login: Fix XSS issue if "Debug Userlogin" is enabled.

The username field was vulnerable against XSS attacks.
However this only affected POST data, so creating a URL with Querystring
for a XSS attack would not work.

Author: alorbach

ChangeLog

@@ -1,4 +1,10 @@
 ---------------------------------------------------------------------------
+Version 4.1.12 (stable), 2021-04-29
+---------------------------------------------------------------------------
+- Secured username field against XSS attacks, thanks for reporting to:
+  Michael Strametz of SySS Cyber Security GmbH (Austria).
+- UserDB: Allow NULL value for defaultfilter fields, updated to v13
+---------------------------------------------------------------------------
 Version 4.1.11 (stable), 2020-07-09
 - ThirdParty: Updated jpgraph to 4.3.1 (2020-04-24)
 - Thanks to Javier Pastor for the following fixes and changes: 

src/include/functions_users.php

@@ -283,7 +283,7 @@ function CheckUserLogin( $username, $password )
 		}
 		*/
 		if ( GetConfigSetting("DebugUserLogin", 0) == 1 )
-			DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . $username . "' <br><br><B>Sessionarray</B> <pre>" . var_export($_SESSION, true) . "</pre>");
+			DieWithFriendlyErrorMsg( "Debug Error: Could not find user '" . htmlspecialchars($username) . "' <br><br><B>Sessionarray</B> <pre>" . var_export($_SESSION, true) . "</pre>");
 
 		// Default return false
 		return false;

src/login.php

@@ -65,38 +65,32 @@
 	$szRedir = "index.php"; // Default
 $szRedir = SecureRedirect($szRedir); 
 
-if ( isset($_POST['op']) && $_POST['op'] == "login" )
-{
+if ( isset($_POST['op']) && $_POST['op'] == "login" ) {
 	// Perform login!
 	if ( $_POST['op'] == "login" )
 	{
 		if ( 
 			 (isset($_POST['uname']) && strlen($_POST['uname']) > 0) 
 				&& 
 			 (isset($_POST['pass']) && strlen($_POST['pass']) > 0)
-			)
-		{
-			// Set Username and password
-			$content['uname'] = DB_RemoveBadChars($_POST['uname']);
-			$content['pass'] = $_POST['pass']; // RAW Copy of password string, otherwise passwords with special characters can be broken. 
+			) {
+			// Copy Username and password for template system
+			$content['uname'] = htmlspecialchars(DB_RemoveBadChars($_POST['uname'])); // URL Decode the username to avoid XSS issues!
+			$content['pass'] = htmlspecialchars($_POST['pass']); // RAW Copy of password string, otherwise passwords with special characters can be broken.
 
-			if ( !CheckUserLogin( $content['uname'], $content['pass']) )
-			{
+			// Use raw properties for database login check
+			if ( !CheckUserLogin( DB_RemoveBadChars($_POST['uname']), $_POST['pass']) ) {
 				$content['ISERROR'] = "true";
 				$content['ERROR_MSG'] = $content['LN_LOGIN_ERRWRONGPASSWORD'];
 			}
 			else
 				RedirectPage( urldecode($szRedir) );
-		}
-		else
-		{
+		} else {
 			$content['ISERROR'] = "true";
 			$content['ERROR_MSG'] = $content['LN_LOGIN_USERPASSMISSING'];
 		}
 	}
-}
-else if ( isset($_GET['op']) && $_GET['op'] == "logoff" )
-{
+} else if ( isset($_GET['op']) && $_GET['op'] == "logoff" ) {
 	// logoff in this case
 	DoLogOff();
 }