Author Topic: No IP in security log when login fails  (Read 2357 times)


Veronica

  • Contributor
  • Coppermine frequent poster
  • ***
  • Country: se
  • Offline Offline
  • Posts: 106
  • Coppermine 1.5.22
No IP in security log when login fails
« on: October 21, 2012, 04:34:53 pm »

Is there any good reason for not logging the user IP address in the security log when a user login fails?

These IP addresses are missing in both login.php line 65 and logout.php line 25.
All other security log entries (total of 10) will have the user IP logged.
Logged

Jeff Bailey

  • Dev Team member
  • Coppermine addict
  • ****
  • Country: us
  • Offline Offline
  • Gender: Male
  • Posts: 1322
  • Fishing relaxes me.
    • Bailey Family Co.
Re: No IP in security log when login fails
« Reply #1 on: October 22, 2012, 09:19:18 pm »

You can add the $raw_ip to the log_write functions to add that capability.

Not sure if that's by design or an oversight.

login.php
Code:
// Write the log entry
log_write("Failed login attempt with Username: " . $superCage->post->getEscaped('username') . " IP: " . $raw_ip, CPG_SECURITY_LOG);

logout.php
Code:
if (!USER_ID) {
    if ($CONFIG['log_mode'] == CPG_LOG_ALL) {
        log_write("Logout attempt failed because visitor is not logged in. IP: " . $raw_ip, CPG_SECURITY_LOG);
    }
    cpg_die(ERROR, $lang_logout_php['err_not_logged_in'], __FILE__, __LINE__);
}

Untested
Logged
Thinking is the hardest work there is, which is probably the reason why so few engage in it. - Henry Ford

Veronica

Re: No IP in security log when login fails
« Reply #2 on: October 22, 2012, 10:09:54 pm »

Yes, of course, but I don't want to have fixes all over cpg when there is a new release available.
Having IP addresses logged when there is a login failure has been standard procedure in cpg 1.4 and was removed in cpg 1.5.
Logged

Jeff Bailey

Re: No IP in security log when login fails
« Reply #3 on: October 22, 2012, 10:15:11 pm »

When Αndré comes by again I'm sure he'll comment as to whether or not this is by design or if it just never was committed in 1.5.x.
Logged

Αndré

  • Administrator
  • Coppermine addict
  • *****
  • Country: de
  • Offline Offline
  • Gender: Male
  • Posts: 15765
Re: No IP in security log when login fails
« Reply #4 on: October 23, 2012, 03:08:13 pm »

I haven't checked the logs nor looked at the cpg1.4.x code yet. So I currently don't know if it was dropped intentionally, but I don't see any reason to omit the IP address for those log entries.
Logged

Αndré

Re: No IP in security log when login fails
« Reply #5 on: October 23, 2012, 03:20:52 pm »

Comparison login.php:

cpg1.4.x
Code:
log_write("Failed login attempt with Username: {$_POST['username']} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);
cpg1.5.x
Code:
log_write("Failed login attempt with Username: " . $superCage->post->getEscaped('username'), CPG_SECURITY_LOG);

There was no log entry in cpg1.4.x's logout procedure.
Logged
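
Both login.php entries compared above put a client-supplied username into the security log, and the cpg1.4.x one also records the client address. As an added example (not Coppermine code and not written by any poster in this thread; the function names are hypothetical), the following PHP builds the failed-login entry with the IP included while keeping line breaks in a submitted username from starting a second, forged entry and rejecting an address that does not parse:

```php
<?php
// Added example, not Coppermine code; all function names are hypothetical.

// Escape a client-supplied value for a one-line log entry. Every byte outside
// printable ASCII, plus the double quote and backslash, becomes \xNN, so CR/LF
// in a submitted username cannot begin a forged second entry.
function log_safe_value($value, $max_len = 64)
{
    $value = (string) $value;
    $truncated = strlen($value) > $max_len;
    $escaped = preg_replace_callback(
        '/[^\x20\x21\x23-\x5B\x5D-\x7E]/',
        function ($m) {
            return sprintf('\\x%02X', ord($m[0]));
        },
        substr($value, 0, $max_len)
    );
    return $truncated ? $escaped . '[truncated]' : $escaped;
}

// Log the address only if it parses as IPv4/IPv6; otherwise log a marker.
function log_safe_ip($remote_addr)
{
    $ip = filter_var($remote_addr, FILTER_VALIDATE_IP);
    return $ip === false ? 'invalid-ip' : $ip;
}

// Follows the wording of the login.php entry in the thread, username quoted.
function build_failed_login_entry($username, $remote_addr)
{
    return 'Failed login attempt with Username: "' . log_safe_value($username)
        . '" IP: ' . log_safe_ip($remote_addr);
}

// Constructed sample input (documentation address ranges, made-up usernames).
$samples = array(
    array('alice', '203.0.113.7'),
    array("bob\r\nFailed login attempt with Username: carol", '198.51.100.23'),
    array('dave', "192.0.2.1\nextra"),
);
foreach ($samples as $sample) {
    // In Coppermine the string would be passed to log_write(..., CPG_SECURITY_LOG).
    echo build_failed_login_entry($sample[0], $sample[1]), PHP_EOL;
}
```

The second sample is written as a single line with `\x0D\x0A` visible inside the quoted username, and the third is logged with `invalid-ip` in place of the address.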