Wichtiges Cyberworks Sicherheitsupdate

0xBADC0DED

Liebe Native-Network Community,

hier ein kleines Sicherheitsupdate für das Cyberworks Panel. Getestet mit Version 5. Habe das Workaround geschrieben auf Grund folgendem Problem:

Zitat von Scrpt

Ich weiss nicht ob es an den cookies lag, aber bei mir konnte sich ein ex-admin wessen account ich gebannt, passwort geändert und Login geändert habe sich immernoch mit den gleichen details rein "hacken". Glaube es könnte an den cookies liegen oder anderem.

EDIT:

Bitte folgende Datei komplett mit dieser ersetzen: classes/login.php:

PHP: login.php

<?php
require_once("gfunctions.php");
/**
     * Class login
     * handles the user's login and logout process
     */
class Login
{
    /**
     * @var array Collection of error messages
     */
    public $errors = array();
    /**
     * @var array Collection of success / neutral messages
     */
    public $messages = array();
    /**
     * @var object The database connection
     */
    private $db_connection = null;




    /**
     * the function "__construct()" automatically starts whenever an object of this class is created,
     * you know, when you do "$login = new Login();"
     */
    public function __construct()
    {
        // create/read session, absolutely necessary
        //session_start();
        // check the possible login actions:
        // if user tried to log out (happen when user clicks logout button)
        if (isset($_GET["logout"])) {
            $this->doLogout();
        } // login via post data (if user just submitted a login form)
        elseif (isset($_POST["login"])) {
            $this->dologinWithPostData();
        }
    }







    /**
     * perform the logout
     */
    public function doLogout()
    {
        // delete the session of the user
        if (isset($_SESSION['user_name'])) {
            logAction($_SESSION['user_name'], 'Logged Out', 1);
        }
        $_SESSION = array();
        session_destroy();
        // return a little feeedback message
        $this->messages[] = 'You have been logged out';




    }




    /**
     * log in with post data
     */
    private function dologinWithPostData()
    {
        $settings = require('config/settings.php');




        // check login form contents
        if (empty($_POST['user_name'])) {
            $this->errors[] = "Username field was empty.";
        } elseif (empty($_POST['user_password'])) {
            $this->errors[] = "Password field was empty.";
        } elseif (!empty($_POST['user_name']) && !empty($_POST['user_password'])) {




            if (isset($settings['db']['port'])) {
                $this->db_connection = new mysqli(decrypt($settings['db']['host']), decrypt($settings['db']['user']), decrypt($settings['db']['pass']), decrypt($settings['db']['name']), decrypt($settings['db']['port']));
            } else {
                $this->db_connection = new mysqli(decrypt($settings['db']['host']), decrypt($settings['db']['user']), decrypt($settings['db']['pass']), decrypt($settings['db']['name']));
            }




            // change character set to utf8 and check it
            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }




            // if no connection errors (= working database connection)
            if (!$this->db_connection->connect_errno) {




                // escape the POST stuff
                $user_name = $this->db_connection->real_escape_string($_POST['user_name']);




                // database query, getting all the info of the selected user (allows login via email address in the
                // username field)
                $sql = "SELECT user_name, user_email, user_level, user_profile, permissions, user_password_hash, user_id, playerid, twoFactor, token
                        FROM users
                        WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_name . "';";
                $result_of_login_check = $this->db_connection->query($sql);




                // if this user exists
                if ($result_of_login_check->num_rows == 1) {




                    // get result row (as an object)
                    $result_row = $result_of_login_check->fetch_object();




                    // using PHP 5.5's password_verify() function to check if the provided password fits
                    // the hash of that user's password
                    //var_dump(password_hash($_POST['user_password'], PASSWORD_DEFAULT));
                    if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {
                        if ($result_row->user_level <> 0) {
                            //$verify = json_decode(file_get_contents('http://cyberbyte.org.uk/hooks/cyberworks/messages.php?id=' . $settings['id']));
                            //if (!isset($verify->verify)) {
                                $_SESSION['2factor'] = 0;
                                if (!empty($result_row->twoFactor)) {
                                    if ($settings['2factor']) $_SESSION['2factor'] = 1; else {
                                    $sql = "UPDATE `users` SET `backup`=NULL,`twoFactor`=NULL WHERE `userid` = '" . $result_row->user_id . "';";
                                    $this->db_connection->query($sql);
                                    $this->errors[] = $lang['2factorForceRevoke'];
                                    }
                                }




                                if (isset($_COOKIE['token']) && !empty($result_row->token)) {
                                    if (decrypt($result_row->token) == $_COOKIE['token']) {
                                        $_SESSION['2factor'] = 2;
                                    }
                                }
                                $_SESSION['sudo'] = time();
                                //$_SESSION['message'] = $verify;
                                $_SESSION['user_name'] = $result_row->user_name;
                                $_SESSION['user_level'] = $result_row->user_level;
								$_SESSION['user_password_hash'] = $result_row->user_password_hash;
                                $_SESSION['user_profile'] = $result_row->user_profile;
                                $_SESSION['user_email'] = $result_row->user_email;
                                $_SESSION['playerid'] = $result_row->playerid;
                                $_SESSION['user_id'] = $result_row->user_id;
                                $_SESSION['steamsignon'] = false;
                                $_SESSION['permissions'] = json_decode($result_row->permissions, true);
                                if (isset($result_row->items))$_SESSION['items'] = $result_row->items; else $_SESSION['items'] = $settings['items'];
                                if (isset($_POST['lang'])) {
                                    setcookie('lang', $_POST['lang'], time() + (3600 * 24 * 30));
                                    $_SESSION['lang'] = $_POST['lang'];
                                }
                                $_SESSION['steamsignon'] = false;
                                $_SESSION['user_login_status'] = 1;




                                multiDB();
                                logAction($_SESSION['user_name'], 'Successful Login (' . $_SERVER['REMOTE_ADDR'] . ')', 2);
                            /*} else {
                                if (isset($verify->message)) {
                                    $this->errors[] = $verify->message;
                                } else {
                                    $this->errors[] = "Verifcation Failed";
                                }
                            }*/
                        } else {
                            $this->errors[] = "User is banned.";
                            logAction($_POST['user_name'], 'Login Failed - Banned User (' . $_SERVER['REMOTE_ADDR'] . ')', 3);
                        }
                    } else {
                        $this->errors[] = "Wrong password. Try again.";
                        logAction($_POST['user_name'], 'Login Failed - Wrong Password (' . $_SERVER['REMOTE_ADDR'] . ')', 3);
                    }
                } else {
                    $this->errors[] = "This user does not exist.";
                    logAction($_POST['user_name'], 'Login Failed - Wrong Username (' . $_SERVER['REMOTE_ADDR'] . ')', 3);
                }
            } else {
                $this->errors[] = "Database connection problem.";
            }
        }
    }




    /**
     * simply return the current state of the user's login
     * @return boolean user's login status
     */
    public function isUserLoggedIn()
    {
        if (isset($_SESSION['user_login_status']) AND $_SESSION['user_login_status'] == 1 AND $this->checkUserStatus() == true) {
            return true;
        }
        // default return
        return false;
    }

	private function checkUserStatus()
	{
		$settings = require('config/settings.php');

            if (isset($settings['db']['port'])) {
                $this->db_connection = new mysqli(decrypt($settings['db']['host']), decrypt($settings['db']['user']), decrypt($settings['db']['pass']), decrypt($settings['db']['name']), decrypt($settings['db']['port']));
            } else {
                $this->db_connection = new mysqli(decrypt($settings['db']['host']), decrypt($settings['db']['user']), decrypt($settings['db']['pass']), decrypt($settings['db']['name']));
            }




            // change character set to utf8 and check it
            if (!$this->db_connection->set_charset("utf8")) {
                $this->errors[] = $this->db_connection->error;
            }




            // if no connection errors (= working database connection)
            if (!$this->db_connection->connect_errno) {

			$sql = "SELECT permissions, user_level, user_password_hash FROM users WHERE user_id = ". $_SESSION['user_id']; 
			$userlevel = $this->db_connection->query($sql)->fetch_object()->user_level;
			$permissions = json_decode($this->db_connection->query($sql)->fetch_object()->permissions,true);
			$passwordhash = $this->db_connection->query($sql)->fetch_object()->user_password_hash;




			if($userlevel != $_SESSION['user_level'])
			{
				$this->errors[] = "Userlevel changed.";
			} else if($passwordhash != $_SESSION['user_password_hash'])
			{
				$this->errors[] = "Your password is incorrect.";
			} else if($permissions != $_SESSION['permissions'])
			{
				$this->errors[] = "Your permissions have changed";
			} else {
			return true;
			}
			return false;
			}
	}
}

Alles anzeigen

Allerdings muss ich dennoch sagen, das Cyberworks sehr unsicher ist. Im schlimmsten Fall kann euer ganzer Server kompromittiert werden (Klick mich!). .Bald kommt meine Hosting Version & ich werde sie euch dann kostenlos zur Verfügung stellen, alles mit PDO->mysql und solche Fehler wie hier sind nicht vorhanden.

PS: @nox

Scrpt

Zitat von majoess
Liebe Native-Network Community,

hier ein kleines Sicherheitsupdate für das Cyberworks Panel. Getestet mit Version 5. Habe das Workaround geschrieben auf Grund folgendem Problem:

Als erstes bitte eure index.php im Stammverzeichnis öffnen.Dann bitte nach folgendem Code suchen:
PHP: index.php
if (!$db_connection->connect_errno) {
        if ($login->isUserLoggedIn() == true) {
Der Code steht standartmäßig auf Zeile 92 und 93.
Nach der Klammer auf von if ($login->isUserLoggedIn() == true) { folgendes einfügen: require("mods/workaround.php");
Dann sollte es wie folgt aussehen:
PHP: index.php
if (!$db_connection->connect_errno) {
        if ($login->isUserLoggedIn() == true) {
		   require("mods/workaround.php");
Dann bitte folgenden Ordner im Stammverzeichnis erstellen: mods. In den Ordner stammverzeichnis/mods folgende Datei mit dem Code erstellen:
PHP: mods/workaround.php
<?php
/*
WICHTIG: BITTE NUR DIESE EINE VARIABLE VERÄNDERN, NICHTS ANDERES!
*/
$backurl = "https://google.de" // <- Bei Fehler wird auf diese Adresse umgeleitet.
/*
ENDE ZUM EDITIEREN. BITTE ALLES DARUNTER NICHT UMSCHREIBEN WENN KEINE ERFAHRUNG
*/




$sql = "SELECT * FROM users WHERE user_id = ". $_SESSION['user_id'];
$userlevel = $db_connection->query($sql)->fetch_object()->user_level;
$permissions = $db_connection->query($sql)->fetch_object()->permissions;
$permissions = json_decode($permissions, true);







if($userlevel == null || $userlevel == "") {
	$login->doLogout();
	header("Location: $backurl");
	exit;
} else {
	if($userlevel != $_SESSION['user_level']) {
		$login->doLogout();
		header("Location: $backurl");
		exit;
	}
}




if($permissions == null || $permissions == "") {
	$login->doLogout();
	header("Location: https://google.de");
	exit;
} else {
	if($permissions != $_SESSION['permissions']) {
		$login->doLogout();
		header("Location: $backurl");
		exit;
	}
}
Alles anzeigen
Hier könnt ihr die $backurl nach euren Wünschen verändern.

Allerdings muss ich dennoch sagen, das Cyberworks sehr unsicher ist. Im schlimmsten Fall kann euer ganzer Server kompromittiert werden (Klick mich!). .Bald kommt meine Hosting Version & ich werde sie euch dann kostenlos zur Verfügung stellen, alles mit PDO->mysql und solche Fehler wie hier sind nicht vorhanden.

PS: @nox
Alles anzeigen

Super geil gemacht. Danke dafür. Bist ein schatz

Multivitamin

Ich glaube das ist ein Problem im Framework, wenn ich heute zu Hause bin werde ich es nochmal genauer untersuchen,

Fakt ist dass hier > https://github.com/Cyberbyte-Stud…/login.php#L171 der Login Check ledeglich über das gesetzte cookie verifiziert wird und die Abfrage nicht über die Datenbank doppelt geschieht

Der Abgleich mit der Datenbank passiert NUR beim Login

Falls ich heute noch dazu komme werde ich einen anständigen Fix schreiben

EDIT:

PHP

<?php
require_once("gfunctions.php");
/**
     * Class login
     * handles the user's login and logout process
     */
class Login
{
    /**
     * @var array Collection of error messages
     */
    public $errors = array();
    /**
     * @var array Collection of success / neutral messages
     */
    public $messages = array();
    /**
     * @var object The database connection
     */
    private $db_connection = null;
	/**
	 * @var boolean Indicates if the User is logged in or not for Function "isUserLoggedIn"
	 */
	private $isLoggedIn = false;




    /**
     * the function "__construct()" automatically starts whenever an object of this class is created,
     * you know, when you do "$login = new Login();"
     */
    public function __construct()
    {
        // create/read session, absolutely necessary
        //session_start();
        // check the possible login actions:
        // if user tried to log out (happen when user clicks logout button)
        if (isset($_GET["logout"])) {
            $this->doLogout();
        } // login via post data (if user just submitted a login form)
        elseif (isset($_POST["login"])) {
            $this->dologinWithPostData();
        }
    }







    /**
     * perform the logout
     */
    public function doLogout()
    {
        // delete the session of the user
        if (isset($_SESSION['user_name'])) {
            logAction($_SESSION['user_name'], 'Logged Out', 1);
        }
        $_SESSION = array();
        session_destroy();
        // return a little feeedback message
        $this->messages[] = 'You have been logged out';




    }
	/*
	*	Create Database Connection 
	*	returns true on success
	*/
	private function createConnection() 
	{
        $this->db_connection = new mysqli(
			decrypt($settings['db']['host']), 
			decrypt($settings['db']['user']), 
			decrypt($settings['db']['pass']), 
			decrypt($settings['db']['name']), 
			(isset($settings['db']['port'])) ? decrypt($settings['db']['port']) : 3306
		);
		if (!$this->db_connection->set_charset("utf8")) $this->errors[] = $this->db_connection->error;
        if ($this->db_connection->connect_errno) $this->errors[] = "Database connection problem.";
		return !$this->db_connection->connect_errno;
	}




    /**
     * log in with post data
     */
    private function dologinWithPostData()
    {
        $settings = require('config/settings.php');




        // check login form contents
        if (empty($_POST['user_name'])) {
            $this->errors[] = "Username field was empty.";
        } elseif (empty($_POST['user_password'])) {
            $this->errors[] = "Password field was empty.";
        } elseif (!empty($_POST['user_name']) && !empty($_POST['user_password'])) {




            // if no connection errors (= working database connection)
            if ($this->createConnection()) {




                // escape the POST stuff
                $user_name = $this->db_connection->real_escape_string($_POST['user_name']);




                // database query, getting all the info of the selected user (allows login via email address in the
                // username field)
                $sql = "SELECT user_name, user_email, user_level, user_profile, permissions, user_password_hash, user_id, playerid, twoFactor, token
                        FROM users
                        WHERE user_name = '" . $user_name . "' OR user_email = '" . $user_name . "';";
                $result_of_login_check = $this->db_connection->query($sql);




                // if this user exists
                if ($result_of_login_check->num_rows == 1) {




                    // get result row (as an object)
                    $result_row = $result_of_login_check->fetch_object();




                    // using PHP 5.5's password_verify() function to check if the provided password fits
                    // the hash of that user's password
                    //var_dump(password_hash($_POST['user_password'], PASSWORD_DEFAULT));
                    if (password_verify($_POST['user_password'], $result_row->user_password_hash)) {
                        if ($result_row->user_level <> 0) {
                            //$verify = json_decode(file_get_contents('http://cyberbyte.org.uk/hooks/cyberworks/messages.php?id=' . $settings['id']));
                            //if (!isset($verify->verify)) {
                                $_SESSION['2factor'] = 0;
                                if (!empty($result_row->twoFactor)) {
                                    if ($settings['2factor']) $_SESSION['2factor'] = 1; else {
                                    $sql = "UPDATE `users` SET `backup`=NULL,`twoFactor`=NULL WHERE `userid` = '" . $result_row->user_id . "';";
                                    $this->db_connection->query($sql);
                                    $this->errors[] = $lang['2factorForceRevoke'];
                                    }
                                }




                                if (isset($_COOKIE['token']) && !empty($result_row->token)) {
                                    if (decrypt($result_row->token) == $_COOKIE['token']) {
                                        $_SESSION['2factor'] = 2;
                                    }
                                }
                                $_SESSION['sudo'] = time();
                                //$_SESSION['message'] = $verify;
                                $_SESSION['user_password_hash'] = $result_row->user_password_hash;
                                $_SESSION['user_name'] = $result_row->user_name;
                                $_SESSION['user_level'] = $result_row->user_level;
                                $_SESSION['user_profile'] = $result_row->user_profile;
                                $_SESSION['user_email'] = $result_row->user_email;
                                $_SESSION['playerid'] = $result_row->playerid;
                                $_SESSION['user_id'] = $result_row->user_id;
                                $_SESSION['steamsignon'] = false;
                                $_SESSION['permissions'] = json_decode($result_row->permissions, true);
                                if (isset($result_row->items))$_SESSION['items'] = $result_row->items; else $_SESSION['items'] = $settings['items'];
                                if (isset($_POST['lang'])) {
                                    setcookie('lang', $_POST['lang'], time() + (3600 * 24 * 30));
                                    $_SESSION['lang'] = $_POST['lang'];
                                }
                                $_SESSION['steamsignon'] = false;
                                $_SESSION['user_login_status'] = 1;




                                multiDB();
                                logAction($_SESSION['user_name'], 'Successful Login (' . $_SERVER['REMOTE_ADDR'] . ')', 2);
                            /*} else {
                                if (isset($verify->message)) {
                                    $this->errors[] = $verify->message;
                                } else {
                                    $this->errors[] = "Verifcation Failed";
                                }
                            }*/
                        } else {
                            $this->errors[] = "User is banned.";
                            logAction($_POST['user_name'], 'Login Failed - Banned User (' . $_SERVER['REMOTE_ADDR'] . ')', 3);
                        }
                    } else {
                        $this->errors[] = "Wrong password. Try again.";
                        logAction($_POST['user_name'], 'Login Failed - Wrong Password (' . $_SERVER['REMOTE_ADDR'] . ')', 3);
                    }
                } else {
                    $this->errors[] = "This user does not exist.";
                    logAction($_POST['user_name'], 'Login Failed - Wrong Username (' . $_SERVER['REMOTE_ADDR'] . ')', 3);
                }
            }
        }
    }




    /**
     * simply return the current state of the user's login
     * @return boolean user's login status
     */
    public function isUserLoggedIn()
    {
        if ($this->isLoggedIn) return true;
        if (
			isset($_SESSION['user_login_status'])
			AND $_SESSION['user_login_status'] == 1
		) {
			$resp = $this->verifyUser($_SESSION['user_id'], $_SESSION['user_name'], $_SESSION['user_password_hash'], $_SESSION['playerid']);
			if ($resp !== TRUE) {
				$this->errors[] = "Login Cookie Check - ".$resp;
				logAction($_SESSION['user_name'], 'Cookie Check Failed - '.$resp.' (' . $_SERVER['REMOTE_ADDR'] . ')', 3);
				return false;
			}
			$this->isLoggedIn = true;
            return true;
        }
        return false;
    }
	/*
		Verifies the User again with the Session
	*/
	private function verifyUser($userid, $username, $userpass, $playerid) 
	{
		if (!$this->createConnection()) return "Error with Database Connection";
		$result = $this->db_connection->query(
			"SELECT permissions, user_level, user_password_hash 
			FROM users 
			WHERE user_name = '".$username."' AND playerid = '".$playerid."' AND user_id = '".$userid."';"
		);
		if ($result_of_login_check->num_rows !== 1) return "User does not exist";
		$result = $result->fetch_object();
		if (!password_verify($userpass, $result->user_password_hash)) return "Wrong password";
		//When we already get the data let us reload the Permissions and User Level aswell
		$_SESSION['permissions'] = json_decode($result->permissions, true);
		$_SESSION['user_level'] = $result->user_level;
		return true;
	}
}

Alles anzeigen

Ich habe die komplette login.php überarbeitet, es ist aber noch komplett ungetestet
Den kompletten Code unter classes/login.php austauschen (backup vom alten Code machen)

Damit der neue Code ebenfalls funktioniert und es zu keinen Fehler kommt sollten zuerst alle User ausgeloggt werden bzw eine Private Browser Session geöffnet werden

0xBADC0DED

@Multivitamin: Ist ja quasi genau das was ich geschrieben habe, nur in der Login zusammen gefasst.

EDIT: Habe meine Version aktualisiert, macht im Prinzip das gleiche wie die von Multivitamin.

Multivitamin

Zitat von majoess

$userlevel = $db_connection->query($sql)->fetch_object()->user_level;
$permissions = $db_connection->query($sql)->fetch_object()->permissions;
$passwordhash = $db_connection->query($sql)->fetch_object()->user_password_hash;

Ich bin mir nicht sicher wie MySQLi das handled aber der feuert da glaub ich 3 mal die gleiche Query drüber

Die Variable

Code

$_SESSION['user_password_hash']

ist standardmäßig nicht in der Session Variable vorhanden > muss bei dir ebenfalls noch in der classes/login.php definiert werden

0xBADC0DED

@Multivitamin @Scrpt,

bitte mein Update anschauen.

Alle die die alte Version habe, bitte in index.php das require("mods/workaround.php"); sowie den Ordner mods komplett löschen.

Panthor Life

Und ich dachte das ding basiert inzwischen auf einem vernünfigten Framework

0xBADC0DED

Zitat von Greeny

Und ich dachte das ding basiert inzwischen auf einem vernünfigten Framework

Ohne Framework geht natürlich auch solange man programmieren "kann" & sich auskennt. Aber bei Cyberworks ist das leider nicht so

Troublemaker2_0

Moin gibt es eine Möglichkeit bei Cyberworks eine neue Fraktion hinzuzufügen? lg

Panthor Life

Klar, musst dich halt reindenken und ein bisschen Ahnung von PHP haben.

Troublemaker2_0

Hätt ja sein könn, das es da schon was fertiges gibt

Wichtiges Cyberworks Sicherheitsupdate

Ähnliche Themen

Cyber Works Level gehen nicht

Benutzer online in diesem Thema