Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Airtime 2.5.1 session pinning patch (fixes CVE-2014-4915)
diff --git a/airtime_mvc/application/Bootstrap.php b/airtime_mvc/application/Bootstrap.php
index 74c1cd6..5bafe0f 100644
--- a/airtime_mvc/application/Bootstrap.php
+++ b/airtime_mvc/application/Bootstrap.php
@@ -14,8 +14,10 @@ require_once "DateHelper.php";
require_once "OsPath.php";
require_once "Database.php";
require_once "Timezone.php";
+require_once "Auth.php";
require_once __DIR__.'/forms/helpers/ValidationTypes.php';
require_once __DIR__.'/controllers/plugins/RabbitMqPlugin.php';
+
require_once (APPLICATION_PATH."/logging/Logging.php");
Logging::setLogPath('/var/log/airtime/zendphp.log');
@@ -25,6 +27,8 @@ require_once __DIR__."/configs/navigation.php";
Zend_Validate::setDefaultNamespaces("Zend");
+Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
+
$front = Zend_Controller_Front::getInstance();
$front->registerPlugin(new RabbitMqPlugin());
diff --git a/airtime_mvc/application/controllers/LoginController.php b/airtime_mvc/application/controllers/LoginController.php
index 4c58a6b..84af7f9 100644
--- a/airtime_mvc/application/controllers/LoginController.php
+++ b/airtime_mvc/application/controllers/LoginController.php
@@ -14,9 +14,10 @@ class LoginController extends Zend_Controller_Action
$request = $this->getRequest();
Application_Model_Locale::configureLocalization($request->getcookie('airtime_locale', 'en_CA'));
- if (Zend_Auth::getInstance()->hasIdentity())
+ $auth = Zend_Auth::getInstance();
+
+ if ($auth->hasIdentity())
{
-
$this->_redirect('Showbuilder');
}
@@ -52,8 +53,7 @@ class LoginController extends Zend_Controller_Action
//pass to the adapter the submitted username and password
$authAdapter->setIdentity($username)
->setCredential($password);
-
- $auth = Zend_Auth::getInstance();
+
$result = $auth->authenticate($authAdapter);
if ($result->isValid()) {
//all info about this user from the login table omit only the password
@@ -66,14 +66,12 @@ class LoginController extends Zend_Controller_Action
Application_Model_LoginAttempts::resetAttempts($_SERVER['REMOTE_ADDR']);
Application_Model_Subjects::resetLoginAttempts($username);
- $tempSess = new Zend_Session_Namespace("referrer");
- $tempSess->referrer = 'login';
-
//set the user locale in case user changed it in when logging in
Application_Model_Preference::SetUserLocale($locale);
$this->_redirect('Showbuilder');
} else {
+
$message = _("Wrong username or password provided. Please try again.");
Application_Model_Subjects::increaseLoginAttempts($username);
Application_Model_LoginAttempts::increaseAttempts($_SERVER['REMOTE_ADDR']);
@@ -96,7 +94,8 @@ class LoginController extends Zend_Controller_Action
public function logoutAction()
{
- Zend_Auth::getInstance()->clearIdentity();
+ $auth = Zend_Auth::getInstance();
+ $auth->clearIdentity();
$this->_redirect('showbuilder/index');
}
diff --git a/airtime_mvc/application/controllers/plugins/Acl_plugin.php b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
index 44555e5..2771b11 100644
--- a/airtime_mvc/application/controllers/plugins/Acl_plugin.php
+++ b/airtime_mvc/application/controllers/plugins/Acl_plugin.php
@@ -109,9 +109,9 @@ class Zend_Controller_Plugin_Acl extends Zend_Controller_Plugin_Abstract
public function preDispatch(Zend_Controller_Request_Abstract $request)
{
$controller = strtolower($request->getControllerName());
+ Application_Model_Auth::pinSessionToClient(Zend_Auth::getInstance());
if (in_array($controller, array("api", "auth", "locale"))) {
-
$this->setRoleName("G");
} elseif (!Zend_Auth::getInstance()->hasIdentity()) {
diff --git a/airtime_mvc/application/models/Auth.php b/airtime_mvc/application/models/Auth.php
index 104ee80..37b9cae 100644
--- a/airtime_mvc/application/models/Auth.php
+++ b/airtime_mvc/application/models/Auth.php
@@ -101,4 +101,18 @@ class Application_Model_Auth
return $string;
}
+
+ /** It is essential to do this before interacting with Zend_Auth otherwise sessions could be shared between
+ * different copies of Airtime on the same webserver. This essentially pins this session to:
+ * - The server hostname - including subdomain so we segment multiple Airtime installs on different subdomains
+ * - The remote IP of the browser - to help prevent session hijacking
+ * - The client ID - same reason as server hostname
+ * @param Zend_Auth $auth Get this with Zend_Auth::getInstance().
+ */
+ public static function pinSessionToClient($auth)
+ {
+ $serverName = isset($_SERVER['SERVER_NAME']) ? $_SERVER['SERVER_NAME'] : "";
+ $remoteAddr = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : "";
+ $auth->setStorage(new Zend_Auth_Storage_Session('Airtime' . $serverName . $remoteAddr . Application_Model_Preference::GetClientId()));
+ }
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.