Security fix

JulianPrieber · JulianPrieber · commit b3e0b36dbab2 · 2023-07-14T17:59:39.000+02:00
diff --git a/app/Http/Controllers/AdminController.php b/app/Http/Controllers/AdminController.php
@@ -675,7 +675,7 @@ public function authAs(request $request)
 
         $user = User::find($userID);
 
-        if($user->remember_token == $token){
+        if($user->remember_token == $token && $request->session()->get('display_auth_nav') === $user->remember_token){
             $user->auth_as = null;
             $user->remember_token = null;
             $user->save();
@@ -686,7 +686,7 @@ public function authAs(request $request)
 
         return redirect('/admin/users/all');
         } else {
-            return redirect('');
+            Auth::logout();
         }
 
     }
diff --git a/app/Http/Middleware/Impersonate.php b/app/Http/Middleware/Impersonate.php
@@ -35,23 +35,25 @@ public function handle($request, Closure $next)
         }
 
             Auth::loginUsingId($id);
-            $request->session()->put('display_auth_nav', true);
+            $request->session()->put('display_auth_nav', $token);
             $request->session()->save();
         }
 
 if($request->session()->has('display_auth_nav')) {
+$dashboard = url('dashboard');
+$URL = url('/auth-as');
+$csrf = csrf_token();
+$remember_token = User::find($originalUser);
+$token = $remember_token->remember_token;
+$storageToken = $request->session()->get('display_auth_nav');
+if($storageToken === $token) {
 if (file_exists(base_path(findAvatar($id)))) {
     $img = '<img alt="avatar" class="iimg irounded" src="' . url(findAvatar($id)) . '">';
 } elseif (file_exists(base_path("assets/linkstack/images/").findFile('avatar'))) {
     $img = '<img alt="avatar" class="iimg irounded" src="' . url("assets/linkstack/images/") . "/" . findFile('avatar') . '">';
 } else {
     $img = '<img alt="avatar" class="iimg" src="' . asset('assets/linkstack/images/logo.svg') . '">';
 }
-$dashboard = url('dashboard');
-$URL = url('/auth-as');
-$csrf = csrf_token();
-$remember_token = User::find($originalUser);
-$token = $remember_token->remember_token;
 $customHtml =
 <<<EOD
 
@@ -154,6 +156,6 @@ function submitForm() {
                 Auth::logout();
             }
             return $next($request);
-        }
+        }}else{return $next($request);}
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -675,7 +675,7 @@ public function authAs(request $request)`
`675`	`675`
`676`	`676`	`$user = User::find($userID);`
`677`	`677`
`678`		`- if($user->remember_token == $token){`
	`678`	`+ if($user->remember_token == $token && $request->session()->get('display_auth_nav') === $user->remember_token){`
`679`	`679`	`$user->auth_as = null;`
`680`	`680`	`$user->remember_token = null;`
`681`	`681`	`$user->save();`
`@@ -686,7 +686,7 @@ public function authAs(request $request)`
`686`	`686`
`687`	`687`	`return redirect('/admin/users/all');`
`688`	`688`	`} else {`
`689`		`- return redirect('');`
	`689`	`+ Auth::logout();`
`690`	`690`	`}`
`691`	`691`
`692`	`692`	`}`