From 38b09b9abc0d5366fec6c2a4f6bc3950447ceda4 Mon Sep 17 00:00:00 2001
From: vaultwiki
Date: Fri, 20 May 2016 09:53:38 -0400
Subject: [PATCH 1/2] failed login over HTTP (no SSL)

---
 login/login.php | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/login/login.php b/login/login.php
index 233a921..9682cae 100644
--- a/login/login.php
+++ b/login/login.php
@@ -73,7 +73,8 @@
 // - Ensure Cookies are not available to Javascript
 // - Cookies are sent on https only
 $domain = ($_SERVER['HTTP_HOST'] !== 'localhost') ? $_SERVER['SERVER_NAME'] : false;
-session_set_cookie_params (0, "/", $domain, true, true);
+$is_secure = (isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on");
+session_set_cookie_params (0, "/", $domain, $is_secure, true);
 
 // Create a session
 session_start();
@@ -86,7 +87,7 @@
 // Checking which URL we should redirect the user to
 if (isset($_POST["from"])) {
 $from = urldecode($_POST["from"]);
-$redirectTo = ((isset($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] === "on")? "https://" : "http://").$_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$from;
+$redirectTo = ($is_secure ? "https://" : "http://").$_SERVER["SERVER_NAME"].":".$_SERVER["SERVER_PORT"].$from;
 }
 else {
 $redirectTo = AUTH_SUCCEED_REDIRECT_URL;
@@ -102,4 +103,4 @@
 require_once("loginForm.php");
 }
 }
-?>
\ No newline at end of file
+?>

From ae6b50e8c2d6d97fd51684f222c7ecac4e3f408e Mon Sep 17 00:00:00 2001
From: vaultwiki
Date: Fri, 20 May 2016 11:09:50 -0400
Subject: [PATCH 2/2] close file system vulnerability

It was possible to fill the disk partition by flooding auth.php with requests while the debug mode was on.

---
 nginx/auth.php | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nginx/auth.php b/nginx/auth.php
index 58efc06..03c4e97 100644
--- a/nginx/auth.php
+++ b/nginx/auth.php
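Review bot: The Secure flag on the session cookie is now decided per request from $_SERVER["HTTPS"] on the `$is_secure` line of the first login.php hunk, so a login that arrives over plain HTTP produces a session cookie the browser will keep sending in cleartext for the rest of the session, and a deployment that terminates TLS at a proxy (PHP then sees no HTTPS variable) gets non-Secure cookies even though users connect over HTTPS. PHP documents $_SERVER['HTTPS'] only as "a non-empty value" on HTTPS requests (IIS reports "off" for plain HTTP), so `=== "on"` can also misreport an HTTPS request as insecure; `$is_secure = !empty($_SERVER["HTTPS"]) && $_SERVER["HTTPS"] !== "off";` is the usual form. Since the intent is to support HTTP-only installs, the safer switch is a deployment constant defined next to AUTH_SUCCEED_REDIRECT_URL (name to be chosen) rather than the request scheme, with a comment such as `// Secure flag follows the request scheme; behind a TLS-terminating proxy this yields non-Secure cookies - prefer a deployment setting`. The same $is_secure also selects the redirect scheme in the second hunk.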
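Review bot: On the new $redirectTo line of the second login.php hunk, `$from` is still taken straight from $_POST["from"] after urldecode() and appended to the scheme/host/port prefix with no check that it is a site-relative path, so the computed redirect target cannot be relied on to stay on this host (a value that does not begin with "/" changes how the browser parses the resulting URL). A minimal guard before the concatenation is `if (substr($from, 0, 1) !== "/") { $from = "/"; }`, which also covers the empty string. The prefix additionally uses $_SERVER["SERVER_NAME"], which on some server configurations reflects the client's Host header, so it is worth confirming the web server's canonical-name setting. The if/else is complete within the hunk, but the enclosing script continues outside it.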
@@ -46,7 +46,12 @@
 }
 if ($canLog) {
-$debugHandle = fopen ($debugFileName ,"a");
+$mode = "a";
+if (file_exists($debugFileName) AND filesize($debugFileName) > 104857600)
+{
+$mode = "w";
+}
+$debugHandle = fopen ($debugFileName, $mode);
 foreach ($_SERVER as $key => $value) {
 if (is_array($value)) {