Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security Issue #19

Open
exmex opened this issue Aug 29, 2014 · 1 comment
Open

Security Issue #19

exmex opened this issue Aug 29, 2014 · 1 comment

Comments

@exmex
Copy link

exmex commented Aug 29, 2014

In loginprocess is a massive security issue. You can "post" EVERY url to return.

https://github.com/warhawk3407/bgpanel/blob/master/admin/loginprocess.php#L111

header( "Location: ".urldecode($return));

https://github.com/warhawk3407/bgpanel/blob/master/admin/loginprocess.php#L109

My fix for it:

if (!empty($return) && parse_url($_SERVER['HTTP_HOST'], PHP_URL_HOST) == parse_url($return, PHP_URL_HOST))

It compares the host from the return argument & the http host host :)
(parse_url for $_SERVER because it contains ports if not running on default 80 / 443)
@superg2
Copy link
Collaborator

superg2 commented Sep 30, 2014

Is this "issue" a security hole ? I mean that if you post a fancy return url, what is the breach you open ?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@superg2 @exmex