From cf3c0a64106ea27ac432d8bba4826b5f1b7b881e Mon Sep 17 00:00:00 2001
From: johnnyq <johnny@pittpc.com>
Date: Sat, 1 Jan 2022 17:02:31 -0500
Subject: [PATCH] Fixed a vulnerability in the setup.php file and other code
 cleanups. Thanks to the person that wishes to remain anonymous for reporting
 and providing a patch Also added a notice to readme to not use this web app
 during beta for production use

---
 README.md       |  3 ++
 check_login.php | 10 ++++---
 functions.php   | 10 +++----
 login.php       | 13 ++-------
 post.php        | 13 +++++----
 setup.php       | 76 ++++++++++++++++++++++++++++---------------------
 6 files changed, 68 insertions(+), 57 deletions(-)

diff --git a/README.md b/README.md
index 8950ae37..d7bb9680 100644
--- a/README.md
+++ b/README.md
@@ -6,6 +6,9 @@
 * USERNAME: demo@demo
 * PASSWORD: demo
 
+### Notice
+This project is still in early Beta stages and is considered work in progress we highly do not recommend storing any confiential information like passwords in ITFlow. Many changes are being permformed and may cause breakage upon updates. We are hoping to have a stable 1.0 release by July 2022.
+
 ### Features
 * Client Documentation
   * Contacts - Keep track of important individuals
diff --git a/check_login.php b/check_login.php
index 831fa688..367b2408 100644
--- a/check_login.php
+++ b/check_login.php
@@ -1,11 +1,13 @@
 <?php
+	
+	if(!isset($_SESSION)){
+    session_start();
+	}
+
 	//Check to see if setup is enabled
 	if(!isset($config_enable_setup) or $config_enable_setup == 1){
   	header("Location: setup.php");
-	}
-
-	if(!isset($_SESSION)){
-    session_start();
+  	exit;
 	}
 	
 	if(!$_SESSION['logged']){
diff --git a/functions.php b/functions.php
index 4f0ff9bd..0bac4894 100644
--- a/functions.php
+++ b/functions.php
@@ -281,10 +281,10 @@ function formatPhoneNumber($phoneNumber) {
     return $phoneNumber;
 }
 
-//SESSION FINGERPRINT Removed Breaking Setup.php 2021-12-22
-//$session_ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
-//$session_os = strip_tags(mysqli_real_escape_string($mysqli,get_os()));
-//$session_browser = strip_tags(mysqli_real_escape_string($mysqli,get_web_browser()));
-//$session_device = strip_tags(mysqli_real_escape_string($mysqli,get_device()));
+function mkdir_missing($dir) {
+    if (!is_dir($dir)) {
+        mkdir($dir);
+    }
+}
 
 ?>
\ No newline at end of file
diff --git a/login.php b/login.php
index db682087..8e7ad958 100644
--- a/login.php
+++ b/login.php
@@ -2,14 +2,11 @@
 
 if(!file_exists('config.php')){
   header("Location: setup.php");
+  exit;
 }
 
-?>
-
-<?php include("config.php"); ?>
-<?php include("functions.php"); ?>
-
-<?php 
+include("config.php");
+include("functions.php");
 
 //SESSION FINGERPRINT
 $ip = strip_tags(mysqli_real_escape_string($mysqli,get_ip()));
@@ -19,10 +16,6 @@ $browser = strip_tags(mysqli_real_escape_string($mysqli,get_web_browser()));
 
 $user_agent = "$os - $browser";
 
-?>
-
-<?php
-
 session_start();
 
 if(isset($_POST['login'])){
diff --git a/post.php b/post.php
index 444bfb6b..6cadf4b2 100644
--- a/post.php
+++ b/post.php
@@ -1043,18 +1043,21 @@ if(isset($_POST['add_client'])){
     }
 
     //Add Tags
-    foreach($_POST['tags'] as $tag){
-        intval($tag);
-        mysqli_query($mysqli,"INSERT INTO client_tags SET client_id = $client_id, tag_id = $tag");
+    if(isset($_POST['tags'])){
+        foreach($_POST['tags'] as $tag){
+            intval($tag);
+            mysqli_query($mysqli,"INSERT INTO client_tags SET client_id = $client_id, tag_id = $tag");
+        }
     }
 
     //Logging
     mysqli_query($mysqli,"INSERT INTO logs SET log_type = 'Client', log_action = 'Create', log_description = '$session_name created $name$extended_log_description', log_ip = '$session_ip', log_user_agent = '$session_user_agent', log_created_at = NOW(), log_client_id = $client_id, log_user_id = $session_user_id, company_id = $session_company_id");
 
-    $_SESSION['alert_message'] = "Client created";
+    $_SESSION['alert_message'] = "Client <strong>$name</strong> created";
     
     header("Location: clients.php");
-
+    exit;
+    
 }
 
 if(isset($_POST['edit_client'])){
diff --git a/setup.php b/setup.php
index b5fa63e5..f3e5ee8f 100644
--- a/setup.php
+++ b/setup.php
@@ -1,6 +1,8 @@
 <?php
 
-include("config.php");
+if(file_exists("config.php")){
+  include("config.php");
+}
 include("functions.php");
 
 if(!isset($config_enable_setup)){
@@ -9,6 +11,7 @@ if(!isset($config_enable_setup)){
 
 if($config_enable_setup == 0){
   header("Location: login.php");
+  exit;
 }
 
 $countries_array = array(
@@ -326,35 +329,29 @@ $currencies_array = array(
 
 if(isset($_POST['add_database'])){
 
+  if(file_exists('config.php')){
+    $_SESSION['alert_message'] = "Database already configured. Any further changes should be made by editing the config.php file.";
+    header("Location: setup.php?user");
+    exit;
+  }
+
   $host = $_POST['host'];
   $database = $_POST['database'];
   $username = $_POST['username'];
   $password = $_POST['password'];
   $config_base_url = $_SERVER['HTTP_HOST'] . dirname($_SERVER['REQUEST_URI']);
 
-  $myfile = fopen("config.php", "w");
+  $new_config = array();
+  $new_config[] = "<?php\n\n";
+  $new_config[] = sprintf("\$dbhost = '%s';\n", addslashes($dbhost));
+  $new_config[] = sprintf("\$dbusername = '%s';\n", addslashes($username));
+  $new_config[] = sprintf("\$dbpassword = '%s';\n", addslashes($password));
+  $new_config[] = sprintf("\$database = '%s';\n", addslashes($database));
+  $new_config[] = "\$mysqli = mysqli_connect(\$dbhost, \$dbusername, \$dbpassword, \$database) or die('Database Connection Failed');\n";
+  $new_config[] = "\$config_app_name = 'ITFlow';\n";
+  $new_config[] = sprintf("\$config_base_url = '%s';\n", addslashes($config_base_url));
 
-  $txt = "<?php\n\n";
-
-  fwrite($myfile, $txt);
-
-  $txt = "\$dbhost = \"$host\";\n\$dbusername = \"$username\";\n\$dbpassword = \"$password\";\n\$database = \"$database\";\n\n";
-
-  fwrite($myfile, $txt);
-
-  $txt = "\$mysqli = mysqli_connect(\$dbhost, \$dbusername, \$dbpassword, \$database) or die('Database Connection Failed');\n\n";
-
-  fwrite($myfile, $txt);
-
-  $txt = "\$config_app_name = 'ITFlow';\n";
-
-  fwrite($myfile, $txt);
-
-  $txt = "\$config_base_url = '$config_base_url';\n";
-
-  fwrite($myfile, $txt);
-
-  fclose($myfile);
+  file_put_contents("config.php", $new_config);
 
   include("config.php");
 
@@ -384,10 +381,17 @@ if(isset($_POST['add_database'])){
   $_SESSION['alert_message'] = "Database successfully added";
 
   header("Location: setup.php?user");
+  exit;
 
 }
 
 if(isset($_POST['add_user'])){
+  $user_count = mysqli_num_rows(mysqli_query($mysqli,"SELECT COUNT(*) FROM users;"));
+  if($user_count !== 0) {
+    $_SESSION['alert_message'] = "Users already exist in the database. Clear them to reconfigure here.";
+    header("Location: setup.php?company");
+    exit;
+  }
 
   $name = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['name'])));
   $email = trim(strip_tags(mysqli_real_escape_string($mysqli,$_POST['email'])));
@@ -397,7 +401,7 @@ if(isset($_POST['add_user'])){
 
   $user_id = mysqli_insert_id($mysqli);
 
-  mkdir("uploads/users/$user_id");
+  mkdir_missing("uploads/users/$user_id");
 
   //Check to see if a file is attached
   if($_FILES['file']['tmp_name'] != ''){
@@ -448,6 +452,7 @@ if(isset($_POST['add_user'])){
   $_SESSION['alert_message'] = "User <strong>$name</strong> created!";
 
   header("Location: setup.php?company");
+  exit;
 
 }
 
@@ -475,11 +480,10 @@ if(isset($_POST['add_company_settings'])){
   $config_api_key = keygen();
   $config_aes_key = keygen();
 
-
-  mkdir("uploads/clients/$company_id");
-  mkdir("uploads/expenses/$company_id");
-  mkdir("uploads/settings/$company_id");
-  mkdir("uploads/tmp/$company_id");
+  mkdir_missing("uploads/clients/$company_id");
+  mkdir_missing("uploads/expenses/$company_id");
+  mkdir_missing("uploads/settings/$company_id");
+  mkdir_missing("uploads/tmp/$company_id");
 
   //Check to see if a file is attached
   if($_FILES['file']['tmp_name'] != ''){
@@ -552,13 +556,10 @@ if(isset($_POST['add_company_settings'])){
 
   fwrite($myfile, $txt);
 
-  $txt = "?>\n";
-
-  fwrite($myfile, $txt);
-
   fclose($myfile);
 
   header("Location: login.php");
+  exit;
 
 }
 
@@ -686,6 +687,10 @@ if(isset($_POST['add_company_settings'])){
               <h3 class="card-title"><i class="fa fa-fw fa-database"></i> Connect your Database</h3>
             </div>
             <div class="card-body">
+              <?php if(file_exists('config.php')){ ?>
+                Database already configured. Any further changes should be made by editing the config.php file,
+                or deleting it and refreshing this page.
+              <?php }else{ ?>
               <form method="post" autocomplete="off">
                 
                 <div class="form-group">
@@ -734,6 +739,7 @@ if(isset($_POST['add_company_settings'])){
                 <hr>
                 <button type="submit" name="add_database" class="btn btn-primary">Next <i class="fa fa-fw fa-arrow-circle-right"></i></button>
               </form>
+              <? } ?>
             </div>
           </div>
 
@@ -798,6 +804,9 @@ if(isset($_POST['add_company_settings'])){
               <h3 class="card-title"><i class="fa fa-fw fa-building"></i> Company Details</h3>
             </div>
             <div class="card-body">
+              <?php if(mysqli_num_rows(mysqli_query($mysqli,"SELECT COUNT(*) FROM users;")) !== 0){ ?>
+                Database config invalid, or users already exist in the database.
+              <?php }else{ ?>
               <form method="post" enctype="multipart/form-data" autocomplete="off">
                 
                 <div class="form-group">
@@ -920,6 +929,7 @@ if(isset($_POST['add_company_settings'])){
                 <button type="submit" name="add_company_settings" class="btn btn-primary">Finish and Sign in <i class="fa fa-fw fa-check-circle"></i></button>
                   
               </form>
+              <?php } ?>
             </div>
           </div>