Fix reCaptcha bypass
Signed-off-by: Madhura Jayaratne <madhura.cj@gmail.com>
madhuracj committed Sep 7, 2015
1 parent 5b2b959 commit 785f4e2
Showing 3 changed files with 15 additions and 36 deletions.
3 changes: 3 additions & 0 deletions ChangeLog
@@ -1,6 +1,9 @@
phpMyAdmin - ChangeLog
======================

4.4.14.1 (Not yet released)
- issue [security] reCaptcha bypass

4.4.14.0 (2015-08-20)
- issue #11367 Export after search, missing WHERE clause
- issue #11380 Incomplete message after import
31 changes: 2 additions & 29 deletions libraries/plugins/auth/AuthenticationCookie.class.php
Expand Up @@ -223,18 +223,9 @@ public function auth()
. $GLOBALS['server'] . '" />';
} // end if (server choice)

// We already have one correct captcha.
$skip = false;
if ( isset($_SESSION['last_valid_captcha'])
&& $_SESSION['last_valid_captcha']
) {
$skip = true;
}

// Add captcha input field if reCaptcha is enabled
if ( !empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& !empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
&& !$skip
) {
// If enabled show captcha to the user on the login screen.
echo '<script src="https://www.google.com/recaptcha/api.js?hl='
Expand Down Expand Up @@ -336,8 +327,6 @@ public function authCheck()

if (! defined('TESTSUITE')) {
session_destroy();
// $_SESSION array is not immediately emptied
$_SESSION['last_valid_captcha'] = false;
}
// -> delete password cookie(s)
if ($GLOBALS['cfg']['LoginCookieDeleteAll']) {
Expand All @@ -359,18 +348,9 @@ public function authCheck()

if (! empty($_REQUEST['pma_username'])) {

// We already have one correct captcha.
$skip = false;
if (isset($_SESSION['last_valid_captcha'])
&& $_SESSION['last_valid_captcha']
) {
$skip = true;
}

// Verify Captcha if it is required.
if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey'])
&& ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey'])
&& ! $skip
) {
if (! empty($_POST["g-recaptcha-response"])) {

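Review bot: The captcha gate `if (! empty($GLOBALS['cfg']['CaptchaLoginPrivateKey']) && ! empty($GLOBALS['cfg']['CaptchaLoginPublicKey']))` fails open: now that the session-based skip is gone this condition is the only thing deciding whether a login is challenged, and a deployment that sets exactly one of the two keys silently gets no captcha at all (the same pattern appears in auth() in the first hunk). Consider treating a half-configured captcha as a configuration error rather than skipping the check, for example by testing `|| ` instead of `&&` and letting the verification fail on the missing key, or by rejecting the login with a clear message when only one key is present. authCheck() starts and ends outside this hunk, so I cannot see whether the keys are validated elsewhere; if they are, a one-line comment here saying so would save the next reader the same question.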
Expand All @@ -388,18 +368,11 @@ public function authCheck()
// Check if the captcha entered is valid, if not stop the login.
if ($resp == null || ! $resp->isSuccess()) {
$conn_error = __('Entered captcha is wrong, try again!');
$_SESSION['last_valid_captcha'] = false;
return false;
} else {
$_SESSION['last_valid_captcha'] = true;
}
} else {
if (! isset($_SESSION['last_valid_captcha'])
|| ! $_SESSION['last_valid_captcha']
) {
$conn_error = __('Please enter correct captcha!');
return false;
}
$conn_error = __('Please enter correct captcha!');
return false;
}
}

17 changes: 10 additions & 7 deletions test/classes/plugin/auth/PMA_AuthenticationCookie_test.php
Expand Up @@ -186,7 +186,8 @@ public function testAuth()
$GLOBALS['cfg']['Lang'] = 'en';
$GLOBALS['cfg']['AllowArbitraryServer'] = true;
$GLOBALS['cfg']['Servers'] = array(1, 2);
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$GLOBALS['target'] = 'testTarget';
$GLOBALS['db'] = 'testDb';
$GLOBALS['table'] = 'testTable';
Expand Down Expand Up @@ -308,7 +309,6 @@ public function testAuth()
$GLOBALS['cfg']['Lang'] = '';
$GLOBALS['cfg']['AllowArbitraryServer'] = false;
$GLOBALS['cfg']['Servers'] = array(1);
$_SESSION['last_valid_captcha'] = false;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
$GLOBALS['server'] = 0;
Expand Down Expand Up @@ -431,7 +431,6 @@ public function testAuthCheck()

// case 2

$_SESSION['last_valid_captcha'] = false;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = 'testprivkey';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = 'testpubkey';
$_POST["g-recaptcha-response"] = '';
Expand Down Expand Up @@ -481,7 +480,8 @@ public function testAuthCheck()

// case 6

$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$_REQUEST['old_usr'] = '';
$_REQUEST['pma_username'] = 'testPMAUser';
$_REQUEST['pma_servername'] = 'testPMAServer';
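Review bot: Case 6 (and the decrypt tests below) were adapted by turning the captcha off via empty `CaptchaLoginPrivateKey`/`CaptchaLoginPublicKey` rather than by exercising the path this commit fixes, so nothing here would fail if the session-based skip were reintroduced. Consider adding a regression case with both keys set, `$_POST['g-recaptcha-response'] = ''` and `$_SESSION['last_valid_captcha'] = true`, asserting that authCheck() returns false and `$conn_error` is the "Please enter correct captcha!" message. testAuthCheck() starts and ends outside this hunk, so an existing case covering this may be out of view.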
Expand Down Expand Up @@ -611,7 +611,8 @@ public function testAuthCheckDecryptUser()
$_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
$GLOBALS['cfg']['blowfish_secret'] = 'secret';
$_SESSION['last_access_time'] = '';
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';

// mock for blowfish function
$this->object = $this->getMockBuilder('AuthenticationCookie')
Expand Down Expand Up @@ -649,7 +650,8 @@ public function testAuthCheckDecryptPassword()
$_COOKIE['pmaPass-1'] = 'pmaPass1';
$_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
$GLOBALS['cfg']['blowfish_secret'] = 'secret';
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$_SESSION['last_access_time'] = time() - 1000;
$GLOBALS['cfg']['LoginCookieValidity'] = 1440;

Expand Down Expand Up @@ -694,7 +696,8 @@ public function testAuthCheckAuthFails()
$_COOKIE['pma_iv-1'] = base64_encode('testiv09testiv09');
$GLOBALS['cfg']['blowfish_secret'] = 'secret';
$_SESSION['last_access_time'] = 1;
$_SESSION['last_valid_captcha'] = true;
$GLOBALS['cfg']['CaptchaLoginPrivateKey'] = '';
$GLOBALS['cfg']['CaptchaLoginPublicKey'] = '';
$GLOBALS['cfg']['LoginCookieValidity'] = 0;
$_SESSION['last_access_time'] = -1;
// mock for blowfish function
