From 2570a4702afa4648a19707f21b88420ba97fafb6 Mon Sep 17 00:00:00 2001
From: Bluzume <39113159+KuromeSan@users.noreply.github.com>
Date: Mon, 9 Aug 2021 19:58:55 +1200
Subject: [PATCH] make ppemu secure

---
 WebInterface/game-site/web/crosserver.php |  2 +-
 WebInterface/game-site/web/ppemu.php      | 20 +++++++++++++++++---
 WebInterface/master-site/crosserver.php   |  2 +-
 WebInterface/master-site/web/news.php     |  4 ++--
 4 files changed, 21 insertions(+), 7 deletions(-)

diff --git a/WebInterface/game-site/web/crosserver.php b/WebInterface/game-site/web/crosserver.php
index f87195f..ccb2593 100644
--- a/WebInterface/game-site/web/crosserver.php
+++ b/WebInterface/game-site/web/crosserver.php
@@ -8,7 +8,7 @@ function GenHmacMessage(string $data, string $channel)
 		echo("<h1>Set \$hmac_secret in config.php!</h1>");
 		exit();
 	}
-	$hmac = hash_hmac('sha256', $data, $hmac_secret.$channel.$_SERVER['REMOTE_ADDR'].date('mdYhi'));
+	$hmac = hash_hmac('sha256', $data, $hmac_secret.$channel.$_SERVER['REMOTE_ADDR'].date('mdy'));
 	return $hmac;
 }
 
diff --git a/WebInterface/game-site/web/ppemu.php b/WebInterface/game-site/web/ppemu.php
index f31b627..d695c63 100644
--- a/WebInterface/game-site/web/ppemu.php
+++ b/WebInterface/game-site/web/ppemu.php
@@ -1,7 +1,7 @@
 <?php
 
 session_start();
-include("config.php");
+include("../config.php");
 include("crosserver.php");
 include("common.php");
 
@@ -14,7 +14,7 @@ if(!is_logged_in()){
 
 $money = getUserMoney($dbname, $_SESSION['PLAYER_ID']);
 
-if(isset($_GET["go"], $_GET["qnt"], $_GET["itm"], $_GET['to'], $_GET["ret"]))
+if(isset($_GET["go"], $_GET["qnt"], $_GET["itm"], $_GET['to'], $_GET["ret"], $_GET['sign']))
 {
 	
 	$targetUser = $_GET['to'];
@@ -28,6 +28,17 @@ if(isset($_GET["go"], $_GET["qnt"], $_GET["itm"], $_GET['to'], $_GET["ret"]))
 
 	if($_GET["go"] == 1)
 	{
+		$msg = $_GET['itm'].$_GET["qnt"].$_GET["to"].$_GET["ret"].$_SESSION['USERNAME'].$_SESSION['PLAYER_ID'];
+		$expectedSignature = GenHmacMessage($msg, "PPEMU");
+		$gotHmacSignature = $_GET['sign'];
+		
+		if(!hash_equals($gotHmacSignature,$expectedSignature)){
+			include("header.php");
+			echo("Invalid Signature. Are you trying to scam people?");
+			include("footer.php");
+			exit();
+		}
+		
 		$itm = $_GET["itm"];		
 		if(strpos($itm, "One Month Horse Isle Membership") === 0){
 			$amount = 5; // NO CHEATING!
@@ -224,7 +235,10 @@ include("header.php");
 		?></td>
   </tr>
 </table>
-<h3><b>NOTE: $1USD = $<?php echo($EXHANGE_RATE)?> HorseIsle Money! (you have $<?php echo($money) ?>)</b></h3><br><b>This purchase is for User: <?php echo(htmlspecialchars($toUser)." (".$toUsername.")"); ?></b></br>Do you want to purchase?</br><br><a href="?go=1&itm=<?php echo(urlencode(htmlspecialchars($_POST['item_name']))); ?>&qnt=<?php echo(urlencode(htmlspecialchars($quantity)));?>&to=<?php echo(urlencode(htmlspecialchars($_POST['custom']))); ?>&ret=<?php echo(urlencode(htmlspecialchars($_POST['return']))); ?>">Yes</a> | <a href="/account.php">No</a> 
+<h3><b>NOTE: $1USD = $<?php echo($EXHANGE_RATE)?> HorseIsle Money! (you have $<?php echo($money) ?>)</b></h3><br><b>This purchase is for User: <?php echo(htmlspecialchars($toUser)." (".$toUsername.")"); ?></b></br>Do you want to purchase?</br><br><a href="?go=1&itm=<?php echo(urlencode(htmlspecialchars($_POST['item_name']))); ?>&qnt=<?php echo(urlencode(htmlspecialchars($quantity)));?>&to=<?php echo(urlencode(htmlspecialchars($_POST['custom']))); ?>&ret=<?php echo(urlencode(htmlspecialchars($_POST['return']))); ?>&sign=<?php 
+	$msg = htmlspecialchars($_POST['item_name']).htmlspecialchars($quantity).htmlspecialchars($_POST['custom']).htmlspecialchars($_POST['return']).$_SESSION['USERNAME'].$_SESSION['PLAYER_ID'];
+	echo(urlencode(GenHmacMessage($msg, "PPEMU"))); 
+?>">Yes</a> | <a href="/account.php">No</a> 
 <?php
 include("footer.php");
 ?>
\ No newline at end of file
diff --git a/WebInterface/master-site/crosserver.php b/WebInterface/master-site/crosserver.php
index f87195f..ccb2593 100644
--- a/WebInterface/master-site/crosserver.php
+++ b/WebInterface/master-site/crosserver.php
@@ -8,7 +8,7 @@ function GenHmacMessage(string $data, string $channel)
 		echo("<h1>Set \$hmac_secret in config.php!</h1>");
 		exit();
 	}
-	$hmac = hash_hmac('sha256', $data, $hmac_secret.$channel.$_SERVER['REMOTE_ADDR'].date('mdYhi'));
+	$hmac = hash_hmac('sha256', $data, $hmac_secret.$channel.$_SERVER['REMOTE_ADDR'].date('mdy'));
 	return $hmac;
 }
 
diff --git a/WebInterface/master-site/web/news.php b/WebInterface/master-site/web/news.php
index 2592f44..50103ea 100755
--- a/WebInterface/master-site/web/news.php
+++ b/WebInterface/master-site/web/news.php
@@ -1,7 +1,7 @@
 <?php
 session_start();
-include("config.php");
-include("common.php");
+include("../config.php");
+include("../common.php");
 include("header.php");
 
 if(isset($_POST['TITLE'], $_POST['CONTENT'])){