author | jim-p <jimp@pfsense.org> | 2017-07-14 09:55:18 -0400 |
---|---|---|
committer | jim-p <jimp@pfsense.org> | 2017-07-14 09:55:18 -0400 |
commit | cc9b0f76da4936ac7510eee6cb5e0574d11b5973 (patch) | |
tree | 89a99a85b2e61f17cda4c6a36ff12542475912e7 /src/etc/inc | |
parent | 2c3b9ac554cc3940962e7f9b1799857583c394ab (diff) | |
download | pfsense-cc9b0f76da4936ac7510eee6cb5e0574d11b5973.zip pfsense-cc9b0f76da4936ac7510eee6cb5e0574d11b5973.tar.gz |
If a client address is in the webConfiguratorlockout table, do not allow that client to access the GUI: print an error and kill its states. Ticket #7693
Extra check to be sure that an existing open state cannot bypass lockout controls.
Diffstat (limited to 'src/etc/inc')
-rw-r--r-- | src/etc/inc/auth.inc | 25 |
1 files changed, 25 insertions, 0 deletions
diff --git a/src/etc/inc/auth.inc b/src/etc/inc/auth.inc
index 6e0824b..b573107 100644
--- a/src/etc/inc/auth.inc
+++ b/src/etc/inc/auth.inc
@@ -36,6 +36,31 @@ $security_passed = true;
 /* If this function doesn't exist, we're being called from Captive Portal or another internal subsystem which does not include authgui.inc */
+if (function_exists("display_error_form")) {
+ /* Extra layer of lockout protection. Check if the user is in the GUI
+ * lockout table before processing a request */
+
+ /* Fetch the contents of the lockout table. */
+ exec("/sbin/pfctl -t 'webConfiguratorlockout' -T show", $entries);
+
+ /* If the client is in the lockout table, print an error, kill states, and exit */
+ if (in_array($_SERVER['REMOTE_ADDR'], array_map('trim', $entries))) {
+ if (!security_checks_disabled()) {
+ /* They may never see the error since the connection will be cut off, but try to be nice anyhow. */
+ display_error_form("501", gettext("Access Denied<br/><br/>Access attempt from a temporarily locked out client address.<br /><br />Try accessing the firewall again after the lockout expires."));
+ /* If they are locked out, they shouldn't have a state. Disconnect their connections. */
+ $retval = pfSense_kill_states($_SERVER['REMOTE_ADDR']);
+ if (is_ipaddrv4($_SERVER['REMOTE_ADDR'])) {
+ $retval = pfSense_kill_states("0.0.0.0/0", $_SERVER['REMOTE_ADDR']);
+ } elseif (is_ipaddrv6($_SERVER['REMOTE_ADDR'])) {
+ $retval = pfSense_kill_states("::", $_SERVER['REMOTE_ADDR']);
+ }
+ exit;
+ }
+ $security_passed = false;
+ }
+}
+
 if (function_exists("display_error_form") && !isset($config['system']['webgui']['nodnsrebindcheck'])) {
 /* DNS ReBinding attack prevention. https://redmine.pfsense.org/issues/708 */
 $found_host = false; |
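Review bot: `$entries` is handed to `exec()` without being initialised, and PHP's `exec()` appends to an output array that already has elements, so if any file included before this top-level block happens to define `$entries` the stale values would be compared against `REMOTE_ADDR` as if they were lockout entries; add `$entries = array();` immediately before the `exec(...)` line so the check only ever sees the current `pfctl -T show` output. The comparison is an exact string match after `trim`, which presumably works for the single-address entries the lockout logic writes, but any formatting difference between pfctl's printed form and PHP's `REMOTE_ADDR` (IPv6 compression, zone IDs) would silently fail open — worth a comment such as `/* exact match only: entries are single addresses as printed by pfctl */` above the `in_array`. As a point of style, the three `$retval = pfSense_kill_states(...)` assignments store a value that is never read; calling `pfSense_kill_states(...)` without the assignment makes it clear the result is intentionally ignored. The second `if (function_exists("display_error_form") && ...)` block that follows the inserted code continues outside this hunk.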