From a19253846efb6a724125115654c88fb19d2cf0b2 Mon Sep 17 00:00:00 2001
From: Tim de Boer
Date: Mon, 11 Dec 2023 17:07:28 +0100
Subject: [PATCH 1/2] Possible fix for #6621
---
 interface/lib/app.inc.php | 2 +-
 interface/lib/classes/remoting.inc.php | 12 ++++++------
 interface/web/login/index.php | 10 +++++-----
 interface/web/login/otp.php | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php
index 17c88b837a..cbf3d0bb70 100644
--- a/interface/lib/app.inc.php
+++ b/interface/lib/app.inc.php
@@ -361,7 +361,7 @@ class app extends stdClass {
 $maintenance_mode_exclude_ips = array_map('trim', explode(',', $system_config_misc['maintenance_mode_exclude_ips']));
 }
- return 'y' === $maintenance_mode && !in_array($_SERVER['REMOTE_ADDR'], $maintenance_mode_exclude_ips);
+ return 'y' === $maintenance_mode && !in_array($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'], $maintenance_mode_exclude_ips);
 }
 private function get_cookie_domain() {
diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php
index 7bd39645af..c8a86fa70c 100644
--- a/interface/lib/classes/remoting.inc.php
+++ b/interface/lib/classes/remoting.inc.php
@@ -87,7 +87,7 @@ class remoting {
 $app->db->query($sql);
 //* Check for max. login attempts
- $ip_md5 = md5($_SERVER['REMOTE_ADDR']);
+ $ip_md5 = md5($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
 $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
 $alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
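Review bot: The new `return` line lets the client rather than the server decide which address the maintenance-mode exclusion is checked against, because `HTTP_X_FORWARDED_FOR` is an ordinary request header any client can set and nothing here verifies that it was appended by a proxy this installation trusts. The same unconditional `?? $_SERVER['REMOTE_ADDR']` pattern is pasted into every hunk of both patches, so it also governs the login-attempt throttle (remoting.inc.php @@ -87 and @@ -571, login/index.php @@ -42), the `remote_ips` allow-list (@@ -190 / @@ -206), the remote-session binding (@@ -143 / @@ -599) and the admin whitelist (login/index.php @@ -78). Honour the header only when `REMOTE_ADDR` is one of a configured list of trusted proxy addresses, take the entry that trusted proxy appended rather than the whole comma-separated value, validate it with `filter_var(..., FILTER_VALIDATE_IP)`, and do this once in a helper on `app` that every call site uses instead of thirteen copies of the expression. A sketch of such a helper follows; the trusted-proxy list is passed in by the caller from configuration, since no config key for it exists yet.

```php
// … unchanged: class app body …
/**
 * Client address for access checks and logging.
 * X-Forwarded-For is honoured only when the direct peer (REMOTE_ADDR) is a
 * configured trusted proxy; from any other peer the header is client-controlled
 * and is ignored.
 */
public function get_client_ip(array $trusted_proxies = []) {
	$remote = $_SERVER['REMOTE_ADDR'] ?? '';
	if (!in_array($remote, $trusted_proxies, true) || empty($_SERVER['HTTP_X_FORWARDED_FOR'])) {
		return $remote;
	}
	// With a single trusted proxy hop the right-most entry is the one it appended;
	// earlier entries came from whoever connected to it and are not verified.
	$hops = array_map('trim', explode(',', $_SERVER['HTTP_X_FORWARDED_FOR']));
	$candidate = end($hops);
	return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : $remote;
}
```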
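Review bot: `$ip_md5` now hashes whatever the header carries, which behind more than one proxy is a comma-separated list, so the key the `attempts_login` lookup on the next line uses varies with the proxy chain rather than identifying one client, and a peer that sets the header itself can present a fresh key on every request so the five-minute window never accumulates. Normalise to a single validated address before hashing, e.g. `$ip_md5 = md5($client_ip);` where `$client_ip` comes from a trusted-proxy-aware helper; the same applies to @@ -571 below and to login/index.php @@ -42. The enclosing method starts and ends outside the hunk.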
@@ -143,7 +143,7 @@ class remoting {
 $remote_userid = $user['userid'];
 $remote_functions = '';
 $tstamp = time() + $this->session_timeout;
- $ip = $_SERVER['REMOTE_ADDR'];
+ $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
 $sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,client_login,tstamp,remote_ip' .') VALUES (?, ?, ?, 1, ?, ?)';
 $app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp,$ip);
@@ -190,7 +190,7 @@ class remoting {
 $allowed_ips[] = '127.0.0.1';
 $allowed_ips[] = '::1';
 $allowed_ips=array_unique($allowed_ips);
- $ip = $_SERVER['REMOTE_ADDR'];
+ $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
 $remote_allowed = @($ip == '::1' || $ip == '127.0.0.1')?true:false;
 if(!$remote_allowed && $remote_user['remote_access'] == 'y') {
 if(trim($remote_user['remote_ips']) == '') {
@@ -206,7 +206,7 @@ class remoting {
 }
 }
 if(!$remote_allowed) {
- throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['REMOTE_ADDR']);
+ throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
 return false;
 }
 //* Create a remote user session
@@ -571,7 +571,7 @@ class remoting {
 return false;
 }
- $ip_md5 = md5($_SERVER['REMOTE_ADDR']);
+ $ip_md5 = md5($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
 $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
 $alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
@@ -599,7 +599,7 @@ class remoting {
 return false;
 }
- $ip = $_SERVER['REMOTE_ADDR'];
+ $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
 if($session['remote_ip'] != $ip) {
 throw new SoapFault('session_ip_mismatch', 'Session IP mismatch.');
 return false;
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index 87844408d7..f302321dc1 100644
--- a/interface/web/login/index.php
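Review bot: `$ip` on the new line is written to `remote_session.remote_ip` and, in @@ -599 below, compared against the stored session value with `!=`; an X-Forwarded-For value can legitimately differ between two requests of the same client (a different proxy chain, a second proxy appending an entry), so the `session_ip_mismatch` fault will now hit real users, while a peer that sets the header itself can satisfy the comparison with any value it likes. Store one validated address obtained from a trusted-proxy-aware helper and compare it with `!==`. The width of the `remote_ip` column is not visible here; presumably it was sized for a single address, so a multi-entry list may also be truncated on insert — verify against the schema. The enclosing method continues outside the hunk.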
+++ b/interface/web/login/index.php
@@ -42,7 +42,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 if (!preg_match("/^.{1,256}$/i", $_POST['password'])) $error = $app->lng('pw_error_length');
 //** importing variables
- $ip = md5($_SERVER['REMOTE_ADDR']);
+ $ip = md5($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
 $username = $_POST['username'];
 $password = $_POST['password'];
 $loginAs = false;
@@ -78,7 +78,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 // Maintenance mode - allow logins only when maintenance mode is off or if the user is admin
 if ($app->is_under_maintenance() && $user['typ'] != 'admin') return;
- if ($user['typ'] == 'admin' && !is_admin_ip_whitelisted($_SERVER['REMOTE_ADDR'], $conf)) {
+ if ($user['typ'] == 'admin' && !is_admin_ip_whitelisted($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'], $conf)) {
 // TODO: if it's not a security risk (information disclosure) to
 // let the user know they are not whitelisted, then change this
 // error message to a more appropriate one
@@ -135,7 +135,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 if ($loginAs) {
 echo 'LOGIN_REDIRECT:'.$_SESSION['s']['module']['startpage'];
 $app->plugin->raiseEvent('login', $username);
- $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
+ $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
 exit;
 } else {
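Review bot: The `auth_log` line now writes the raw header value into the authentication log; a request header is arbitrary bytes, so without validation a client can place anything in it — including line breaks that fabricate additional log entries — in a file operators rely on for incident review. Log only a value that passed `filter_var($ip, FILTER_VALIDATE_IP)`, and consider recording `REMOTE_ADDR` alongside the forwarded address so the proxy hop stays auditable. The same applies to the `auth_log` calls in @@ -157 and @@ -177 and in login/otp.php @@ -66, in both patches. In this patch the `.` also binds tighter than `??`, so the fallback never applies and the message is cut off after `from `; the second patch on this page adds the parentheses that correct that. process_login_request continues outside the hunk.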
@@ -157,7 +157,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 die();
 } else {
 $app->plugin->raiseEvent('login', $username);
- $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
+ $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
 header('Location: ../index.php');
 die();
 }
@@ -177,7 +177,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 if ($app->db->errorMessage != '') $error .= '
'.$app->db->errorMessage != '';
 $app->plugin->raiseEvent('login_failed', $username);
- $app->auth_log('Failed login for user \''. $username .'\' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s'));
+ $app->auth_log('Failed login for user \''. $username .'\' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s'));
 }
 }
diff --git a/interface/web/login/otp.php b/interface/web/login/otp.php
index a0a4c0c6eb..e0bb6a5cd7 100644
--- a/interface/web/login/otp.php
+++ b/interface/web/login/otp.php
@@ -66,7 +66,7 @@ function finish_2fa_success($msg = '') {
 if (!empty($msg)) {
 $msg = ' ' . $msg;
 }
- $app->auth_log('Successful login for user \''. $username .'\'' . $msg . ' from '. $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
+ $app->auth_log('Successful login for user \''. $username .'\'' . $msg . ' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
 $app->db->query('UPDATE `sys_user` SET otp_attempts=0 WHERE userid = ?', $_SESSION['s']['user']['userid']);
 session_write_close();
 header('Location: ../index.php');
-- 
GitLab
From 7aef5551b77f80e212571a177e49dbee8423d7fa Mon Sep 17 00:00:00 2001
From: Tim de Boer
Date: Mon, 11 Dec 2023 17:14:56 +0100
Subject: [PATCH 2/2] Added brackets for consitency
---
 interface/lib/app.inc.php | 2 +-
 interface/lib/classes/remoting.inc.php | 12 ++++++------
 interface/web/login/index.php | 10 +++++-----
 interface/web/login/otp.php | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)
diff --git a/interface/lib/app.inc.php b/interface/lib/app.inc.php
index cbf3d0bb70..09efe96837 100644
--- a/interface/lib/app.inc.php
+++ b/interface/lib/app.inc.php
@@ -361,7 +361,7 @@ class app extends stdClass {
 $maintenance_mode_exclude_ips = array_map('trim', explode(',', $system_config_misc['maintenance_mode_exclude_ips']));
 }
- return 'y' === $maintenance_mode && !in_array($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'], $maintenance_mode_exclude_ips);
+ return 'y' === $maintenance_mode && !in_array(($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']), $maintenance_mode_exclude_ips);
 }
 private function get_cookie_domain() {
diff --git a/interface/lib/classes/remoting.inc.php b/interface/lib/classes/remoting.inc.php
index c8a86fa70c..04a49af0ea 100644
--- a/interface/lib/classes/remoting.inc.php
+++ b/interface/lib/classes/remoting.inc.php
@@ -87,7 +87,7 @@ class remoting {
 $app->db->query($sql);
 //* Check for max. login attempts
- $ip_md5 = md5($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
+ $ip_md5 = md5(($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']));
 $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
 $alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
@@ -143,7 +143,7 @@ class remoting {
 $remote_userid = $user['userid'];
 $remote_functions = '';
 $tstamp = time() + $this->session_timeout;
- $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
+ $ip = ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
 $sql = 'INSERT INTO remote_session (remote_session,remote_userid,remote_functions,client_login,tstamp,remote_ip' .') VALUES (?, ?, ?, 1, ?, ?)';
 $app->db->query($sql, $remote_session,$remote_userid,$remote_functions,$tstamp,$ip);
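Review bot: The parentheses make `??` apply before the surrounding call or concatenation, but `??` only substitutes when the index is missing or null: a request carrying an empty `X-Forwarded-For:` header yields `''`, which is then handed to `in_array` here and to `md5`, the allow-list checks and the log lines in the other hunks in place of `REMOTE_ADDR`. Validate the value with `filter_var(..., FILTER_VALIDATE_IP)` and fall back to `REMOTE_ADDR` when that fails, rather than relying on `??` alone. As a point of style, the brackets are only needed on the concatenation lines; on plain assignments and single-argument calls such as `md5(($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']))` in remoting.inc.php @@ -87 they are redundant, and thirteen identical expressions argue for one helper method on `app` rather than consistent bracketing. That the header is honoured from any peer, not just from a configured trusted proxy, is unchanged by this patch.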
@@ -190,7 +190,7 @@ class remoting {
 $allowed_ips[] = '127.0.0.1';
 $allowed_ips[] = '::1';
 $allowed_ips=array_unique($allowed_ips);
- $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
+ $ip = ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
 $remote_allowed = @($ip == '::1' || $ip == '127.0.0.1')?true:false;
 if(!$remote_allowed && $remote_user['remote_access'] == 'y') {
 if(trim($remote_user['remote_ips']) == '') {
@@ -206,7 +206,7 @@ class remoting {
 }
 }
 if(!$remote_allowed) {
- throw new SoapFault('login_failed', 'The login is not allowed from '.$_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
+ throw new SoapFault('login_failed', 'The login is not allowed from '.($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']));
 return false;
 }
 //* Create a remote user session
@@ -571,7 +571,7 @@ class remoting {
 return false;
 }
- $ip_md5 = md5($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
+ $ip_md5 = md5(($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']));
 $sql = "SELECT * FROM `attempts_login` WHERE `ip`= ? AND `login_time` > (NOW() - INTERVAL 5 MINUTE) LIMIT 1";
 $alreadyfailed = $app->db->queryOneRecord($sql, $ip_md5);
@@ -599,7 +599,7 @@ class remoting {
 return false;
 }
- $ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];
+ $ip = ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
 if($session['remote_ip'] != $ip) {
 throw new SoapFault('session_ip_mismatch', 'Session IP mismatch.');
 return false;
diff --git a/interface/web/login/index.php b/interface/web/login/index.php
index f302321dc1..47ba7d9426 100644
--- a/interface/web/login/index.php
+++ b/interface/web/login/index.php
@@ -42,7 +42,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 if (!preg_match("/^.{1,256}$/i", $_POST['password'])) $error = $app->lng('pw_error_length');
 //** importing variables
- $ip = md5($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']);
+ $ip = md5(($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']));
 $username = $_POST['username'];
 $password = $_POST['password'];
 $loginAs = false;
@@ -78,7 +78,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 // Maintenance mode - allow logins only when maintenance mode is off or if the user is admin
 if ($app->is_under_maintenance() && $user['typ'] != 'admin') return;
- if ($user['typ'] == 'admin' && !is_admin_ip_whitelisted($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'], $conf)) {
+ if ($user['typ'] == 'admin' && !is_admin_ip_whitelisted(($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']), $conf)) {
 // TODO: if it's not a security risk (information disclosure) to
 // let the user know they are not whitelisted, then change this
 // error message to a more appropriate one
@@ -135,7 +135,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 if ($loginAs) {
 echo 'LOGIN_REDIRECT:'.$_SESSION['s']['module']['startpage'];
 $app->plugin->raiseEvent('login', $username);
- $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
+ $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']) .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
 exit;
 } else {
@@ -157,7 +157,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 die();
 } else {
 $app->plugin->raiseEvent('login', $username);
- $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
+ $app->auth_log('Successful login for user \''. $username .'\' ' . $msg . ' from '. ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']) .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
 header('Location: ../index.php');
 die();
 }
@@ -177,7 +177,7 @@ function process_login_request(app $app, &$error, $conf, $module)
 if ($app->db->errorMessage != '') $error .= '
'.$app->db->errorMessage != '';
 $app->plugin->raiseEvent('login_failed', $username);
- $app->auth_log('Failed login for user \''. $username .'\' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s'));
+ $app->auth_log('Failed login for user \''. $username .'\' from '. ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']) .' at '. date('Y-m-d H:i:s'));
 }
 }
diff --git a/interface/web/login/otp.php b/interface/web/login/otp.php
index e0bb6a5cd7..d1ec51e9e0 100644
--- a/interface/web/login/otp.php
+++ b/interface/web/login/otp.php
@@ -66,7 +66,7 @@ function finish_2fa_success($msg = '') {
 if (!empty($msg)) {
 $msg = ' ' . $msg;
 }
- $app->auth_log('Successful login for user \''. $username .'\'' . $msg . ' from '. $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'] .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
+ $app->auth_log('Successful login for user \''. $username .'\'' . $msg . ' from '. ($_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR']) .' at '. date('Y-m-d H:i:s') . ' with session ID ' .session_id());
 $app->db->query('UPDATE `sys_user` SET otp_attempts=0 WHERE userid = ?', $_SESSION['s']['user']['userid']);
 session_write_close();
 header('Location: ../index.php');
-- 
GitLab