Fixed security issue reported by huntr.dev: Session cookie missed the…

… "secure" flag. Thanks for reporting!
flatpressblog · Oct 23, 2021 · e2a6bf1 · e2a6bf1
1 parent f4209dc
commit e2a6bf1
Show file tree

Hide file tree

Showing 5 changed files with 138 additions and 139 deletions.
diff --git a/defaults.php b/defaults.php
@@ -120,10 +120,9 @@
 }
 $serverport = "false";
 // Unterstützung für Apache und IIS
+ini_set('session.cookie_secure', 1);
 if (isset($_SERVER ['HTTPS']) && ($_SERVER ['HTTPS'] == '1' || strtolower($_SERVER ['HTTPS']) == 'on')) {
 	$serverport = "https://";
-	// Uses a secure connection (HTTPS) if possible
-	ini_set('session.cookie_secure', 1);
 } else {
 	$serverport = "http://";
 }

diff --git a/fp-includes/core/core.cookie.php b/fp-includes/core/core.cookie.php
@@ -1,138 +1,141 @@
 <?php
 
 function cookie_setup() {
-
-global $fp_config;
-
-// md5(BLOG_BASEURL);
-
-if ( !defined('COOKIEHASH') )
-	define('COOKIEHASH', $fp_config['general']['blogid']);
-
-if ( !defined('USER_COOKIE') )
-        define('USER_COOKIE', 'fpuser_'. COOKIEHASH);
-if ( !defined('PASS_COOKIE') )
-        define('PASS_COOKIE', 'fppass_'. COOKIEHASH);
-if ( !defined('SESS_COOKIE') )
-        define('SESS_COOKIE', 'fpsess_'. COOKIEHASH);
-
-if ( !defined('COOKIEPATH') )
-        define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL ) );
-if ( !defined('SITECOOKIEPATH') )
-        define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL ) );
-if ( !defined('COOKIE_DOMAIN') )
-        define('COOKIE_DOMAIN', false);
-
-
+	global $fp_config;
+
+	// md5(BLOG_BASEURL);
+
+	if (!defined('COOKIEHASH'))
+		define('COOKIEHASH', $fp_config ['general'] ['blogid']);
+
+	if (!defined('USER_COOKIE'))
+		define('USER_COOKIE', 'fpuser_' . COOKIEHASH);
+	if (!defined('PASS_COOKIE'))
+		define('PASS_COOKIE', 'fppass_' . COOKIEHASH);
+	if (!defined('SESS_COOKIE'))
+		define('SESS_COOKIE', 'fpsess_' . COOKIEHASH);
+
+	if (!defined('COOKIEPATH'))
+		define('COOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL));
+	if (!defined('SITECOOKIEPATH'))
+		define('SITECOOKIEPATH', preg_replace('|https?://[^/]+|i', '', BLOG_BASEURL));
+	if (!defined('COOKIE_DOMAIN'))
+		define('COOKIE_DOMAIN', false);
+	if (!defined('COOKIE_SECURE'))
+		define('COOKIE_SECURE', true);
 }
 
-if ( !function_exists('wp_get_cookie_login') ):
-function wp_get_cookie_login() {
-	if ( empty($_COOKIE[USER_COOKIE]) || empty($_COOKIE[PASS_COOKIE]) )
-		return false;
+if (!function_exists('wp_get_cookie_login')) :
 
-	return array('login' => $_COOKIE[USER_COOKIE],	'password' => $_COOKIE[PASS_COOKIE]);
-}
+	function wp_get_cookie_login() {
+		if (empty($_COOKIE [USER_COOKIE]) || empty($_COOKIE [PASS_COOKIE]))
+			return false;
+
+		return array(
+			'login' => $_COOKIE [USER_COOKIE],
+			'password' => $_COOKIE [PASS_COOKIE]
+		);
+	}
 
 endif;
 
+
 function cookie_set($username, $password, $already_md5 = false, $home = '', $siteurl = '', $remember = false) {
-	if ( !$already_md5 )
-		$password = md5( md5($password) ); // Double hash the password in the cookie.
+	if (!$already_md5)
+		$password = md5(md5($password)); // Double hash the password in the cookie.
 
-	if ( empty($home) )
+	if (empty($home))
 		$cookiepath = COOKIEPATH;
 	else
-		$cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/' );
+		$cookiepath = preg_replace('|https?://[^/]+|i', '', $home . '/');
 
-	if ( empty($siteurl) ) {
+	if (empty($siteurl)) {
 		$sitecookiepath = SITECOOKIEPATH;
 		$cookiehash = COOKIEHASH;
 	} else {
-		$sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/' );
+		$sitecookiepath = preg_replace('|https?://[^/]+|i', '', $siteurl . '/');
 		$cookiehash = md5($siteurl);
 	}
 
-	if ( $remember )
+	if ($remember)
 		$expire = time() + 31536000;
 	else
 		$expire = 0;
 
-	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN);
+	setcookie(USER_COOKIE, $username, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(PASS_COOKIE, $password, $expire, $cookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
 
-	if ( $cookiepath != $sitecookiepath ) {
-		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN);
+	if ($cookiepath != $sitecookiepath) {
+		setcookie(USER_COOKIE, $username, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(PASS_COOKIE, $password, $expire, $sitecookiepath, COOKIE_DOMAIN, COOKIE_SECURE);
 	}
 }
 
 function cookie_clear() {
-	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
-	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(USER_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+	setcookie(PASS_COOKIE, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
 }
 
+if (!function_exists('wp_login')) :
 
-if ( !function_exists('wp_login') ) :
-function wp_login($username, $password, $already_md5 = false) {
-	global $wpdb, $error;
+	function wp_login($username, $password, $already_md5 = false) {
+		global $wpdb, $error;
 
-	$username = sanitize_user($username);
+		$username = sanitize_user($username);
 
-	if ( '' == $username )
-		return false;
+		if ('' == $username)
+			return false;
 
-	if ( '' == $password ) {
-		$error = __('<strong>ERROR</strong>: The password field is empty.');
-		return false;
-	}
+		if ('' == $password) {
+			$error = __('<strong>ERROR</strong>: The password field is empty.');
+			return false;
+		}
 
-	$login = get_userdatabylogin($username);
-	//$login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
+		$login = get_userdatabylogin($username);
+		// $login = $wpdb->get_row("SELECT ID, user_login, user_pass FROM $wpdb->users WHERE user_login = '$username'");
 
-	if (!$login) {
-		$error = __('<strong>ERROR</strong>: Invalid username.');
-		return false;
-	} else {
-		// If the password is already_md5, it has been double hashed.
-		// Otherwise, it is plain text.
-		if ( ($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password)) ) {
-			return true;
-		} else {
-			$error = __('<strong>ERROR</strong>: Incorrect password.');
-			$pwd = '';
+		if (!$login) {
+			$error = __('<strong>ERROR</strong>: Invalid username.');
 			return false;
+		} else {
+			// If the password is already_md5, it has been double hashed.
+			// Otherwise, it is plain text.
+			if (($already_md5 && md5($login->user_pass) == $password) || ($login->user_login == $username && $login->user_pass == md5($password))) {
+				return true;
+			} else {
+				$error = __('<strong>ERROR</strong>: Incorrect password.');
+				$pwd = '';
+				return false;
+			}
 		}
 	}
-}
 endif;
 
-if ( !function_exists('is_user_logged_in') ) :
-function is_user_logged_in() {
-	$user = wp_get_current_user();
+if (!function_exists('is_user_logged_in')) :
 
-	if ( $user->id == 0 )
-		return false;
+	function is_user_logged_in() {
+		$user = wp_get_current_user();
 
-	return true;
-}
+		if ($user->id == 0)
+			return false;
+
+		return true;
+	}
 endif;
 
-if ( !function_exists('auth_redirect') ) :
-function auth_redirect() {
-	// Checks if a user is logged in, if not redirects them to the login page
-	if ( (!empty($_COOKIE[USER_COOKIE]) &&
-				!wp_login($_COOKIE[USER_COOKIE], $_COOKIE[PASS_COOKIE], true)) ||
-			 (empty($_COOKIE[USER_COOKIE])) ) {
-		nocache_headers();
+if (!function_exists('auth_redirect')) :
+
+	function auth_redirect() {
+		// Checks if a user is logged in, if not redirects them to the login page
+		if ((!empty($_COOKIE [USER_COOKIE]) && !wp_login($_COOKIE [USER_COOKIE], $_COOKIE [PASS_COOKIE], true)) || (empty($_COOKIE [USER_COOKIE]))) {
+			nocache_headers();
 
-		wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER['REQUEST_URI']));
-		exit();
+			wp_redirect(get_option('siteurl') . '/wp-login.php?redirect_to=' . urlencode($_SERVER ['REQUEST_URI']));
+			exit();
+		}
 	}
-}
 endif;
 
-
 ?>
diff --git a/fp-includes/core/core.session.php b/fp-includes/core/core.session.php
@@ -1,44 +1,41 @@
 <?php
 
-
-
-	function sess_setup() {
-		if (SESSION_PATH != '')
-			session_save_path(SESSION_PATH);
-
-		session_name(SESS_COOKIE);
-
-		session_start();
-
-	}
-
-
-	function sess_add($key, $val) {
-		$_SESSION[$key] = $val;
-	}
-
-
-	function sess_remove($key) {
-		if (isset($_SESSION[$key])) {
-			$oldval=$_SESSION[$key];
-			unset($_SESSION[$key]);
-			return $oldval;
-		}
-	}
-
-	function sess_get($key) {
-		 if (isset($_SESSION[$key]))
-			 return $_SESSION[$key];
-		 else return false;
+function sess_setup() {
+	if (SESSION_PATH != '')
+		session_save_path(SESSION_PATH);
+
+	session_name(SESS_COOKIE);
+	setcookie(SESS_COOKIE, '', 0, '', COOKIE_DOMAIN, COOKIE_SECURE);
+
+	session_start();
+}
+
+function sess_add($key, $val) {
+	$_SESSION [$key] = $val;
+}
+
+function sess_remove($key) {
+	if (isset($_SESSION [$key])) {
+		$oldval = $_SESSION [$key];
+		unset($_SESSION [$key]);
+		return $oldval;
 	}
-
-	function sess_close() {
-		unset($_SESSION);
-		if (isset($_COOKIE[session_name()])) {
-			setcookie(session_name(), '', time()-42000, '/');
-			session_set_cookie_params(-42000);
-		}
-		session_destroy();
+}
+
+function sess_get($key) {
+	if (isset($_SESSION [$key]))
+		return $_SESSION [$key];
+	else
+		return false;
+}
+
+function sess_close() {
+	unset($_SESSION);
+	if (isset($_COOKIE [session_name()])) {
+		setcookie(session_name(), '', time() - 42000, '/', COOKIE_SECURE);
+		session_set_cookie_params(-42000);
 	}
+	session_destroy();
+}
 
 ?>
diff --git a/fp-includes/core/core.users.php b/fp-includes/core/core.users.php
@@ -64,8 +64,8 @@ function user_login($userid, $pwd, $params = null) {
 	if ($loggedin) {
 		// session_regenerate_id();
 		$expire = time() + 31536000;
-		setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN);
+		setcookie(USER_COOKIE, $userid, $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(PASS_COOKIE, $user ['password'], $expire, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
 	}
 
 	return $loggedin;
@@ -76,8 +76,8 @@ function user_logout() {
 
 	if (user_loggedin()) {
 
-		setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
-		setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN);
+		setcookie(USER_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
+		setcookie(PASS_COOKIE, ' ', time() - 31536000, COOKIEPATH, COOKIE_DOMAIN, COOKIE_SECURE);
 	}
 
 	$loggedin = false;

diff --git a/fp-includes/core/core.wp-pluggable-funcs.php b/fp-includes/core/core.wp-pluggable-funcs.php
@@ -290,23 +290,23 @@ function wp_setcookie($username, $password, $already_md5 = false, $home = '', $s
 			$cookiehash = md5($siteurl);
 		}
 
-		setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath);
-		setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath);
+		setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $cookiepath, COOKIE_SECURE);
+		setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $cookiepath, COOKIE_SECURE);
 
 		if ($cookiepath != $sitecookiepath) {
-			setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath);
-			setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath);
+			setcookie('wordpressuser_' . $cookiehash, $username, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
+			setcookie('wordpresspass_' . $cookiehash, $password, time() + 31536000, $sitecookiepath, COOKIE_SECURE);
 		}
 	}
 endif;
 
 if (!function_exists('wp_clearcookie')) :
 
 	function wp_clearcookie() {
-		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
-		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH);
-		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH);
-		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH);
+		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
+		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, COOKIEPATH, COOKIE_SECURE);
+		setcookie('wordpressuser_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
+		setcookie('wordpresspass_' . COOKIEHASH, ' ', time() - 31536000, SITECOOKIEPATH, COOKIE_SECURE);
 	}
 endif;