Skip to content

Security Issue #19

Description

@exmex

In loginprocess is a massive security issue. You can "post" EVERY url to return.

https://github.com/warhawk3407/bgpanel/blob/master/admin/loginprocess.php#L111

header( "Location: ".urldecode($return));

https://github.com/warhawk3407/bgpanel/blob/master/admin/loginprocess.php#L109

My fix for it:

if (!empty($return) && parse_url($_SERVER['HTTP_HOST'], PHP_URL_HOST) == parse_url($return, PHP_URL_HOST))

It compares the host from the return argument & the http host host :)
(parse_url for $_SERVER because it contains ports if not running on default 80 / 443)

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions