Yes, there are a few vulnerabilities in this code.
This could potentially be a problem:
define('QUERY_SCRIPT', basename($_SERVER['PHP_SELF']));
PHP_SELF is bad because an attacker can control this variable. For instance, try printing PHP_SELF when you access the script with this URL: http://localhost/index.php/test/junk/hacked. Avoid this variable as much as possible; if you do use it, make sure you sanitize it. It is very common to see XSS crop up when using this variable.
1st Vulnerability:
setcookie(COOKIE_USER, md5($user), COOKIE_LIVETIME, CP_HTTP_ROOT);
setcookie(COOKIE_PASS, $pass, COOKIE_LIVETIME, CP_HTTP_ROOT);
This is a rather serious vulnerability. If an attacker had SQL injection in your application, then they could obtain the md5 hash and the user name and log in immediately without having to break the md5() hash. It is as if you are storing passwords in clear text.
This session vulnerability is twofold: it is also an "immortal session". Session IDs must always be large, randomly generated values that expire. If they don't expire, then they are much easier to brute force.
You should NEVER re-invent the wheel: call session_start() at the very start of your application and this will automatically generate a secure session id that expires. Then use a session variable like $_SESSION['user'] to keep track of whether the browser is actually logged in.
2nd vulnerability:
$pass = md5($_POST['pass']);
md5() is proven to be insecure because collisions have been intentionally generated. md5() should never be used for passwords. You should use a member of the SHA-2 family; SHA-256 or SHA-512 are great choices.
3rd Vulnerability:
I don't see any CSRF protection for your authentication logic. I suspect that all requests in your application are vulnerable to CSRF.
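The three fixes from the answer above (server-side session instead of user/password cookies, a slow salted password hash, and a CSRF token on the login form) put together in one login script. This is an added example, not code from the question or the answer; the `users` table, the form field names `user`/`pass`/`csrf`, and the sample account are constructed assumptions, and `password_hash()`/`password_verify()` is used in place of the raw SHA-2 digest the answer suggests.

```php
<?php
// Added example, not code from the question or the answer. Assumes a `users`
// table (constructed in-memory here) and the field names `user`/`pass`/`csrf`.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start(); // framework session id: random, expiring, nothing hand-rolled

// Vulnerable pattern from the question, kept for contrast: the cookie carries
// md5($user) and the password hash itself, so whoever reads either is logged in.
// setcookie(COOKIE_USER, md5($user), COOKIE_LIVETIME, CP_HTTP_ROOT);
// setcookie(COOKIE_PASS, $pass,     COOKIE_LIVETIME, CP_HTTP_ROOT);

$pdo = new PDO('sqlite::memory:');  // constructed sample store
$pdo->exec('CREATE TABLE users(name TEXT PRIMARY KEY, pass_hash TEXT)');
$pdo->prepare('INSERT INTO users VALUES (?, ?)')
    ->execute(['alice', password_hash('correct horse', PASSWORD_DEFAULT)]);

function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32)); // 256-bit random token
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool {
    // hash_equals() compares in constant time, so no timing side channel
    return is_string($submitted) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

function login(PDO $pdo, string $user, string $pass): bool {
    $stmt = $pdo->prepare('SELECT pass_hash FROM users WHERE name = ?'); // no SQLi
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // password_verify() (salted, slow hash) replaces both md5() and a raw SHA-2 digest
    if ($row === false || !password_verify($pass, $row['pass_hash'])) {
        return false;
    }
    session_regenerate_id(true); // fresh id on privilege change: defeats fixation
    $_SESSION['user'] = $user;   // server-side login marker; no secret in any cookie
    return true;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) { http_response_code(403); exit('bad CSRF token'); }
    if (login($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? '')) { header('Location: /'); exit; }
}
// Form action is a fixed path, not PHP_SELF; the token is escaped on output.
echo '<form method="post" action="/index.php">'
   . '<input type="hidden" name="csrf" value="' . htmlspecialchars(csrf_token()) . '">'
   . 'User <input name="user"> Pass <input name="pass" type="password"><button>Login</button></form>';
```

Any later request checks `isset($_SESSION['user'])` rather than reading a cookie, so a leaked cookie or database dump no longer hands out a working login.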