Added security check sidebar
Added a security check to sidebar.blade.php that tests whether critical config components are accessible externally by anyone. This is a fairly crude method and not at all optimized; I might change it in future revisions. At least the feature is disabled for normal users, so it won't affect page load for non-admins. This is the same code as the new diagnostic tool added in the previous commit. I had to rename each variable, otherwise the diagnostic tool could not use the same variables. The smarter approach would probably be to use the variables only in the sidebar, since the sidebar layout is included in the diagnostic tool anyway, so the variables are currently loaded twice. I might change this later, but for now I will leave it as is. Read more about the diagnostic tool on the blog here: https://blog.littlelink-custom.com/new-security-check-tool/
This commit is contained in:
parent
89f8361edd
commit
43cca4b191
@ -46,6 +46,40 @@
|
|||
@endif
|
||||
<!-- end dark mode detection -->
|
||||
|
||||
<?php //security check, checks if config files got compromised
|
||||
if(auth()->user()->role == 'admin'){
|
||||
|
||||
$serversb = $_SERVER['SERVER_NAME'];
|
||||
$urisb = $_SERVER['REQUEST_URI'];
|
||||
|
||||
// Tests if a URL has a valid SSL certificate
|
||||
function has_sslsb( $domain ) {
|
||||
$ssl_check = @fsockopen( 'ssl://' . $domain, 443, $errno, $errstr, 30 );
|
||||
$res = !! $ssl_check;
|
||||
if ( $ssl_check ) { fclose( $ssl_check ); }
|
||||
return $res;
|
||||
}
|
||||
|
||||
// Changes probed URL to HTTP if no valid SSL certificate is present, otherwise an error would be thrown
|
||||
if (has_sslsb($serversb)) {
|
||||
$actual_linksb = "https://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
|
||||
} else {
|
||||
$actual_linksb = "http://$_SERVER[HTTP_HOST]$_SERVER[REQUEST_URI]";
|
||||
}
|
||||
|
||||
// Files or directories to test if accessible externally
|
||||
$url1sb = Http::get($actual_linksb . '/../../.env');
|
||||
$url2sb = Http::get($actual_linksb . '/../../database/database.sqlite');
|
||||
|
||||
// sets compromised to true if config files got compromised
|
||||
if ($url1sb->successful() or $url2sb->successful()) {
|
||||
$compromised = "true";
|
||||
} else {
|
||||
$compromised = "false";
|
||||
}
|
||||
}
|
||||
// end security check ?>
|
||||
|
||||
@if(file_exists(base_path("littlelink/images/avatar.png" )))
|
||||
<link rel="icon" type="image/png" href="{{ asset('littlelink/images/avatar.png') }}">
|
||||
@else
|
||||
|
@ -207,7 +241,11 @@
|
|||
@endif
|
||||
<! –– #### end update detection #### ––>
|
||||
|
||||
<a class="nav-link" href="{{ url('') }}/@<?= Auth::user()->littlelink_name ?>" target="_blank">Watch Page</a>
|
||||
@if(auth()->user()->role == 'admin' and $compromised === "true")
|
||||
<a style="color:tomato;" class="nav-link" href="{{ url('panel/diagnose') }}" title="Your security is at risk. Some files can be accessed by everyone. Immediate action is required! Click this message to learn more.">Your security is at risk!</a>
|
||||
@endif
|
||||
|
||||
<a class="nav-link" href="{{ url('') }}/@<?= Auth::user()->littlelink_name ?>" target="_blank">View Page</a>
|
||||
</div>
|
||||
</li>
|
||||
</ul>
|
||||
|
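Review bot: Every admin page render now performs a blocking TLS connect with a 30-second timeout (`has_sslsb`) plus two synchronous `Http::get` calls with no timeout, and the target is built from the client-supplied `$_SERVER['HTTP_HOST']` and `REQUEST_URI`, so a host that cannot reach its own public name hangs the whole panel, a `REQUEST_URI` at a different depth than two segments makes `/../../.env` point at the wrong path, and a spoofed Host header (absent TrustedHosts middleware) turns the sidebar into an outbound request to an attacker-chosen host. Declaring the named function `has_sslsb` inside the view will also fatal with "Cannot redeclare" if the view is ever rendered twice in one request, and `$urisb` is assigned but never used. A `2xx` on `/.env` is not proof of exposure either: a catch-all route or a 404 page served with status 200 would flag a healthy install, so the body should be checked for a marker such as `APP_KEY=`. I would build the probe from `url('/.env')`, bound the client with `Http::timeout(5)`, treat a `ConnectionException` as "not exposed" rather than an error, and cache the verdict so the check runs at most once an hour instead of on every click; the `$compromised === "true"` test in the second hunk keeps working unchanged.
```php
<?php //security check, checks if config files got compromised
if(auth()->user()->role == 'admin'){
    // Probe the app's own root via url() rather than raw HTTP_HOST/REQUEST_URI,
    // and cache the verdict so the sidebar does not block every admin page load.
    $compromised = Cache::remember('sidebar_security_check', 3600, function () {
        // file to probe => marker that proves the real file was served (not a 200 error page)
        $probes = [
            url('/.env')                     => 'APP_KEY=',
            url('/database/database.sqlite') => 'SQLite format 3',
        ];
        foreach ($probes as $probeUrl => $marker) {
            try {
                $response = Http::timeout(5)->withoutRedirecting()->get($probeUrl);
            } catch (\Illuminate\Http\Client\ConnectionException $e) {
                continue; // cannot reach ourselves: do not hang the panel, report nothing
            }
            if ($response->successful() && Str::contains($response->body(), $marker)) {
                return "true";
            }
        }
        return "false";
    });
}
// end security check ?>
```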