Skip to content

fit remote code execution in history and template imports functionality #1625

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
Ngai-E wants to merge 4 commits into
base: master
Choose a base branch
from
Open

fit remote code execution in history and template imports functionality #1625

Ngai-E wants to merge 4 commits into from

Conversation

@Ngai-E
Copy link
Collaborator

@Ngai-E Ngai-E commented Jul 15, 2020

No description provided.

muarachmann
muarachmann reviewed Jul 30, 2020
View reviewed changes
interface/patient_file/letter.php
if (!isset($_POST['token'])) {
error_log('WARNING: A POST request detected with no csrf token found');
die('Authentication failed.');
} else if (!hash_equals(hash_hmac('sha256', '/letter.php.theform', $_SESSION['token']), $_POST['token'])) {
Copy link
Member

@muarachmann muarachmann Jul 30, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why is verifyCsrfTokenAndCompareHash not used here rather?

maggienegm
maggienegm reviewed Aug 1, 2020
View reviewed changes
patient_portal/import_template.php
if (!isset($_POST['token'])) {
error_log('WARNING: A POST request detected with no csrf token found');
die('Authentication failed.');
} else if (!(CsrfToken::verifyCsrfToken($_POST['token'])) {
Copy link
Contributor

@maggienegm maggienegm Aug 1, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're missing a closing parenthesis here too

maggienegm
maggienegm reviewed Aug 1, 2020
View reviewed changes
library/CsrfToken.php
// Function to verify a csrf token using with second token
function verifyCsrfTokenAndCompareHash($token, $secondToken)
{
if (hash_equals(hash_hmac('sha256', $secondToken, $_SESSION['token']), $token) {
Copy link
Contributor

@maggienegm maggienegm Aug 1, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're missing a closing parenthesis here too

Copy link
Contributor

@naveen17797 naveen17797 Aug 1, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Its necessary to type cast the inputs before supplying to hash_hmac, interesting things might occur if that is not done ( type juggling vulnerability ), if $secondToken is a user controlled input, if an array is passed, hash_hmac will return null.
For more details:
https://www.youtube.com/watch?v=MpeaSNERwQA

Copy link
Collaborator Author

@Ngai-E Ngai-E Aug 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @naveen17797 I will add that too.

maggienegm
maggienegm reviewed Aug 1, 2020
View reviewed changes
interface/billing/edi_history_main.php
if (!isset($_POST['token'])) {
error_log('WARNING: A POST request detected with no csrf token found');
die('Authentication failed.');
} else if (!(CsrfToken::verifyCsrfToken($_POST['token'])) {
Copy link
Contributor

@maggienegm maggienegm Aug 1, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You're missing a closing parenthesis here

Copy link
Collaborator Author

@Ngai-E Ngai-E Aug 2, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

thanks @maggienegm. I am guessing you fixed in here PR #1634?? have not checked yet. If you did then I can just close this.

Copy link
Contributor

@maggienegm maggienegm Aug 3, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes @Ngai-E , I fixed the closing parenthesis issues there

@maggienegm maggienegm mentioned this pull request Aug 3, 2020
Merged
@muarachmann
Copy link
Member

muarachmann commented Jul 19, 2021

@Ngai-E can you rebase thanks

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@muarachmann muarachmann muarachmann left review comments

+2 more reviewers

@maggienegm maggienegm maggienegm left review comments

@naveen17797 naveen17797 naveen17797 left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@Ngai-E @muarachmann @maggienegm @naveen17797