From 0a39b60eeea67675e997f1bf3a44a68757ebb294 Mon Sep 17 00:00:00 2001
From: Josh North
Date: Fri, 28 May 2021 17:02:01 -0400
Subject: [PATCH] Vulnerability mitigation
---
changelang.php | 2 +-
changesite.php | 2 +-
inc/header.inc.php | 7 ++++---
index.php | 13 ++++++++++++-
login.php | 9 +++++++--
logout.php | 6 +++++-
profile.php | 6 +++++-
reports.php | 6 +++++-
signin.php | 9 +++++++--
signin_1.php | 9 +++++++--
signin_2.php | 9 +++++++--
signin_3.php | 9 +++++++--
signin_4.php | 9 +++++++--
signin_display.php | 9 +++++++--
signout.php | 9 +++++++--
src/Misc/Csrf.php | 2 +-
users.php | 6 +++++-
17 files changed, 95 insertions(+), 27 deletions(-)
diff --git a/changelang.php b/changelang.php
index df36a9e..8aa906c 100755
--- a/changelang.php
+++ b/changelang.php
@@ -21,6 +21,6 @@
 'expires' => time() + 60*60*24*90,
 'secure' => true,
 'httponly' => true,
- 'samesite' => 'None',
+ 'samesite' => 'Strict',
 ]);
 header('Location: index.php'); // GO HOME UNTIL WE ADD REFERER LOGIC
diff --git a/changesite.php b/changesite.php
index 7398fdb..f1d622e 100755
--- a/changesite.php
+++ b/changesite.php
@@ -21,6 +21,6 @@
 'expires' => time() + 60*60*24*90,
 'secure' => true,
 'httponly' => true,
- 'samesite' => 'None',
+ 'samesite' => 'Strict',
 ]);
 header('Location: index.php'); // GO HOME UNTIL WE ADD REFERER LOGIC
diff --git a/inc/header.inc.php b/inc/header.inc.php
index 4340771..44183e1 100644
--- a/inc/header.inc.php
+++ b/inc/header.inc.php
@@ -21,7 +21,7 @@
 //ini_set('session.gc_divisor', 100); // TIMES
 //session_save_path('.tmp'); // TEMP
 //session_start(); // START
- //ini_set("session. cookie_httponly", 1);
+ //ini_set("session.cookie_httponly", 1);
 require_once __DIR__ . '/../autoload.php'; // AUTOLOAD
 use App\LobbySIO\Config\Registry;
 use App\LobbySIO\Misc\Csrf; // ANTICSRF
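Review bot: `SameSite=Strict` on the language-preference cookie (the added `'samesite' => 'Strict',` line in changelang.php) is stricter than a non-credential cookie needs and has a visible cost: Strict cookies are withheld on every cross-site top-level navigation, so a visitor following a link from another site gets the default language on that first page load. `Lax` already blocks cross-site POSTs and subresource requests while still being sent on ordinary link navigations; `Strict` is the right choice for the session and CSRF cookies, not for a preference. If the stricter value is deliberate, a one-line comment saying why would stop the next reader from "fixing" it; otherwise use `'samesite' => 'Lax',`. The identical hunk in changesite.php has the same trade-off.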
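Review bot: The inc/header.inc.php hunk only corrects a typo inside a commented-out line, so the include still carries a dead copy of the session bootstrap while the live copy is pasted, now five lines longer, into eleven page scripts elsewhere in this patch. Hardening flags that live in eleven places drift: the next option has to be added eleven times, and the one file that is missed silently gets a weaker cookie. Consider moving the `ini_set(...)` block and `session_start()` into a single include that every page requires before any output, and deleting the commented-out block here instead of maintaining it.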
@@ -80,8 +80,9 @@
 $timeplus = new DateTime($StaticFunctions->getUTC(), new DateTimeZone('UTC')); // DUMB WAY TO CALCULATE SOME TIMES
 $timeplus->setTimezone(new DateTimeZone("$timezone"));
 $timenow = $timeplus->format('Y-m-d H:i:s');
- header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Frame-Options: SAMEORIGIN");
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/index.php b/index.php
index 7d61b83..894f49b 100644
--- a/index.php
+++ b/index.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -77,6 +81,13 @@
 $app_current_pagename = $transLang['HOME']; // PAGE SETUP
 $app_current_pageicon = ' ';
 require_once("inc/header.inc.php");
+ header("X-Frame-Options: SAMEORIGIN");
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
+ if (!empty($_GET['a'])) {
+ echo '
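Review bot: The new policy in inc/header.inc.php has no `base-uri` directive, and `base-uri` does not inherit from `default-src`, so an injected `<base href>` could still repoint every relative script URL that `script-src 'self'` was meant to pin to this origin; add `base-uri 'self';` (or `'none'`). The hunk also loosens `frame-ancestors` from the previous `'none'` to `'self'` while keeping `X-Frame-Options: SAMEORIGIN`; if nothing in the application frames these pages, `frame-ancestors 'none'` with `X-Frame-Options: DENY` is the stricter and consistent pair. `object-src 'self'` still permits same-origin plugin content where `object-src 'none'` is the usual value, and `prefetch-src` never shipped as a standard directive, so browsers will log it as unrecognised.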
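Review bot: The added cookie flags in the index.php session block do not enable `session.use_strict_mode` (off by default), so PHP still adopts any unknown session ID presented in the cookie instead of issuing a fresh one; that leaves session fixation open even with Secure, HttpOnly and SameSite set. Add `ini_set('session.use_strict_mode', '1');` beside the other `ini_set` calls, before `session_start()`, and note that `session.cookie_samesite` only exists from PHP 7.3, on older runtimes `ini_set` returns false and the flag is silently absent. The context line `session_save_path('.tmp')` is a relative path; if it resolves inside the document root the session files are web-reachable, which is worth confirming. The same block is repeated in every other `@@ -19,7 +19,11 @@` hunk in this patch.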
' . print_r($_POST, true) . '
';
+ echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
+ }
 ?>
diff --git a/login.php b/login.php
index 1b6de75..a089446 100644
--- a/login.php
+++ b/login.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -78,7 +82,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
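Review bot: The seven lines added to index.php after `require_once("inc/header.inc.php")` duplicate what that include already does: per its own hunk in this patch it emits the same X-Frame-Options, X-Content-Type-Options and CSP headers and the same `?a=` debug block, so index.php now sends each header twice (the `false` replace flag appends rather than overwrites) and runs `print_r($_POST)` and `Csrf::verifyToken('home')` twice per request; if `verifyToken` consumes a token on success the second call will report 'unsuccessful'. Separately, the debug block echoes raw `$_POST` values into the page with no `htmlspecialchars`, reachable by anyone who appends `?a=1`, which is HTML injection that the new CSP only partially contains. I would delete the added block entirely and remove the `?a=` dump from the include rather than copy it.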
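Review bot: Hardening the cookie flags at the top of login.php does not by itself protect the login flow against session fixation; the ID must be rotated when authentication succeeds. The code that establishes the logged-in state is outside this hunk, but it should call `session_regenerate_id(true)` right after the credentials are accepted, and this block should also set `ini_set('session.use_strict_mode', '1');` so an attacker-supplied ID is never adopted in the first place. Please confirm both in the rest of login.php.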
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/logout.php b/logout.php
index b86e15a..408b9d7 100644
--- a/logout.php
+++ b/logout.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
diff --git a/profile.php b/profile.php
index c5e542d..19a13df 100644
--- a/profile.php
+++ b/profile.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
diff --git a/reports.php b/reports.php
index 43610b8..f800260 100644
--- a/reports.php
+++ b/reports.php
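Review bot: The context lines under the new headers in login.php keep the `if (!empty($_GET['a']))` debug dump on the login page: any request to login.php with `?a=1` echoes the full `$_POST` array, including whatever password field the form submits, back into the HTML via `print_r`, unescaped. This patch tightens response headers but leaves that in place; it should be removed (or at minimum gated on a non-production flag) before the CSP work matters. Also, the `header('Location: index.php')` in the `if` branch above has no `exit` in view; if the script continues past the `if/else` (the rest of the body is outside the hunk) the redirect response also carries the rendered page.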
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
diff --git a/signin.php b/signin.php
index bc56e21..cc4f57e 100644
--- a/signin.php
+++ b/signin.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -50,7 +54,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/signin_1.php b/signin_1.php
index e1b6c69..912dadc 100644
--- a/signin_1.php
+++ b/signin_1.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -50,7 +54,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
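Review bot: The `script-src 'self'` / `style-src 'self'` policy added to signin.php is enforced immediately and blocks every inline `<script>`, `onclick=` handler, `<style>` block and `style=` attribute on the sign-in page; whether those exist is outside the hunk, but a kiosk-style sign-in form commonly has them and would lose behaviour silently, since only the browser console sees the violation. Roll the policy out first as `Content-Security-Policy-Report-Only` with a `report-to`/`report-uri` endpoint, or add hashes/nonces for the inline pieces, and switch to enforcing once the reports are clean. The same applies to the identical hunks in signin_1 through signin_4, signin_display and signout.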
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/signin_2.php b/signin_2.php
index 329a777..afa5d82 100644
--- a/signin_2.php
+++ b/signin_2.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -50,7 +54,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
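Review bot: Every fetch directive in the policy added to signin_1.php is spelled out with the same `'self'` value that `default-src 'self'` already supplies, so the literal is eighteen directives long where `default-src 'self'; form-action 'self'; frame-ancestors 'self'` expresses the same thing; `form-action` and `frame-ancestors` are the only directives listed that do not inherit from `default-src`. Repeating the identical 400-character string in eight files is also what makes the next tightening error-prone, since one missed file keeps the old policy. Build the header value once in a shared helper (a constant or a function in the Misc namespace the file already uses) and call `header()` with the result.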
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/signin_3.php b/signin_3.php
index 65797c4..2f7e32e 100644
--- a/signin_3.php
+++ b/signin_3.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -50,7 +54,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
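Review bot: `script-src-attr 'self'` and `style-src-attr 'self'` in the header added to signin_2.php are misleading values: the `-attr` directives govern inline event-handler attributes and `style=` attributes, which have no URL and therefore can never match `'self'`, so the effect is identical to `'none'`. If blocking all inline handlers and styles is the intent (it is the secure default), write `script-src-attr 'none'; style-src-attr 'none'` so the policy reads the way it behaves; if some are genuinely needed they require `'unsafe-hashes'` plus hashes, not `'self'`. The same text appears in every other signin_* hunk.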
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/signin_4.php b/signin_4.php
index a993938..3e8112b 100644
--- a/signin_4.php
+++ b/signin_4.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -50,7 +54,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
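Review bot: The session cookie is now `Secure` (the earlier hunk in signin_3.php), so the application only functions over HTTPS, yet the header set added here has no `Strict-Transport-Security`; a first request over plain HTTP still reaches the app with no session cookie, and that is exactly where a downgrade attacker operates. Add `header("Strict-Transport-Security: max-age=31536000; includeSubDomains");` beside `X-Content-Type-Options` on HTTPS responses, and confirm there is an HTTP-to-HTTPS redirect in front of the app, since with `cookie_secure` a plain-HTTP deployment will appear permanently logged out rather than fail loudly.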
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/signin_display.php b/signin_display.php
index cd352ad..dbbe804 100644
--- a/signin_display.php
+++ b/signin_display.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -51,7 +55,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/signout.php b/signout.php
index aad5420..0e351db 100644
--- a/signout.php
+++ b/signout.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@@ -51,7 +55,8 @@
 header('Location: index.php'); // ELSE HOME
 } else {
 header("X-Frame-Options: SAMEORIGIN");
- header("Content-Security-Policy: frame-ancestors 'none'", false);
+ header("X-Content-Type-Options: nosniff");
+ header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
 if (!empty($_GET['a'])) {
 echo '
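Review bot: The header set added to signin_display.php still sends no `Referrer-Policy`, so the full URL of these pages, including any query string such as the `?a=` debug switch visible in the context lines, leaks to every external destination a page links to; the `// GO HOME UNTIL WE ADD REFERER LOGIC` comments elsewhere in this patch suggest referers are about to be relied on, which makes an explicit policy more important, not less. Add `header("Referrer-Policy: strict-origin-when-cross-origin");` (or `same-origin`) next to `X-Content-Type-Options`. Since the same three `header()` calls are now repeated in eight files, this is another reason to emit them from one shared function.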
' . print_r($_POST, true) . '
';
 echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
diff --git a/src/Misc/Csrf.php b/src/Misc/Csrf.php
index b87a054..083d35d 100644
--- a/src/Misc/Csrf.php
+++ b/src/Misc/Csrf.php
@@ -21,7 +21,7 @@ class Csrf
 'expires' => $token->expiry,
 'secure' => true,
 'httponly' => true,
- 'samesite' => 'None',
+ 'samesite' => 'Strict',
 ]);
 return $_SESSION['csrftokens'][$page] = $token;
diff --git a/users.php b/users.php
index 027f061..76d3ceb 100644
--- a/users.php
+++ b/users.php
@@ -19,7 +19,11 @@
 ini_set('session.gc_maxlifetime', 24*60*60); // MIN SESSION
 ini_set('session.gc_probability', 1); // GC RATES
 ini_set('session.gc_divisor', 100); // TIMES
- ini_set("session. cookie_httponly", 1);
+ ini_set('session.use_cookies', '1');
+ ini_set('session.use_only_cookies', '1');
+ ini_set('session.cookie_secure', '1');
+ ini_set('session.cookie_httponly', '1');
+ ini_set('session.cookie_samesite', 'Strict');
 session_save_path('.tmp'); // TEMP
 session_start(); // START
 require_once __DIR__ . '/autoload.php'; // AUTOLOAD
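Review bot: With `'httponly' => true` the CSRF cookie written in src/Misc/Csrf.php cannot be read by page scripts, and the same token is kept server-side in `$_SESSION['csrftokens'][$page]` on the `return` line, so the cookie only adds value if `verifyToken` compares it against the session copy (a double-submit check); that method is outside the hunk, so please confirm it compares with `hash_equals()` and checks `$token->expiry` on the server rather than trusting the cookie's `expires`. `Strict` is the right SameSite value for this cookie and matches the session cookie set in the page hunks; the token also stays in the `$_SESSION` array after verification, so if tokens are meant to be single-use, `verifyToken` must `unset()` the entry on success.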