From 6c37836b3e1e86ceb847ce7e7df6fe0cf613c2e9 Mon Sep 17 00:00:00 2001 From: Laurent Destailleur Date: Sat, 18 Sep 2021 18:28:02 +0200 Subject: [PATCH] Show value of MAIN_SECURITY_CSRF_WITH_TOKEN in setup page --- SECURITY.md | 3 +- htdocs/admin/system/security.php | 130 ++++++++++++++++--------------- 2 files changed, 68 insertions(+), 65 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index 4c7fbaa8fd5..bec9c992351 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -90,9 +90,8 @@ Scope is the web application (back office) and the APIs. * Clickjacking/UI redressing * Physical or social engineering attempts or issues that require physical access to a victim’s computer/device * Presence of autocomplete attribute on web forms -* Vulnerabilities affecting outdated browsers or platforms +* Vulnerabilities affecting outdated browsers or platforms, or vulnerabilities inside browsers themself. * Logout and other instances of low-severity Cross-Site Request Forgery -* Missing cookie flags * Missing security-related HTTP headers which do not lead directly to a vulnerability * Reports from automated web vulnerability scanners (Acunetix, Vega, etc.) that have not been validated * Invalid or missing SPF (Sender Policy Framework) records (Incomplete or missing SPF/DKIM/DMARC) diff --git a/htdocs/admin/system/security.php b/htdocs/admin/system/security.php index 8a6d6bbb4ed..db2b8374b9b 100644 --- a/htdocs/admin/system/security.php +++ b/htdocs/admin/system/security.php @@ -340,69 +340,6 @@ if (empty($out)) { } print '
'; -print '
'; -print '
'; -print '
'; - - -print load_fiche_titre($langs->trans("OtherSetup").' ('.$langs->trans("Experimental").')', '', 'folder'); - - -//print ''.$langs->trans("PasswordEncryption").': '; -print 'MAIN_SECURITY_HASH_ALGO = '.(empty($conf->global->MAIN_SECURITY_HASH_ALGO) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_HASH_ALGO)."   "; -if (empty($conf->global->MAIN_SECURITY_HASH_ALGO)) { - print '     If unset: \'md5\''; -} -if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') { - print '
MAIN_SECURITY_SALT = '.(empty($conf->global->MAIN_SECURITY_SALT) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_SALT).'
'; -} else { - print '('.$langs->trans("Recommended").': password_hash)'; - print '
'; -} -if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') { - print '
The recommanded value for MAIN_SECURITY_HASH_ALGO is now \'password_hash\' but setting it now will make ALL existing passwords of all users not valid, so update is not possible.
'; - print 'If you really want to switch, you must:
'; - print '- Go on home - setup - other and add constant MAIN_SECURITY_HASH_ALGO to value \'password_hash\'
'; - print '- In same session, WITHOUT LOGGING OUT, go into your admin user record and set a new password
'; - print '- You can now logout and login with this new password. You must now reset password of all other users.
'; - print '

'; -} -print '
'; - -print 'MAIN_SECURITY_ANTI_SSRF_SERVER_IP = '.(empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': List of static IPs of server separated with coma - '.$langs->trans("Note").': common loopback ip like 127.*.*.*, [::1] are already added)' : $conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP)."
"; -print '
'; - -print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES).'   ('.$langs->trans("Recommended").': 0)
'; -print '
'; - -print 'MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE = '.(empty($conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE).'   ('.$langs->trans("Recommended").': 1)
'; -print '
'; - -print 'MAIN_RESTRICTHTML_ONLY_VALID_HTML = '.(empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': 1)' : $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)."
"; -print '
'; - -print 'MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = '.(empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': 1)' : $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)."
"; -print '
'; - -print 'MAIN_EXEC_USE_POPEN = '; -if (empty($conf->global->MAIN_EXEC_USE_POPEN)) { - print ''.$langs->trans("Undefined").''; -} else { - print $conf->global->MAIN_EXEC_USE_POPEN; -} -if ($execmethod == 1) { - print ', "exec" PHP method will be used for shell commands'; - print '   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)'; - print ''; -} -if ($execmethod == 2) { - print ', "popen" PHP method will be used for shell commands'; - print '   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)'; - print ''; -} -print "
"; -print '
'; - // Modules/Applications @@ -462,6 +399,73 @@ if (empty($conf->api->enabled) && empty($conf->webservices->enabled)) { print '

'; + +print '
'; + + +print load_fiche_titre($langs->trans("OtherSetup").' ('.$langs->trans("Experimental").')', '', 'folder'); + + +//print ''.$langs->trans("PasswordEncryption").': '; +print 'MAIN_SECURITY_HASH_ALGO = '.(empty($conf->global->MAIN_SECURITY_HASH_ALGO) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_HASH_ALGO)."   "; +if (empty($conf->global->MAIN_SECURITY_HASH_ALGO)) { + print '     If unset: \'md5\''; +} +if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') { + print '
MAIN_SECURITY_SALT = '.(empty($conf->global->MAIN_SECURITY_SALT) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_SECURITY_SALT).'
'; +} else { + print '('.$langs->trans("Recommended").': password_hash)'; + print '
'; +} +if ($conf->global->MAIN_SECURITY_HASH_ALGO != 'password_hash') { + print '
The recommanded value for MAIN_SECURITY_HASH_ALGO is now \'password_hash\' but setting it now will make ALL existing passwords of all users not valid, so update is not possible.
'; + print 'If you really want to switch, you must:
'; + print '- Go on home - setup - other and add constant MAIN_SECURITY_HASH_ALGO to value \'password_hash\'
'; + print '- In same session, WITHOUT LOGGING OUT, go into your admin user record and set a new password
'; + print '- You can now logout and login with this new password. You must now reset password of all other users.
'; + print '

'; +} +print '
'; + +print 'MAIN_SECURITY_ANTI_SSRF_SERVER_IP = '.(empty($conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': List of static IPs of server separated with coma - '.$langs->trans("Note").': common loopback ip like 127.*.*.*, [::1] are already added)' : $conf->global->MAIN_SECURITY_ANTI_SSRF_SERVER_IP)."
"; +print '
'; + +print 'MAIN_ALLOW_SVG_FILES_AS_IMAGES = '.(empty($conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES) ? '0' : $conf->global->MAIN_ALLOW_SVG_FILES_AS_IMAGES).'   ('.$langs->trans("Recommended").': 0)
'; +print '
'; + +print 'MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE = '.(empty($conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE) ? ''.$langs->trans("Undefined").'' : $conf->global->MAIN_ALWAYS_CREATE_LOCK_AFTER_LAST_UPGRADE).'   ('.$langs->trans("Recommended").': 1)
'; +print '
'; + +print 'MAIN_RESTRICTHTML_ONLY_VALID_HTML = '.(empty($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': 1)' : $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML)."
"; +print '
'; + +print 'MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = '.(empty($conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': 1)' : $conf->global->MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES)."
"; +print '
'; + +print 'MAIN_SECURITY_CSRF_WITH_TOKEN = '.(empty($conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN) ? ''.$langs->trans("Undefined").'   ('.$langs->trans("Recommended").': 1)' : $conf->global->MAIN_SECURITY_CSRF_WITH_TOKEN)."
"; +print '
'; + + +print 'MAIN_EXEC_USE_POPEN = '; +if (empty($conf->global->MAIN_EXEC_USE_POPEN)) { + print ''.$langs->trans("Undefined").''; +} else { + print $conf->global->MAIN_EXEC_USE_POPEN; +} +if ($execmethod == 1) { + print ', "exec" PHP method will be used for shell commands'; + print '   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)'; + print ''; +} +if ($execmethod == 2) { + print ', "popen" PHP method will be used for shell commands'; + print '   ('.$langs->trans("Recommended").': '.$langs->trans("Undefined").' '.$langs->trans("or").' 1)'; + print ''; +} +print "
"; +print '
'; + + // End of page llxFooter(); $db->close();