From 212a9988d111fdac6a80855b0b3b6bcfb975d88fd1a4db596979fd4a8eec91a0 Mon Sep 17 00:00:00 2001
From: Christian Wittmer
Date: Thu, 14 Jul 2022 15:56:14 +0000
Subject: [PATCH] Accepting request 989215 from home:computersalat:devel:php

Fix for boo#1162794 (CVE-2019-10784)

OBS-URL: https://build.opensuse.org/request/show/989215
OBS-URL: https://build.opensuse.org/package/show/server:php:applications/phpPgAdmin?expand=0&rev=32
---
 csrf-samesite-fix.patch | 311 ++++++++++++++++++++++++++++++++++++++++
 phpPgAdmin.changes | 9 ++
 phpPgAdmin.spec | 4 +-
 3 files changed, 323 insertions(+), 1 deletion(-)
 create mode 100644 csrf-samesite-fix.patch

diff --git a/csrf-samesite-fix.patch b/csrf-samesite-fix.patch
new file mode 100644
index 0000000..4cfe07a
--- /dev/null
+++ b/csrf-samesite-fix.patch
@@ -0,0 +1,311 @@
+Index: classes/Misc.php
+===================================================================
+--- classes/Misc.php.orig
++++ classes/Misc.php
+@@ -1333,6 +1333,10 @@
+ $server_info = $this->getServerInfo();
+ $reqvars = $this->getRequestVars('table');
+
++ if (!$conf['extra_session_security']) {
++ echo '

', htmlspecialchars($lang['sessionsecuritywarning']), '

';
++ }
++
+ echo "
";
+
+ if ($server_info && isset($server_info['platform']) && isset($server_info['username'])) {
+Index: conf/config.inc.php-dist
+===================================================================
+--- conf/config.inc.php-dist.orig
++++ conf/config.inc.php-dist
+@@ -89,6 +89,15 @@
+ // your browser preference.
+ $conf['default_lang'] = 'auto';
+
++ // If extra session security is true, then PHP's session cookies will have
++ // SameSite cookie flags set to prevent CSRF attacks. If you're using
++ // auto-start sessions, autostarted sessions will be destroyed and
++ // restarted with SameSite on. If this this solution is not acceptable for
++ // your situation, you will need to either turn off auot-start sessions, or
++ // turn off secure sessions. Versions of PHP below 7.3 do not have access
++ // to this feature and will be vulnerable to CSRF attacks.
++ $conf['extra_session_security'] = true;
++
+ // AutoComplete uses AJAX interaction to list foreign key values
+ // on insert fields. It currently only works on single column
+ // foreign keys. 
You can choose one of the following values:
+Index: lang/english.php
+===================================================================
+--- lang/english.php.orig
++++ lang/english.php
+@@ -807,6 +807,7 @@
+ $lang['strloading'] = 'Loading...';
+ $lang['strerrorloading'] = 'Error Loading';
+ $lang['strclicktoreload'] = 'Click to reload';
++ $lang['sessionsecuritywarning'] = 'You are running phpPgAdmin without session security.';
+
+ // Autovacuum
+ $lang['strautovacuum'] = 'Autovacuum';
+Index: libraries/lib.inc.php
+===================================================================
+--- libraries/lib.inc.php.orig
++++ libraries/lib.inc.php
+@@ -50,11 +50,36 @@
+ require_once('./classes/Misc.php');
+ $misc = new Misc();
+
+- // Start session (if not auto-started)
+- if (!ini_get('session.auto_start')) {
+- session_name('PPA_ID');
+- session_start();
+- }
++ // Session start: if extra_session_security is on, make sure cookie_samesite
++ // is on (exit if we fail); otherwise, just start the session
++ $our_session_name = 'PPA_ID';
++ if ($conf['extra_session_security']) {
++ if (version_compare(phpversion(), '7.3', '<')) {
++ exit('PHPPgAdmin cannot be fully secured while running under PHP versions before 7.3. Please upgrade PHP if possible. 
If you cannot upgrade, and you\'re willing to assume the risk of CSRF attacks, you can change the value of "extra_session_security" to false in your config.inc.php file.');
++ }
++ if (ini_get('session.auto_start')) {
++ // If session.auto_start is on, and the session doesn't have
++ // session.cookie_samesite set, destroy and re-create the session
++ if (session_name() !== $our_session_name) {
++ $setting = strtolower(ini_get('session.cookie_samesite'));
++ if ($setting !== 'lax' && $setting !== 'strict') {
++ session_destroy();
++ session_name($our_session_name);
++ ini_set('session.cookie_samesite', 'Strict');
++ session_start();
++ }
++ }
++ } else {
++ session_name($our_session_name);
++ ini_set('session.cookie_samesite', 'Strict');
++ session_start();
++ }
++ } else {
++ if (!ini_get('session.auto_start')) {
++ session_name($our_session_name);
++ session_start();
++ }
++ }
+
+ // Do basic PHP configuration checks
+ if (ini_get('magic_quotes_gpc')) {
+Index: tests/manual/issue-94/README.md
+===================================================================
+--- /dev/null
++++ tests/manual/issue-94/README.md
+@@ -0,0 +1,42 @@
++# Testing CSRF vulnerabilities (Issue #94)
++
++How to test:
++
++1. Start phppgadmin:
++
++```
++$ cd /path/to/phppgadmin
++$ php -S localhost:8000
++```
++
++2. Set up a testing domain in /etc/hosts:
++
++```
++127.0.0.1 localhost2
++```
++
++3. Start the tests
++
++```
++$ cd /path/to/phppgadmin/tests/manual/issue-94
++$ php -S localhost2:8001
++```
++
++4. Open both sites in the same browser (different windows or tabs):
++
++```
++http://localhost:8000
++```
++
++```
++http://localhost2:8001
++```
++
++5. Log in to phppgadmin
++
++6. Run a test
++
++Choose a test from the list. Open your console, and click "Submit Request" -- you should see a CORS error, but the request should also appear in the network tab. Open it to see the response.
++
++If you see a login page, phppgadmin is protected. If not, phppgadmin is vulnerable. 
++
+Index: tests/manual/issue-94/index.html
+===================================================================
+--- /dev/null
++++ tests/manual/issue-94/index.html
+@@ -0,0 +1,12 @@
++
++
++Issue #94 (CSRF vulnerabilities) proof of concepts
++
++
++

Issue #94: CSRF vulnerabilities

++
    ++
  • Proof of concept #1: out of band technique
  • ++
  • Proof of concept #2: remote code execution
  • ++
      ++ ++ +Index: tests/manual/issue-94/poc1.html +=================================================================== +--- /dev/null ++++ tests/manual/issue-94/poc1.html +@@ -0,0 +1,48 @@ ++ ++ ++ ++
      ++ ++
      ++ ++ +Index: tests/manual/issue-94/poc2.html +=================================================================== +--- /dev/null ++++ tests/manual/issue-94/poc2.html +@@ -0,0 +1,53 @@ ++ ++ ++ ++
      ++ ++
++
++
++
+Index: themes/global.css
+===================================================================
+--- themes/global.css.orig
++++ themes/global.css
+@@ -72,6 +72,26 @@ body.browser {
+ }
+ .ac_values {width:100%}
+
++/** alert banner **/
++.alert-banner {
++ background-color: #FEEFB3;
++ border: 1px dotted #9F6000;
++ color: #9F6000;
++ padding: 4px;
++ margin: 4px 0;
++}
++.alert-banner p {
++ margin: 0;
++ padding: 0;
++}
++.alert-banner p:before {
++ content: url(../../images/themes/default/ObjectNotFound.png);
++ vertical-align: -20%;
++}
++.alert-banner p a {
++ color: #9F6000;
++}
++
+ /** bottom link back to top **/
+ .bottom_link {
+ position: fixed;
+Index: themes/gotar/global.css
+===================================================================
+--- themes/gotar/global.css.orig
++++ themes/gotar/global.css
+@@ -136,6 +136,7 @@ td.opbutton1 a, td.opbutton2 a {
+ padding-left:6px;
+ padding-right:6px;
+ }
++.alert-banner { margin-top: 0 }
+ .topbar { border: 0 }
+ .topbar, .topbar *, .trail, .tab, .crumb {
+ border: 0;
diff --git a/phpPgAdmin.changes b/phpPgAdmin.changes
index e71d304..160c1de 100644
--- a/phpPgAdmin.changes
+++ b/phpPgAdmin.changes
@@ -1,3 +1,12 @@
+-------------------------------------------------------------------
+Thu Jul 14 15:41:56 UTC 2022 - chris@computersalat.de
+
+- Fix for boo#1162794 (CVE-2019-10784)
+ * add csrf-samesite-fix.patch
+ taken from here:
+ https://github.com/phppgadmin/phppgadmin/issues/94
+ https://github.com/phppgadmin/phppgadmin/pull/99
+
 -------------------------------------------------------------------
 Mon Dec 14 12:13:12 UTC 2020 - ecsos
diff --git a/phpPgAdmin.spec b/phpPgAdmin.spec
index d4ffc23..1b73e6c 100644
--- a/phpPgAdmin.spec
+++ b/phpPgAdmin.spec
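Review bot: In the libraries/lib.inc.php part of this hunk the `session.cookie_samesite` test is nested under `if (session_name() !== $our_session_name)`, so an auto-started session whose name is already PPA_ID (for example session.name set in php.ini) is never checked and keeps running without the SameSite flag this patch exists to enforce; the outer name test should be dropped and the `$setting` check applied directly, i.e. `$setting = strtolower(ini_get('session.cookie_samesite'));` followed by `if ($setting !== 'lax' && $setting !== 'strict') {` as the only guard. The whole feature is also gated on `$conf['extra_session_security']`, which only the new key in conf/config.inc.php-dist defines; an existing config.inc.php (and, as far as I can tell, the one produced by Patch0 in the spec) leaves the index undefined, which evaluates as false and silently disables the protection while emitting an undefined-index notice, so either the packaged config should gain the key or lib.inc.php should default it with `$conf['extra_session_security'] = $conf['extra_session_security'] ?? true;` before the check, bearing in mind that the PHP < 7.3 exit path then applies to such installs as well. The classes/Misc.php change reads `$conf` and `$lang` inside a method whose header is outside the hunk; if that method does not already declare `global $conf, $lang`, the banner condition reads an undefined local. The config.inc.php-dist comment carries two typos ("If this this solution", "auot-start") that could be corrected while the patch is being carried downstream.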
@@ -1,7 +1,7 @@
 #
 # spec file for package phpPgAdmin
 #
-# Copyright (c) 2020 SUSE LLC
+# Copyright (c) 2022 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -34,6 +34,7 @@ Source0: https://github.com/%{lc_name}/%{lc_name}/releases/download/%{rel
 Source1: %{name}.http
 Source2: %{name}.http.inc
 Patch0: %{name}-config.inc.patch
+Patch100: csrf-samesite-fix.patch
 BuildArch: noarch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: apache-rpm-macros
@@ -83,6 +84,7 @@ This subpackage contains the Apache configuration files
 %prep
 %setup -q
 %patch0
+%patch100
 ### remove not needed files
 pushd lang