Point808/LobbySIO
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Vulnerability mitigation - revert secure cookies by default

Browse Source
This commit is contained in:
Josh North 2021-06-01 10:52:51 -04:00
parent 0a39b60eee
commit c2fb21c570
19 changed files with 106 additions and 99 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
changelang.php
View File

@ -19,8 +19,8 @@
$app_disp_lang = filter_input(INPUT_POST, 'app_disp_lang', FILTER_SANITIZE_STRING); // GET SANITARY LANG CHOICE
setcookie ( 'app_disp_lang', $app_disp_lang, [
'expires' => time() + 60*60*24*90,
'secure' => true,
'httponly' => true,
'samesite' => 'Strict',
'secure' => false,
'httponly' => false,
'samesite' => 'Lax',
]);
header('Location: index.php'); // GO HOME UNTIL WE ADD REFERER LOGIC

6
changesite.php
View File

@ -19,8 +19,8 @@
$site = filter_input(INPUT_POST, 'site', FILTER_SANITIZE_STRING); // GET SANITARY SITE CHOICE
setcookie ( 'app_site', $site, [
'expires' => time() + 60*60*24*90,
'secure' => true,
'httponly' => true,
'samesite' => 'Strict',
'secure' => false,
'httponly' => false,
'samesite' => 'Lax',
]);
header('Location: index.php'); // GO HOME UNTIL WE ADD REFERER LOGIC

2
css/tempusdominus-bootstrap-4.min.css vendored
View File

@ -202,5 +202,5 @@
height: 27px;
line-height: 27px; }
.input-group [data-toggle="datetimepicker"] {
.input-group [data-bs-toggle="datetimepicker"] {
cursor: pointer; }

4
inc/header.inc.php
View File

@ -82,7 +82,7 @@
$timenow = $timeplus->format('Y-m-d H:i:s');
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
@ -159,7 +159,7 @@
<!-- START NAVBAR MENU FOR ALL LOGGED IN - BOTTOM END -->
</ul>
<ul class="navbar-nav mr-sm-2">
<li class="nav-item"><a class="nav-link<?php $sname=$SiteInfo->getSite($siteid, "0", "0", "0")[0]["sites_name"]; if($sname=="NOSITE") { echo " btn btn-sm btn-outline-warning"; } else { echo " btn btn-sm btn-outline-secondary"; }; ?>" href="#" data-toggle="modal" data-target="#sitetimeModal"><i class="fas fa-map-marker-alt"></i> <?php if ($sname=="NOSITE") {echo $transLang['NOSITE'];} else { echo $sname; } ?></a></li>
<li class="nav-item"><a class="nav-link<?php $sname=$SiteInfo->getSite($siteid, "0", "0", "0")[0]["sites_name"]; if($sname=="NOSITE") { echo " btn btn-sm btn-outline-warning"; } else { echo " btn btn-sm btn-outline-secondary"; }; ?>" href="#" data-bs-toggle="modal" data-bs-target="#sitetimeModal"><i class="fas fa-map-marker-alt"></i> <?php if ($sname=="NOSITE") {echo $transLang['NOSITE'];} else { echo $sname; } ?></a></li>
<?php if (Registry::AUTHMETHOD == 'SAML') { ?>
<!-- SAML SESSION BUTTONS -->
<li class="nav-item"><a class="nav-link btn btn-sm btn-outline-danger<?php if ($app_current_pagename==$transLang['LOGOUT']): echo " active"; endif; ?>" href="<?php echo str_replace("http%3A%2F%2F","https%3A%2F%2F",$auth->getLogoutURL()); ?>"><span class="badge bg-light text-dark"><?php echo $session_user["0"]["users_firstname"] . " " . $session_user["0"]["users_lastname"];?></span> <i class="fas fa-ban"></i> <?php echo $transLang['LOGOUT']; ?></a></li>

10
index.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -83,7 +83,7 @@
require_once("inc/header.inc.php");
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');
@ -329,7 +329,7 @@ if (Registry::AUTHMETHOD == 'SAML') {
</div>
<div class="input-group input-group-sm mb-0">
<span class="input-group-text"><i class="fas fa-clock"></i></span>
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $row['visits_id']; ?>" id="datetimepicker-<?php echo $row['visits_id']; ?>" data-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $row['visits_id']; ?>"/>
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $row['visits_id']; ?>" id="datetimepicker-<?php echo $row['visits_id']; ?>" data-bs-toggle="datetimepicker" data-bs-target=".datetimepicker-<?php echo $row['visits_id']; ?>"/>
<script type="text/javascript">
$(function () {
$('.datetimepicker-<?php echo $row['visits_id']; ?>').datetimepicker({'timeZone': '<?php echo $timezone; ?>', 'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss'});
@ -411,11 +411,11 @@ if (Registry::AUTHMETHOD == 'SAML') {
<button type="submit" name="approvevisit" id="approvevisit-<?php echo $visitid; ?>" value="<?php echo $visitid; ?>" class="btn btn-success btn-block btn-sm"><i class="fas fa-thumbs-up"></i>&nbsp;<?php echo $transLang['APPROVE']; ?></button>
</div>
<div class="input-group input-group-sm mb-0 d-grid gap-2">
<a data-toggle="modal" data-target="#voidModal" data-id="<?php echo $visitid; ?>" href="#voidModal" name="voidvisit" value="<?php echo $visitid; ?>" class="btn btn-danger btn-block btn-sm open-voidModal"><i class="fas fa-thumbs-down"></i>&nbsp;<?php echo $transLang['DECLINE']; ?></a>
<a data-bs-toggle="modal" data-bs-target="#voidModal" data-id="<?php echo $visitid; ?>" href="#voidModal" name="voidvisit" value="<?php echo $visitid; ?>" class="btn btn-danger btn-block btn-sm open-voidModal"><i class="fas fa-thumbs-down"></i>&nbsp;<?php echo $transLang['DECLINE']; ?></a>
</div>
<div class="input-group input-group-sm mb-0">
<span class="input-group-text"><i class="fas fa-clock"></i></span>
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $visitid; ?>" id="datetimepicker-<?php echo $visitid; ?>" data-toggle="datetimepicker" data-target=".datetimepicker-<?php echo $visitid; ?>" />
<input placeholder="<?php echo $transLang['OPTIONAL']; ?>" name="outtime" type="text" class="form-control form-control-sm bg-white datetimepicker-input datetimepicker-<?php echo $visitid; ?>" id="datetimepicker-<?php echo $visitid; ?>" data-bs-toggle="datetimepicker" data-bs-target=".datetimepicker-<?php echo $visitid; ?>" />
<script type="text/javascript">
$(function () {
$('.datetimepicker-<?php echo $visitid; ?>').datetimepicker({'sideBySide':true, 'format':'YYYY-MM-DD HH:mm:ss'});

2
js/tempusdominus-bootstrap-4.min.js vendored
View File

File diff suppressed because one or more lines are too long

4
login.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -83,7 +83,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

2
logout.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD

2
profile.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD

14
reports.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -128,19 +128,19 @@
</div>
<div class="form-group row">
<div class='col-sm'>
<div class="input-group date" id="datetimepicker-1" data-target-input="#datetimepicker-1">
<div class="input-group-text " data-target=".datetimepicker-1" data-toggle="datetimepicker">
<div class="input-group date" id="datetimepicker-1" data-bs-target-input="#datetimepicker-1">
<div class="input-group-text " data-bs-target=".datetimepicker-1" data-bs-toggle="datetimepicker">
<div class="input-group-text "><i class="fa fa-calendar"></i>&nbsp <?php echo $transLang['START']; ?></div>
</div>
<input name="starttime" type="text" class="datetimepicker-input form-control datetimepicker-1" id="datetimepicker-1" data-target=".datetimepicker-1" autocomplete="new-password" required />
<input name="starttime" type="text" class="datetimepicker-input form-control datetimepicker-1" id="datetimepicker-1" data-bs-target=".datetimepicker-1" autocomplete="new-password" required />
</div>
</div>
<div class='col-sm'>
<div class="input-group date" id="datetimepicker-2" data-target-input="#datetimepicker-2">
<div class="input-group-text" data-target=".datetimepicker-2" data-toggle="datetimepicker">
<div class="input-group date" id="datetimepicker-2" data-bs-target-input="#datetimepicker-2">
<div class="input-group-text" data-bs-target=".datetimepicker-2" data-bs-toggle="datetimepicker">
<div class="input-group-text"><i class="fa fa-calendar"></i>&nbsp <?php echo $transLang['END']; ?></div>
</div>
<input name="endtime" type="text" class="datetimepicker-input form-control datetimepicker-2" id="datetimepicker-2" data-target=".datetimepicker-2" autocomplete="new-password" required />
<input name="endtime" type="text" class="datetimepicker-input form-control datetimepicker-2" id="datetimepicker-2" data-bs-target=".datetimepicker-2" autocomplete="new-password" required />
</div>
</div>
<script type="text/javascript">

4
signin.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -55,7 +55,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

4
signin_1.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -55,7 +55,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

4
signin_2.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -55,7 +55,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

4
signin_3.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -55,7 +55,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

4
signin_4.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -55,7 +55,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

4
signin_display.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -56,7 +56,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

4
signout.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -56,7 +56,7 @@
} else {
header("X-Frame-Options: SAMEORIGIN");
header("X-Content-Type-Options: nosniff");
header("Content-Security-Policy: script-src 'self'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'; script-src-elem 'self'; script-src-attr 'self'; style-src 'self'; style-src-elem 'self'; style-src-attr 'self'; img-src 'self'; connect-src 'self'; frame-src 'self'; font-src 'self'; media-src 'self'; object-src 'self'; manifest-src 'self'; worker-src 'self'; prefetch-src 'self'; form-action 'self'; frame-ancestors 'self'; default-src 'self'", false);
if (!empty($_GET['a'])) {
echo '<pre>' . print_r($_POST, true) . '</pre>';
echo 'Verification has been : ' . (Csrf::verifyToken('home') ? 'successful' : 'unsuccessful');

6
src/Misc/Csrf.php
View File

@ -19,9 +19,9 @@ class Csrf
setcookie ( self::makeCookieName($page), $token->cookietoken, [
'expires' => $token->expiry,
'secure' => true,
'httponly' => true,
'samesite' => 'Strict',
'secure' => false,
'httponly' => false,
'samesite' => 'Lax',
]);
return $_SESSION['csrftokens'][$page] = $token;

119
users.php
View File

@ -23,7 +23,7 @@
ini_set('session.use_only_cookies', '1');
ini_set('session.cookie_secure', '1');
ini_set('session.cookie_httponly', '1');
ini_set('session.cookie_samesite', 'Strict');
ini_set('session.cookie_samesite', 'Lax');
session_save_path('.tmp'); // TEMP
session_start(); // START
require_once __DIR__ . '/autoload.php'; // AUTOLOAD
@ -293,7 +293,7 @@ if (0 === $row_count): else: $page_count = (int)ceil($row_count / $StaticFunctio
<h2><?php echo $app_current_pageicon . $transLang['USERS']; ?></h2>
</div>
<div class="col-sm">
<button type="button" class="btn btn-block btn-lg btn-success" data-toggle="modal" data-target="#addUserModal"><?php echo $transLang['ADD_USER']; ?></button>
<button type="button" class="btn btn-block btn-lg btn-success" data-bs-toggle="modal" data-bs-target="#addUserModal"><?php echo $transLang['ADD_USER']; ?></button>
</div>
</div>
<?php echo '<ul class="pagination pagination-sm"><li class="page-item disabled"><a class="page-link" href="#" tabindex="-1">' . $transLang['PAGE'] . '</a></li>'; for ($i = 1; $i <= $page_count; $i++): echo '<li class="page-item'; if ($i === $page_num): echo ' active'; else: echo ' '; endif; echo '"><a class="page-link" href="' . $_SERVER['PHP_SELF'] . '?pnum=' . $i . '">' . $i . '</a></li>'; endfor; echo '</ul>'; ?>
@ -336,6 +336,8 @@ if (0 === $row_count): else: $page_count = (int)ceil($row_count / $StaticFunctio
$minpasslength = $StaticFunctions->getMinPass();
?>
<!-- MODAL START -->
<div class="modal fade" id="addUserModal" tabindex="-1" role="dialog" aria-labelledby="Site" aria-hidden="true">
<div class="modal-dialog" role="document">
@ -445,7 +447,7 @@ if (0 === $row_count1): else: $page_count1 = (int)ceil($row_count1 / $StaticFunc
<h2><?php echo $app_current_pageicon . $transLang['SITE']; ?></h2>
</div>
<div class="col-sm">
<button type="button" class="btn btn-block btn-lg btn-success" data-toggle="modal" data-target="#addSiteModal"><?php echo $transLang['ADD_SITE']; ?></button>
<button type="button" class="btn btn-success btn-lg" data-bs-toggle="modal" data-bs-target="#addSiteModal"><?php echo $transLang['ADD_SITE']; ?></button>
</div>
</div>
<?php echo '<ul class="pagination pagination-sm"><li class="page-item disabled"><a class="page-link" href="#" tabindex="-1">' . $transLang['PAGE'] . '</a></li>'; for ($i1 = 1; $i1 <= $page_count1; $i1++): echo '<li class="page-item'; if ($i1 === $page_num1): echo ' active'; else: echo ' '; endif; echo '"><a class="page-link" href="' . $_SERVER['PHP_SELF'] . '?pnum1=' . $i1 . '">' . $i1 . '</a></li>'; endfor; echo '</ul>'; ?>
@ -470,60 +472,65 @@ if (0 === $row_count1): else: $page_count1 = (int)ceil($row_count1 / $StaticFunc
$minpasslength = $StaticFunctions->getMinPass();
?>
<!-- MODAL START -->
<div class="modal fade" id="addSiteModal" tabindex="-1" role="dialog" aria-labelledby="Site" aria-hidden="true">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title" id="AddSite"><?php echo $transLang['ADD_SITE']; ?></h5>
<button type="button" class="close" data-dismiss="modal" aria-label="Close">
<span aria-hidden="true">&times;</span>
</button>
</div>
<div class="modal-body">
<form class="form-inline my-2 my-lg-0" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<div class="row">
<div class="col-sm">
<p class="lead"><?php echo $transLang['ADD_SITE']; ?></p>
</div>
</div>
<fieldset id="registration">
<div class="form-group">
<div class="row">
<div class="col-sm">
<input type="text" class="form-control" id="sitename" name="sitename" placeholder="Site Name" required />
</div>
<div class="col-sm">
<select class="form-control" id="timezone" name="timezone" required>
<option value=""><?php echo $transLang['TIMEZONE']; ?></option>
<?php foreach(DateTimeZone::listIdentifiers(DateTimeZone::ALL) as $row2) { ?><option><?php echo $row2; ?></option><?php }; ?>
</select>
</div>
</div>
<div class="row">
<div class="col-sm">
<select class="form-control" id="region" name="region" required>
<option value=""><?php echo $transLang['REGION']; ?></option>
<option>CAN</option>
<option>EMEA</option>
<option>US</option>
</select>
</div>
<div class="col-sm">
<button type="submit" class="form-control btn btn-block btn-primary" value="Submit" name="newsite"><i class="fa fa-user-plus"></i> <?php echo $transLang['ADD_SITE']; ?></button>
</div>
</div>
</div>
</fieldset>
</form>
</div>
</div>
</div>
<!-- START ADDSITE MODAL -->
<div class="modal fade" id="addSiteModal" tabindex="-1" role="dialog">
<div class="modal-dialog" role="document">
<div class="modal-content">
<div class="modal-header">
<h5 class="modal-title" id="AddSite"><?php echo $transLang['ADD_SITE']; ?></h5>
<button type="button" class="btn-close" data-bs-dismiss="modal"></button>
</div>
<!-- MODAL END -->
<!-- SITE MGMT END -->
<div class="modal-body">
<form class="form form-approve" action="<?php echo $_SERVER['PHP_SELF']; ?>" method="post">
<div class="row row-cols-1">
<div class="col d-grid gap-2">
<div class="input-group input-group-sm mb-0">
<span class="input-group-text"><?php echo $transLang['NAME']; ?></span>
<input type="text" class="form-control" id="sitename" name="sitename" required />
</div>
</div>
</div>
<div class="row row-cols-1">
<div class="col d-grid gap-2">
<div class="input-group input-group-sm mb-0">
<span class="input-group-text"><?php echo $transLang['TIMEZONE']; ?></span>
<select class="form-control" id="timezone" name="timezone" required>
<option value=""><?php echo $transLang['TIMEZONE']; ?></option>
<?php foreach(DateTimeZone::listIdentifiers(DateTimeZone::ALL) as $row2) { ?>
<option><?php echo $row2; ?></option>
<?php }; ?>
</select>
</div>
</div>
</div>
<div class="row row-cols-1">
<div class="col d-grid gap-2">
<div class="input-group input-group-sm mb-0">
<span class="input-group-text"><?php echo $transLang['NAME']; ?></span>
<select class="form-control" id="region" name="region" required>
<option value=""><?php echo $transLang['REGION']; ?></option>
<option>CAN</option>
<option>EMEA</option>
<option>US</option>
</select>
</div>
</div>
</div>
<div class="row row-cols-1">
<div class="col d-grid gap-2">
<button type="button" class="btn btn-secondary btn-sm" data-dismiss="modal"><?php echo $transLang['CANCEL']; ?></button>
<button type="submit" class="btn btn-success btn-sm" value="Submit" name="newsite"><i class="fas fa-user-plus"></i>&nbsp;<?php echo $transLang['ADD_SITE']; ?></button>
</div>
</div>
</form>
</div>
</div>
</div>
</div>
<!-- END ADDSITE MODAL -->
<!-- END PAGE -->
<!-- CONTENT END -->
<?php }; require_once("inc/footer.inc.php");
<?php }; require_once("inc/footer.inc.php"); ?>