path: root/www/typolight26/patches/patch-ad
blob: dccb9b18cfb0ddefdd69de9c3e758f9ec863ad45 (plain)
$NetBSD: patch-ad,v 1.1 2009/12/20 04:21:05 taca Exp $

* Security fix:
	http://www.typolight.org/news/items/major-security-hole-in-the-typolight-install-tool.html

--- typolight/ftp.php.orig	2008-12-13 15:27:05.000000000 +0000
+++ typolight/ftp.php
@@ -88,6 +88,9 @@ class FtpCheck extends Controller
 		 */
 		if ($this->Input->post('FORM_SUBMIT') == 'tl_login')
 		{
+			$_SESSION['TL_INSTALL_AUTH'] = '';
+			$_SESSION['TL_INSTALL_EXPIRE'] = 0;
+
 			$password =  sha1($this->Input->post('password', true));
 
 			if (strlen($password) && $password != 'da39a3ee5e6b4b0d3255bfef95601890afd80709')
@@ -95,7 +98,10 @@ class FtpCheck extends Controller
 				// Set cookie
 				if ($password == $GLOBALS['TL_CONFIG']['installPassword'])
 				{
-					$this->setCookie('TL_INSTALL_AUTH', md5($this->Environment->ip.session_id()), (time()+300), $GLOBALS['TL_CONFIG']['websitePath']);
+					$_SESSION['TL_INSTALL_EXPIRE'] = (time() + 300);
+					$_SESSION['TL_INSTALL_AUTH'] = md5(uniqid('', true) . $this->Environment->ip . session_id());
+
+					$this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], $GLOBALS['TL_CONFIG']['websitePath']);
 					$this->Config->update("\$GLOBALS['TL_CONFIG']['installCount']", 0);
 
 					$this->reload();
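Review bot: The token set on the `$_SESSION['TL_INSTALL_AUTH']` line is derived from session_id(), but the session id is not regenerated when the password check succeeds, so a session id established before authentication keeps working after it; add `session_regenerate_id(true);` as the first statement of this branch, before the two `$_SESSION` writes. The three new lines here (expiry, token, setCookie) are repeated verbatim in the renewal `else` branch of the following hunk, so a small private method that sets both session slots and the cookie would keep the two paths from drifting. uniqid('', true) is not a cryptographic source, so the token's unpredictability appears to rest on session_id() and the client IP; a comment such as `// token secrecy relies on session_id() being unguessable` would make that dependency explicit. The enclosing method begins before this hunk and continues past it.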
@@ -109,14 +115,20 @@ class FtpCheck extends Controller
 		}
 
 		// Check cookie
-		if (!$this->Input->cookie('TL_INSTALL_AUTH'))
+		if (!$this->Input->cookie('TL_INSTALL_AUTH') || $_SESSION['TL_INSTALL_AUTH'] == '' || $this->Input->cookie('TL_INSTALL_AUTH') != $_SESSION['TL_INSTALL_AUTH'] || $_SESSION['TL_INSTALL_EXPIRE'] < time())
 		{
 			$this->Template->login = true;
 			$this->outputAndExit();
 		}
 
 		// Renew cookie
-		$this->setCookie('TL_INSTALL_AUTH', md5($this->Environment->ip.session_id()), (time()+300), $GLOBALS['TL_CONFIG']['websitePath']);
+		else
+		{
+			$_SESSION['TL_INSTALL_EXPIRE'] = (time() + 300);
+			$_SESSION['TL_INSTALL_AUTH'] = md5(uniqid('', true) . $this->Environment->ip . session_id());
+
+			$this->setCookie('TL_INSTALL_AUTH', $_SESSION['TL_INSTALL_AUTH'], $_SESSION['TL_INSTALL_EXPIRE'], $GLOBALS['TL_CONFIG']['websitePath']);
+		}
 
 
 		/**
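Review bot: The cookie check in the new `if` line compares the cookie with the session token using `!=`, and PHP's loose comparison treats numeric-looking strings (such as an md5 hex digest of the form `0e` followed by digits) as numbers, so two different tokens can compare equal; change it to `$this->Input->cookie('TL_INSTALL_AUTH') !== $_SESSION['TL_INSTALL_AUTH']` and likewise `$_SESSION['TL_INSTALL_AUTH'] == ''` to `=== ''`. The same line reads `$_SESSION['TL_INSTALL_AUTH']` and `$_SESSION['TL_INSTALL_EXPIRE']` without an isset() guard, which presumably emits undefined-index notices on a first visit before any login POST has initialised them (the first hunk only sets them inside the `tl_login` branch); guarding with `empty($_SESSION['TL_INSTALL_AUTH'])` and `empty($_SESSION['TL_INSTALL_EXPIRE'])` covers both the unset and the cleared case. The `else` after a block that ends in outputAndExit() is redundant; the renewal code can follow the `if` unindented as the original did. The enclosing method begins before these hunks and continues past this one.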