CiviCRM / CRM-14710

CiviCRM impersonating Sessions/Dashboards not working with forced HTTPS

    Details

    • Type: Improvement
    • Status: Done/Fixed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: 4.4.5
    • Fix Version/s: Unscheduled
    • Component/s: Core CiviCRM
    • Labels: None
    • Documentation Required?: None
    • Funding Source: Needs Funding

      Description

      So I was debugging a piece of code, specifically for the Dashboards. I noticed it was running HTTP_Request from PEAR. My site specifically redirects all HTTP traffic to HTTPS and is filtered through an nginx/PHP-FPM system. This causes the dashboards to fail and return 'false'. Since documentation on HTTP_Request is poor, I rewrote it using HTTP_Request2.

      I rewrote it in order to ignore HTTPS certificates (but this could probably be more flexibly configured using the CiviCRM config option that says whether to ignore certificate issues). Calling HTTPS through PEAR's HTTP_Request2 requires PHP to be compiled with OpenSSL (so this should probably be checked by the CiviCRM installer).

      I personally think, however, that there are several issues with the way this is done.

      • This requires additional server resources to call "itself" through an HTTP request, while this could equally be done in another Ajax call.
      • This impersonates a user's entire session (by copying its cookies), and unless the site URL is configured as HTTPS this is done through HTTP. So you're eliminating a potentially secure, encrypted connection and doing it insecurely (especially in server farms, e.g. shared/VPS hosting, this may be an issue), which could be a setup for session takeover if a hacker can intercept the clear-text data.

      I don't have the resources to dedicate myself to rewriting large portions of the code but I think this should definitely be something to be worked on.

      From CRM/Utils/System.php:

        /**
         * Execute external or internal urls and return server response
         *
         * @param string  $url        request url
         * @param boolean $addCookie  should be true to access internal urls
         *
         * @return string $response   response from url
         * @static
         */
        static function getServerResponse($url, $addCookie = TRUE) {
          CRM_Core_Error::ignoreException();
          require_once 'HTTP/Request2.php';
          $request = new HTTP_Request2($url, HTTP_Request2::METHOD_GET);

          // Forward the current user's cookies so internal URLs see the same session.
          if ($addCookie) {
            foreach ($_COOKIE as $name => $value) {
              $request->addCookie($name, $value);
            }
          }

          // Pass HTTP basic auth credentials through when the site is protected by them.
          if (isset($_SERVER['AUTH_TYPE'], $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
            $request->setBasicAuth($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
          }

          $config = CRM_Core_Config::singleton();
          if ($config->userFramework == 'WordPress') {
            session_write_close();
          }

          // Deliberately skips certificate verification (see description above).
          $request->setConfig("ssl_verify_peer", false);
          $request->setConfig("ssl_verify_host", false);
          $return = false;
          try {
            $response = $request->send();
            if ($response->getStatus() == 200) {
              $return = $response->getBody();
            } else {
              error_log("Unexpected HTTP Status " . $response->getStatus());
            }
          } catch (HTTP_Request2_Exception $e) {
            error_log("Error: " . $e->getMessage());
          }
          CRM_Core_Error::setCallback();
          return $return;
        }

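The following is an added example, not the reporter's patch and not CiviCRM core code. It shows one way to address the two concerns raised in the report: certificate verification follows a site setting instead of being hard-coded off, and the caller's cookies (i.e. their session) are only forwarded when the request itself is encrypted. It assumes PEAR HTTP_Request2 is installed and that CRM_Core_Config exposes a boolean verifySSL property (CiviCRM's "Verify SSL Certs" setting); the function name hardenedGetServerResponse is hypothetical, chosen so it does not clash with the core method.

```php
<?php
// Added example (not the reporter's code and not CiviCRM core). Hardened
// variant of getServerResponse():
//   1. TLS certificate checks are controlled by $verifySSL (fed from the
//      site's "Verify SSL Certs" setting) rather than always disabled;
//   2. the user's cookies are forwarded only over https, so a session is
//      never replayed in clear text across the network;
//   3. the OpenSSL extension is checked up front, giving a clear log line
//      instead of a bare "false" when PHP cannot speak TLS.
// Assumed: PEAR HTTP_Request2 is installed; hardenedGetServerResponse is a
// hypothetical name.
require_once 'HTTP/Request2.php';

function hardenedGetServerResponse($url, $addCookie = TRUE, $verifySSL = TRUE) {
  $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));

  // HTTP_Request2 needs the OpenSSL extension for https; fail early and loudly.
  if ($scheme === 'https' && !extension_loaded('openssl')) {
    error_log("getServerResponse: https requested but PHP lacks the OpenSSL extension");
    return FALSE;
  }

  $request = new HTTP_Request2($url, HTTP_Request2::METHOD_GET);

  // Forwarding the cookies impersonates the whole session; only do it when the
  // wire is encrypted, otherwise refuse rather than leak the session.
  if ($addCookie) {
    if ($scheme !== 'https') {
      error_log("getServerResponse: refusing to forward session cookies over '$scheme' to $url");
      return FALSE;
    }
    foreach ($_COOKIE as $name => $value) {
      $request->addCookie($name, $value);
    }
  }

  // Only pass basic-auth credentials when all three server variables exist.
  if (isset($_SERVER['AUTH_TYPE'], $_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW'])) {
    $request->setBasicAuth($_SERVER['PHP_AUTH_USER'], $_SERVER['PHP_AUTH_PW']);
  }

  // Certificate verification stays on unless the site setting turns it off.
  $request->setConfig('ssl_verify_peer', (bool) $verifySSL);
  $request->setConfig('ssl_verify_host', (bool) $verifySSL);

  try {
    $response = $request->send();
    if ($response->getStatus() == 200) {
      return $response->getBody();
    }
    error_log("getServerResponse: unexpected HTTP status " . $response->getStatus() . " from $url");
  }
  catch (HTTP_Request2_Exception $e) {
    error_log("getServerResponse: " . $e->getMessage());
  }
  return FALSE;
}

// Usage inside CiviCRM (the config lookup is the only CiviCRM-specific part;
// verifySSL is assumed to be the site's "Verify SSL Certs" setting):
//   $config = CRM_Core_Config::singleton();
//   $body   = hardenedGetServerResponse($url, TRUE, !empty($config->verifySSL));
```

If verification is enabled and the server's PHP build cannot locate a CA bundle on its own, HTTP_Request2 also accepts an `ssl_cafile` config value pointing at the bundle; that is the supported way to keep `ssl_verify_peer` on rather than switching it off.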

        People

        • Assignee: Unassigned
        • Reporter: guruevi (Evi Vanoost)