chriskuhar wrote on Wednesday, October 16, 2013:
I am not sure if this is the right way to fix the issue, but this is an issue.
This pertains to a server with more than one site, and a user is logged into one site, by changing the URL, they have access to another site.
In the browser navigator bar, there is the site URL which contains the site url, for example, this goes for any URL.
http://emr.mysite.com/interface/main/main_screen.php?auth=login&site=foo
Now change the URL to another site
http://emr.mysite.com/interface/main/main_screen.php?auth=login&site=bar
notice you are now viewing data from another site.
It would be nice to have this fixed, below is my fix, but maybe someone with a better understanding of the system has a better one?
The idea is to check the site value in the url, check it against the $_SESSION value, if it is different, clean the session out and send user to login page.
macky{ckuhar}2020: git diff globals.php
diff --git a/interface/globals.php b/interface/globals.php
index 9fa70ec…4270f17 100644
— a/interface/globals.php
+++ b/interface/globals.php
@@ -105,6 +105,14 @@ if (empty($_SESSION[‘site_id’]) || !empty($_GET[‘site’])) {
$tmp = $_SERVER[‘HTTP_HOST’];
if (!is_dir($GLOBALS[‘OE_SITES_BASE’] . “/$tmp”)) $tmp = “default”;
}
- if (!empty($_SESSION[‘site_id’]) && !empty($tmp) &&
-
(strcasecmp($_SESSION['site_id'], $tmp) !== 0) &&
-
!empty($_SESSION['userauthorized'])) {
-
session_unset(); // clear session, clean logout
-
header('Location: /interface/login_screen.php');
-
exit;
- }
- if (empty($tmp) || preg_match(’/[^A-Za-z0-9\-.]/’, $tmp))
die(“Site ID '”. htmlspecialchars($tmp,ENT_NOQUOTES) . “’ contains invalid characters.”);
if (!isset($_SESSION[‘site_id’]) || $_SESSION[‘site_id’] != $tmp) {