Index: classes/Misc.php
===================================================================
--- classes/Misc.php.orig
+++ classes/Misc.php
@@ -1333,6 +1333,10 @@
 $server_info = $this->getServerInfo();
 $reqvars = $this->getRequestVars('table');
+ if (!$conf['extra_session_security']) {
+ echo '
'; + } + echo "";
if ($server_info && isset($server_info['platform']) && isset($server_info['username'])) {
Index: conf/config.inc.php-dist
===================================================================
--- conf/config.inc.php-dist.orig
+++ conf/config.inc.php-dist
@@ -89,6 +89,15 @@
// your browser preference.
$conf['default_lang'] = 'auto';
+ // If extra session security is true, then PHP's session cookies will have
+ // SameSite cookie flags set to prevent CSRF attacks. If you're using
+ // auto-start sessions, autostarted sessions will be destroyed and
+ // restarted with SameSite on. If this this solution is not acceptable for
+ // your situation, you will need to either turn off auot-start sessions, or
+ // turn off secure sessions. Versions of PHP below 7.3 do not have access
+ // to this feature and will be vulnerable to CSRF attacks.
+ $conf['extra_session_security'] = true;
+
// AutoComplete uses AJAX interaction to list foreign key values
// on insert fields. It currently only works on single column
// foreign keys. You can choose one of the following values:
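Review bot: The comment above the new `$conf['extra_session_security']` key overstates what the option buys: a SameSite cookie attribute limits cross-site request forgery only in browsers that honour it, and the code this key switches on (visible in the libraries/lib.inc.php hunk of this patch) sets nothing else on the cookie — no `Secure`, no `HttpOnly`, no id regeneration — so "to prevent CSRF attacks" should be softened to "to block most cross-site request forgery". The last sentence tells the admin to "turn off secure sessions", which is not the name of any key; say "set `$conf['extra_session_security']` to false" so the reader knows exactly what to change and what risk that accepts. Two typos in the same paragraph: "If this this solution" and "auot-start". Suggested replacement for the first two sentences: `// If true, the PHP session cookie is sent with SameSite=Strict, which blocks most cross-site request forgery in browsers that honour the attribute (requires PHP 7.3 or later).`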
Index: lang/english.php
===================================================================
--- lang/english.php.orig
+++ lang/english.php
@@ -807,6 +807,7 @@
$lang['strloading'] = 'Loading...';
$lang['strerrorloading'] = 'Error Loading';
$lang['strclicktoreload'] = 'Click to reload';
+ $lang['sessionsecuritywarning'] = 'You are running phpPgAdmin without session security.';
// Autovacuum
$lang['strautovacuum'] = 'Autovacuum';
Index: libraries/lib.inc.php
===================================================================
--- libraries/lib.inc.php.orig
+++ libraries/lib.inc.php
@@ -50,11 +50,36 @@
require_once('./classes/Misc.php');
$misc = new Misc();
- // Start session (if not auto-started)
- if (!ini_get('session.auto_start')) {
- session_name('PPA_ID');
- session_start();
- }
+ // Session start: if extra_session_security is on, make sure cookie_samesite
+ // is on (exit if we fail); otherwise, just start the session
+ $our_session_name = 'PPA_ID';
+ if ($conf['extra_session_security']) {
+ if (version_compare(phpversion(), '7.3', '<')) {
+ exit('PHPPgAdmin cannot be fully secured while running under PHP versions before 7.3. Please upgrade PHP if possible. If you cannot upgrade, and you\'re willing to assume the risk of CSRF attacks, you can change the value of "extra_session_security" to false in your config.inc.php file.');
+ }
+ if (ini_get('session.auto_start')) {
+ // If session.auto_start is on, and the session doesn't have
+ // session.cookie_samesite set, destroy and re-create the session
+ if (session_name() !== $our_session_name) {
+ $setting = strtolower(ini_get('session.cookie_samesite'));
+ if ($setting !== 'lax' && $setting !== 'strict') {
+ session_destroy();
+ session_name($our_session_name);
+ ini_set('session.cookie_samesite', 'Strict');
+ session_start();
+ }
+ }
+ } else {
+ session_name($our_session_name);
+ ini_set('session.cookie_samesite', 'Strict');
+ session_start();
+ }
+ } else {
+ if (!ini_get('session.auto_start')) {
+ session_name($our_session_name);
+ session_start();
+ }
+ }
// Do basic PHP configuration checks
if (ini_get('magic_quotes_gpc')) {
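Review bot: The gate `if ($conf['extra_session_security'])` fails open: an installation whose config.inc.php predates this patch has no such key, so the test is false (with an undefined-index notice) and the session silently starts without SameSite; a security default should treat a missing key as enabled, e.g. `$extra_security = !isset($conf['extra_session_security']) || $conf['extra_session_security'];` and branch on that. In the auto-start branch the `$setting` check is nested inside `if (session_name() !== $our_session_name)`, so when php.ini already sets `session.name = PPA_ID` the auto-started session is kept whatever `session.cookie_samesite` says — the SameSite check should run unconditionally and the name comparison should only decide whether `session_name()` needs calling. The header comment promises to "exit if we fail", but only the version check exits; the `ini_set()` return values are ignored, so after `session_start()` it would be worth verifying `session_get_cookie_params()['samesite']` and bailing out when it is empty. Two smaller points: `session_destroy()` does not remove the auto-started cookie from the browser, so every subsequent request will auto-start and then destroy a throwaway session before PPA_ID is started (functional, but deserves a comment), and since this code already touches cookie flags, `ini_set('session.cookie_httponly', '1');` next to the SameSite line would be a cheap addition.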
Index: tests/manual/issue-94/README.md
===================================================================
--- /dev/null
+++ tests/manual/issue-94/README.md
@@ -0,0 +1,42 @@
+# Testing CSRF vulnerabilities (Issue #94)
+
+How to test:
+
+1. Start phppgadmin:
+
+```
+$ cd /path/to/phppgadmin
+$ php -S localhost:8000
+```
+
+2. Set up a testing domain in /etc/hosts:
+
+```
+127.0.0.1 localhost2
+```
+
+3. Start the tests
+
+```
+$ cd /path/to/phppgadmin/tests/manual/issue-94
+$ php -S localhost2:8001
+```
+
+4. Open both sites in the same browser (different windows or tabs):
+
+```
+http://localhost:8000
+```
+
+```
+http://localhost2:8001
+```
+
+5. Log in to phppgadmin
+
+6. Run a test
+
+Choose a test from the list. Open your console, and click "Submit Request" -- you should see a CORS error, but the request should also appear in the network tab. Open it to see the response.
+
+If you see a login page, phppgadmin is protected. If not, phppgadmin is vulnerable.
+
Index: tests/manual/issue-94/index.html
===================================================================
--- /dev/null
+++ tests/manual/issue-94/index.html
@@ -0,0 +1,12 @@
+
+
+Issue #94: CSRF vulnerabilities+
|