Commit f5d7ba73 authored by Carsten  Rose's avatar Carsten Rose

Security: Honeypot vars - check if any of the honeypot vars is filled - if yes, it's an attack.

Config.php: Defaults are now set in Config.php, not in Store.php anymore. New functions setDefaults(), checkForAttack().
parent 434cac36
......@@ -53,3 +53,7 @@ WKHTMLTOPDF = /opt/wkhtmltox/bin/wkhtmltopdf
;LDAP_1_RDN =
;LDAP_1_PASSWORD =
;SECURITY_VARS_HONEYPOT=email,username,password
;SECURITY_ATTACK_DELAY=5
;SECURITY_SHOW_MESSAGE=true
\ No newline at end of file
......@@ -367,6 +367,11 @@ const SYSTEM_REPORT_FULL_LEVEL = 'reportFullLevel'; // Keyname of SQL-column pro
const SYSTEM_LDAP_1_RDN = 'LDAP_1_RDN'; // Credentials to access LDAP
const SYSTEM_LDAP_1_PASSWORD = 'LDAP_1_PASSWORD'; // Credentials to access LDAP
const SYSTEM_SECURITY_VARS_HONEYPOT = 'SECURITY_VARS_HONEYPOT'; // Fake variables
const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Fake variables
const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Fake variables
// Not stored in config.qfq.ini, but used in STORE_SYSTEM
const SYSTEM_DOWNLOAD_POPUP = 'hasDownloadPopup'; // Marker which is set to 'true' if there is at least one Download Link rendered
const DOWNLOAD_POPUP_REQUEST = 'true';
......
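Review bot: The trailing comments on `SYSTEM_SECURITY_ATTACK_DELAY` and `SYSTEM_SECURITY_SHOW_MESSAGE` both read `// Fake variables`, copied from the honeypot line above, and do not describe what those two settings do. Based on how Config.php uses them in this commit, `// Seconds to sleep before aborting a request that filled a honeypot var` and `// 'true': print a short message before aborting a detected request` would document them. The first line could be sharpened as well, e.g. `// Comma separated list of fake form field names: any filled one aborts the request`.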
......@@ -10,7 +10,8 @@ namespace qfq;
use qfq;
require_once(__DIR__ . '/../../qfq/Constants.php');
require_once(__DIR__ . '/../Constants.php');
require_once(__DIR__ . '/../helper/Support.php');
class Config {
......@@ -40,6 +41,63 @@ class Config {
}
$config = self::renameConfigElements($config);
$config = self::setDefaults($config);
self::checkForAttack($config);
return $config;
}
/**
* @param array $config
*/
private static function checkForAttack(array $config) {
$flag = false;
// Iterate over all fake vars
$arr = explode(',', $config[SYSTEM_SECURITY_VARS_HONEYPOT]);
foreach ($arr as $key) {
if (!empty($_POST[$key]) || !empty($_GET[$key])) {
$flag = true;
}
}
// Nothing found?
if (!$flag) {
return;
}
// Sleep
if (!empty($config[SYSTEM_SECURITY_ATTACK_DELAY])) {
sleep($config[SYSTEM_SECURITY_ATTACK_DELAY]);
}
if ($config[SYSTEM_SECURITY_SHOW_MESSAGE] == 'true') {
echo "Attack detected - stop process";
}
exit;
}
/**
* @param array $config
* @return array
*/
private static function setDefaults(array $config) {
// Defaults
Support::setIfNotSet($config, SYSTEM_DATE_FORMAT, 'yyyy-mm-dd');
Support::setIfNotSet($config, SYSTEM_SHOW_DEBUG_INFO, 'auto');
Support::setIfNotSet($config, F_BS_COLUMNS, '12');
Support::setIfNotSet($config, F_BS_LABEL_COLUMNS, '3');
Support::setIfNotSet($config, F_BS_INPUT_COLUMNS, '6');
Support::setIfNotSet($config, F_BS_NOTE_COLUMNS, '3');
Support::setIfNotSet($config, F_CLASS_PILL, 'qfq-color-grey-1');
Support::setIfNotSet($config, F_CLASS_BODY, 'qfq-color-grey-2');
Support::setIfNotSet($config, F_BUTTON_ON_CHANGE_CLASS, 'btn-info alert-info');
Support::setIfNotSet($config, SYSTEM_EDIT_FORM_PAGE, 'form');
Support::setIfNotSet($config, SYSTEM_SECURITY_VARS_HONEYPOT, 'email,username,password');
Support::setIfNotSet($config, SYSTEM_SECURITY_ATTACK_DELAY, '5');
Support::setIfNotSet($config, SYSTEM_SECURITY_SHOW_MESSAGE, 'true');
return $config;
}
......
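Review bot: checkForAttack() terminates with a bare `exit` (after an optional `echo`), so a request that filled a honeypot field is answered with HTTP 200 and nothing is written to a log, leaving an operator no way to tell these aborts apart from normal page loads. Set an explicit status and log before exiting, e.g. `http_response_code(403);` and `error_log('qfq: honeypot field filled - request aborted');` ahead of the `echo`. Two smaller points in the same method: `sleep()` expects an int while the ini value arrives as a string (`'5'` via setDefaults), so `sleep((int)$config[SYSTEM_SECURITY_ATTACK_DELAY]);` is safer, and the `explode(',', ...)` entries are not trimmed, so `email, username` in the ini would silently check `' username'`. Each delayed request also holds a PHP worker for the configured seconds, which is worth capping to a small value. The method whose tail opens the hunk (`readConfig()`, presumably) begins outside it.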
......@@ -187,18 +187,6 @@ class Store {
$cfg = new Config();
$config = $cfg->readConfig($fileConfigIni);
// Defaults
Support::setIfNotSet($config, SYSTEM_DATE_FORMAT, 'yyyy-mm-dd');
Support::setIfNotSet($config, SYSTEM_SHOW_DEBUG_INFO, 'auto');
Support::setIfNotSet($config, F_BS_COLUMNS, '12');
Support::setIfNotSet($config, F_BS_LABEL_COLUMNS, '3');
Support::setIfNotSet($config, F_BS_INPUT_COLUMNS, '6');
Support::setIfNotSet($config, F_BS_NOTE_COLUMNS, '3');
Support::setIfNotSet($config, F_CLASS_PILL, 'qfq-color-grey-1');
Support::setIfNotSet($config, F_CLASS_BODY, 'qfq-color-grey-2');
Support::setIfNotSet($config, F_BUTTON_ON_CHANGE_CLASS, 'btn-info alert-info');
Support::setIfNotSet($config, SYSTEM_EDIT_FORM_PAGE, 'form');
$config = self::doSystemPath($config);
$config = self::adjustConfig($config);
......