Security patch

samt2497 · Oct 11, 2014 · bbfc662 · bbfc662
1 parent 2907188
commit bbfc662
Show file tree

Hide file tree

Showing 9 changed files with 57 additions and 17 deletions.
diff --git a/.htaccess b/.htaccess
@@ -1,3 +1,8 @@
+<Files cron.php>
+	AuthName "403"
+	deny from all
+</Files>
+
 RewriteEngine On
 RewriteCond %{REQUEST_FILENAME} !-f
 RewriteCond %{REQUEST_FILENAME} !-d

diff --git a/app/.htaccess b/app/.htaccess
@@ -0,0 +1,2 @@
+AuthName "403"
+deny from all
diff --git a/app/app.core.php b/app/app.core.php
@@ -38,7 +38,7 @@
 		break;
 
 	default:
-		// PHP 5.5 Function Implementation
+		// PHP 5.5 Functions Implementation
 		require( LIBS_DIR	. '/php5.5/func.inc.php');
 
 		// Database Handle Manager

diff --git a/app/core/auth.class.php b/app/core/auth.class.php
@@ -29,6 +29,9 @@
 
 class Core_AuthService
 {
+	// Handle
+	public static $authService;
+
 	// Username
 	private $username;
 
@@ -75,23 +78,22 @@ function __construct( $username = '', $auth_key = APP_LOGGED_IN_KEY, $rsa_privat
 	}
 
 	/**
-	 * Decrypt Session Credentials
+	 * Service Handler
 	 *
-	 * @param Array $session
-	 * @return array
+	 * @param String $username
+	 * @param String $auth_key
+	 * @param String $rsa_private_key
+	 * @param String $rsa_public_key
+	 * @return Core_AuthService
 	 * @access public
 	 */
-	public static function decryptSessionCredentials( $session ) {
-		if ( !empty($session) && array_key_exists('CREDENTIALS', $session) ) {
-			$rsa = new Crypt_RSA();
-			$rsa->loadKey( $this->rsa_private_key ); // private key
-
-			$rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
-			$credentials = unserialize( $rsa->decrypt( $session['CREDENTIALS'] ) );
+	public static function getAuthService( $username = '', $auth_key = APP_LOGGED_IN_KEY, $rsa_private_key = RSA_PRIVATE_KEY, $rsa_public_key = RSA_PUBLIC_KEY ) {
+		if ( empty(self::$authService) || !is_object(self::$authService) || (get_class(self::$authService) != 'Core_AuthService') ) {
 
-			return $credentials;
+			self::$authService = new Core_AuthService( $username, $auth_key, $rsa_private_key, $rsa_public_key );
 		}
-		return array();
+
+		return self::$authService;
 	}
 
 	/**
@@ -102,7 +104,9 @@ public static function decryptSessionCredentials( $session ) {
 	 * @access public
 	 */
 	public static function getSessionPrivilege() {
-		$credentials = Core_AuthService::decryptSessionCredentials( $_SESSION );
+		$authService = Core_AuthService::getAuthService();
+
+		$credentials = $authService->decryptSessionCredentials();
 
 		if ( !empty($credentials['role']) ) {
 			return $credentials['role'];
@@ -119,7 +123,7 @@ public static function getSessionPrivilege() {
 	 */
 	public function getSessionValidity() {
 		if ( !empty($this->username) ) {
-			$credentials = Core_AuthService::decryptSessionCredentials( $this->session );
+			$credentials = $this->decryptSessionCredentials();
 
 			if ( $credentials['username'] == $this->username && $credentials['key'] == $this->auth_key && $credentials['token'] == session_id() ) {
 				return TRUE;
@@ -128,6 +132,26 @@ public function getSessionValidity() {
 		return FALSE;
 	}
 
+	/**
+	 * Decrypt Session Credentials
+	 *
+	 * @param none
+	 * @return array
+	 * @access private
+	 */
+	private function decryptSessionCredentials() {
+		if ( !empty($this->session) && array_key_exists('CREDENTIALS', $this->session) ) {
+			$rsa = new Crypt_RSA();
+			$rsa->loadKey( $this->rsa_private_key ); // private key
+
+			$rsa->setEncryptionMode(CRYPT_RSA_ENCRYPTION_PKCS1);
+			$credentials = unserialize( $rsa->decrypt( $this->session['CREDENTIALS'] ) );
+
+			return $credentials;
+		}
+		return array();
+	}
+
 	/**
 	 * Create A New Legit Session
 	 *

diff --git a/app/routing.core.php b/app/routing.core.php
@@ -43,7 +43,7 @@
 Flight::route('GET|POST /', function() {
 	// User Authentication
 
-	$authService = new Core_AuthService();
+	$authService = Core_AuthService::getAuthService();
 
 	// Test if the user has a whitecard to access the system
 

diff --git a/gui/.htaccess b/gui/.htaccess
@@ -0,0 +1 @@
+Options -Indexes 
diff --git a/index.php b/index.php
@@ -25,6 +25,8 @@
  * @link		http://www.bgpanel.net/
  */
 
+define('LICENSE', 'GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007');
+
 /**
  * Bright Game Panel Init
  */

diff --git a/init.app.php b/init.app.php
@@ -25,7 +25,11 @@
  * @link		http://www.bgpanel.net/
  */
 
-define('LICENSE', 'GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007');
+// Prevent direct access
+if (!defined('LICENSE'))
+{
+	exit('Access Denied');
+}
 
 /**
  * ERROR Handling

diff --git a/logs/.htaccess b/logs/.htaccess
@@ -0,0 +1,2 @@
+AuthName "403"
+deny from all
-Original file line number
+Diff line change
@@ Expand Up / @@ -25,6 +25,8 @@ @@
      * @link		http://www.bgpanel.net/
      */
+    define('LICENSE', 'GNU GENERAL PUBLIC LICENSE - Version 3, 29 June 2007');
     /**
      * Bright Game Panel Init
      */
@@ Expand Down @@