Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fit remote code execution in history and template imports functionality #1625

Open
wants to merge 4 commits into
base: master
Choose a base branch
from
Open

fit remote code execution in history and template imports functionality #1625

wants to merge 4 commits into from

Conversation

Ngai-E
Copy link
Collaborator

@Ngai-E Ngai-E commented Jul 15, 2020

No description provided.

muarachmann
muarachmann reviewed Jul 30, 2020
View reviewed changes
interface/patient_file/letter.php
if (!isset($_POST['token'])) {
error_log('WARNING: A POST request detected with no csrf token found');
die('Authentication failed.');
} else if (!hash_equals(hash_hmac('sha256', '/letter.php.theform', $_SESSION['token']), $_POST['token'])) {
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is verifyCsrfTokenAndCompareHash not used here rather?

maggienegm
maggienegm reviewed Aug 1, 2020
View reviewed changes
patient_portal/import_template.php
if (!isset($_POST['token'])) {
error_log('WARNING: A POST request detected with no csrf token found');
die('Authentication failed.');
} else if (!(CsrfToken::verifyCsrfToken($_POST['token'])) {
Copy link
Contributor

@maggienegm maggienegm Aug 1, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're missing a closing parenthesis here too

maggienegm
maggienegm reviewed Aug 1, 2020
View reviewed changes
library/CsrfToken.php
// Function to verify a csrf token using with second token
function verifyCsrfTokenAndCompareHash($token, $secondToken)
{
if (hash_equals(hash_hmac('sha256', $secondToken, $_SESSION['token']), $token) {
Copy link
Contributor

@maggienegm maggienegm Aug 1, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're missing a closing parenthesis here too

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its necessary to type cast the inputs before supplying to hash_hmac, interesting things might occur if that is not done ( type juggling vulnerability ), if $secondToken is a user controlled input, if an array is passed, hash_hmac will return null.
For more details:
https://www.youtube.com/watch?v=MpeaSNERwQA

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @naveen17797 I will add that too.

maggienegm
maggienegm reviewed Aug 1, 2020
View reviewed changes
interface/billing/edi_history_main.php
if (!isset($_POST['token'])) {
error_log('WARNING: A POST request detected with no csrf token found');
die('Authentication failed.');
} else if (!(CsrfToken::verifyCsrfToken($_POST['token'])) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're missing a closing parenthesis here

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @maggienegm. I am guessing you fixed in here PR #1634?? have not checked yet. If you did then I can just close this.

Copy link
Contributor

@maggienegm maggienegm Aug 3, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes @Ngai-E , I fixed the closing parenthesis issues there

@maggienegm maggienegm mentioned this pull request Aug 3, 2020
Merged
@muarachmann
Copy link
Member

@Ngai-E can you rebase thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@naveen17797 naveen17797 naveen17797 left review comments

@muarachmann muarachmann muarachmann left review comments

@maggienegm maggienegm maggienegm left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@Ngai-E @muarachmann @maggienegm @naveen17797