key).stop(true,true).show().fadeOut(1400);
+                break;
+            }
+        }).bind("paste",function(e){
+            $("#set_personal_saltkey_warning").html("'.addslashes($LANG['error_not_allowed_to']).'").stop(true,true).show().fadeOut(1000);
+            e.preventDefault();
+        });
 
         setTimeout(function() { NProgress.done(); $(".fade").removeClass("out"); }, 1000);
     });';

sources/checks.php

@@ -16,13 +16,13 @@
 
 $pagesRights = array(
     "user" => array(
-        "home", "items", "find", "kb", "favourites", "suggestion", "folders", "duo_check"
+        "home", "items", "find", "kb", "favourites", "suggestion", "folders"
     ),
     "manager" => array(
-        "home", "items", "find", "kb", "favourites", "suggestion", "folders", "manage_roles", "manage_folders", "manage_views", "manage_users", "duo_check"
+        "home", "items", "find", "kb", "favourites", "suggestion", "folders", "manage_roles", "manage_folders", "manage_views", "manage_users"
     ),
     "admin" => array(
-        "home", "items", "find", "kb", "favourites", "suggestion", "folders", "manage_roles", "manage_folders", "manage_views", "manage_users", "manage_settings", "manage_main", "duo_check"
+        "home", "items", "find", "kb", "favourites", "suggestion", "folders", "manage_roles", "manage_folders", "manage_views", "manage_users", "manage_settings", "manage_main"
     )
 );
 

sources/identify.php

@@ -50,7 +50,7 @@
     $csrfp_config = include $_SESSION['settings']['cpassman_dir'].'/includes/libraries/csrfp/libs/csrfp.config.php';
 
     // return result
-    echo '[{"sig_request" : "'.$sig_request.'" , "csrfp_token" : "'.$csrfp_config['CSRFP_TOKEN'].'" , "csrfp_key" : "'.$COOKIE[$csrfp_config['CSRFP_TOKEN']].'"}]';
+    echo '[{"sig_request" : "'.$sig_request.'" , "csrfp_token" : "'.$csrfp_config['CSRFP_TOKEN'].'" , "csrfp_key" : "'.$_COOKIE[$csrfp_config['CSRFP_TOKEN']].'"}]';
 
 } elseif ($_POST['type'] == "identify_duo_user_check") {
     // this step is verifying the response received from the server