Browse Source

v 1.7

master v1.7
Rolf Brugger 10 years ago
parent
commit
ae40163ff6
  1. 8
      doc/index.html
  2. 87
      index.php
  3. 7
      makerelease.sh
  4. 5
      svconfig.php-dist
  5. 3
      tpl-std/incl-entry-body.php

8
doc/index.html

@ -25,7 +25,7 @@
<li>Store passwords and other secret information with a web based tool</li>
<li>High level of security if installed on the local network. Good level of security if installed on a shared host on the internet.</li>
<li>There is no user account management.</li>
<li>There is no user account management (this is considered a feature, not a restriction).</li>
<li>It can be configured
<ul>
<li>if all entires are encoded with a global passphrase, </li>
@ -54,7 +54,7 @@
<a name="install" ></a>
<h2>Installation and Configuration</h2>
<p>Prerequisites are: PHP4 or PHP5 with the mcrypt library.</p>
<p><a href='http://sourceforge.net/project/showfiles.php?group_id=205981'>Download</a> and unpack the SimpleVault package to the directory <tt>&lt;install-dir&gt;</tt>. By default, <tt>&lt;install-dir&gt;/vault/simplevault.txt</tt> is used as the vault file where all encrypted and unencrypted data is stored. This file should be readable and writeable by the web server. A different vault file can be configured in <tt>index.php</tt> in the variables <tt>$vaultfname</tt>.</p>
<p><a href='http://sourceforge.net/project/showfiles.php?group_id=205981'>Download</a> and unpack the SimpleVault package to the directory <tt>&lt;install-dir&gt;</tt>. By default, <tt>/var/lib/simplevault/simplevault.txt</tt> is used as the vault file where all encrypted and unencrypted data is stored. This file should be readable and writeable by the web server. A different vault file can be configured in <tt>svconfig.php</tt> in the variable <tt>$vaultfname</tt>.</p>
<p>That's it. Go to <tt>&lt;your-host&gt;/&lt;install-dir&gt;/index.php</tt> and start creating entries.</p>
<p>In the default installation, the vault file contains 2 categories and 4 entries for demonstration purposes. All entries are encrypted with the passphrase <i>toto</i>. You can delete the entries interactively, or by emptying the vault file.</p>
<p>If you have problems please ask your questions in the <a href='http://sourceforge.net/forum/?group_id=205981'>support forum</a>.</p>
@ -229,8 +229,8 @@ There are probably more risks or leaks. Please report them in the <a href='http:
</ul>
<h3>Credits</h3>
<p>These people have contributed to SimpleVault: Christian R., Reimar H.</p>
<p>Various People have contributed to SimpleVault. Most of them are listed the comments in index.php.</p>
<p><br/><br/><br/>Rolf Brugger, Jan 2010<br/></p>
<p><br/><br/><br/>Rolf Brugger, Dec 2011<br/></p>
</body>
</html>

87
index.php

@ -9,9 +9,10 @@
# Email: mail at rolfb dot ch
#
# Versions - History:
# 1.7 - settings are now in a separate file.
# 1.7 Dec 11 - settings are now in a separate file.
# - search also works with get parameter (needed for saved search feature of firefox)
# - generate passwords based on 3 different character sets
# Many thanks to Gordon K. who contributed the following features
# - support for ", ' and other special characters in fields
# - added .htaccess file in vault folder to deny access from the internet (works in Apache only, not IIS)
# - changed default vault location to /var/lib/simplevault/simplevault.txt
@ -19,6 +20,7 @@
# - added random small delay when passphrase is wrong (anti brute force)
# - added logging to webserver's error log when too many incorrect passphrases are entered
# - added warning when connecting using regular HTTP (unencrypted connection)
# - various additional error and consistency checks
#
# 1.6 Jun 11: - Bulk decrypt entries shows a list of not decrypted entries too.
# - Set cursor to password form field.
@ -43,6 +45,7 @@
# - When an entry is saved, it is checked if the passphrase was used for other entries too.
# - New tools area.
# - New functions: bulk decrypt, bulk change passphrase.
# Many thanks to the contributors Christian R. and Reimar H.
#
# 1.3 Jan 08: - More secure handling of special characters in title tags
#
@ -121,16 +124,16 @@ $template = $defaulttemplate;
// Load the vault file. Ensure it is writable and readable.
if( file_exists($vaultfname) && is_readable($vaultfname) && is_writable($vaultfname) ) {
$vltcontents = file_get_contents("$vaultfname");
if( $vltcontents !== FALSE ) {
$vlt = explode("\n", $vltcontents);
unset($vltcontents);
} else {
die( "Error reading vault file $vaultfname." );
}
$vltcontents = file_get_contents("$vaultfname");
if( $vltcontents !== FALSE ) {
$vlt = explode("\n", $vltcontents);
unset($vltcontents);
} else {
die( "Error reading vault file $vaultfname." );
}
} else {
echo "<p>Unable to load vault file $vaultfname. Ensure that:</p><ul><li>The folder <b>" . dirname($vaultfname) . "</b> exists and that the webserver has permission to read/write to it</li><li>The file <b>$vaultfname</b> exists and the webserver has permission to write to it.</li><li>If you want to start with an empty vault, simply create a zero-length file called <b>$vaultfname</b></li></ul>";
die();
echo "<p>Unable to load vault file $vaultfname. Ensure that:</p><ul><li>The folder <b>" . dirname($vaultfname) . "</b> exists and that the webserver has permission to read/write to it</li><li>The file <b>$vaultfname</b> exists and the webserver has permission to write to it.</li><li>If you want to start with an empty vault, simply create a zero-length file called <b>$vaultfname</b></li></ul>";
die();
}
if(count($vlt)==1 and strlen($vlt[0])==0){$vlt=array();} // fix php-explode bug of an empty file
@ -331,13 +334,12 @@ if(isset($_POST['bulkimportentries'])){
$errormsg[] = $errmsg;
}
// Warning if SSL is not detected
if( strtolower($_SERVER['HTTPS']) == "off" || empty($_SERVER['HTTPS']) ) {
if( $suppresshttpswarning == "0" ) {
$errormsg[] = "Warning: This connection is not encrypted! This is a significant security vulnerability. You should enable HTTPS on you webserver or add SSL encryption to your web hosting package.";
$errormsg[] = "To suppress this warning, change the \$suppresshttpswarning variable in svconfig.php to \"1\"";
}
if( strtolower($_SERVER['HTTPS']) == "off" || !isset($_SERVER['HTTPS']) || empty($_SERVER['HTTPS']) ) {
if( $suppresshttpswarning == "0" ) {
$errormsg[] = "Warning: This connection is not encrypted! This is a significant security vulnerability. You should enable HTTPS on your webserver or add SSL encryption to your web hosting package.";
$errormsg[] = "To suppress this warning, change the \$suppresshttpswarning variable in svconfig.php to \"1\"";
}
}
@ -370,7 +372,7 @@ if(isset($decrmode)) {
$decfields = svdecrypt($pf, $recfields[$nbfields-1]);
if ($decfields[0] == $preamble){
// decryption suceeded
$_SESSION["failcount"] = 0;
$_SESSION["failcount"] = 0;
$encfields = $decfields;
if ($decrmode == "decrypt"){
// passphrase is ok, show decrypted entry
@ -397,21 +399,21 @@ if(isset($decrmode)) {
// decryption failed
$pwdmsg = "Wrong passphrase!";
// short delay to prevent brute force attacks
sleep($wrongpfdelay);
// short delay to prevent brute force attacks
sleep($wrongpfdelay);
// keep track of the # of failed logins on this session
if( ! isset($_SESSION["failcount"]) ) {
$_SESSION["failcount"] = 0;
}
$_SESSION["failcount"]++;
// keep track of the # of failed logins on this session
if( ! isset($_SESSION["failcount"]) ) {
$_SESSION["failcount"] = 0;
}
$_SESSION["failcount"]++;
// report suspiciously high failure count
if( ($_SESSION["failcount"] > $wrongpfalertthreshold) && ($wrongpfalertthreshold > 0) ) {
reportVisitor("Too many failed decryption attempts (more than $wrongpfalertthreshold) for SimpleVault entry: [$cat: $t1 - $t2]");
$_SESSION["failcount"] = 0;
$pwdmsg .= " You have entered an incorrect passphrase too many times. This incident will be reported.";
}
// report suspiciously high failure count
if( ($_SESSION["failcount"] > $wrongpfalertthreshold) && ($wrongpfalertthreshold > 0) ) {
reportVisitor("Too many failed decryption attempts (more than $wrongpfalertthreshold) for SimpleVault entry: [$cat: $t1 - $t2]");
$_SESSION["failcount"] = 0;
$pwdmsg .= " You have entered an incorrect passphrase too many times. This incident will be reported.";
}
include "$template/decryptform.php";
@ -488,8 +490,11 @@ else{
include "$template/main.php";
}
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
// ----------------------------------------------------------------------------------------
// *** Library, Functions
// ----------------------------------------------------------------------------------------
function svencrypt($pf, $p0, $p1, $p2, $p3, $p8, $p9, $note)
// concatenates p0..note and encrypts it with $pf
@ -617,14 +622,12 @@ function entry_index($vlt, $cat, $tit1, $tit2)
}
}
/* -------------------------------------------------------------------------- */
/* *** Forms *** */
/* -------------------------------------------------------------------------- */
// ----------------------------------------------------------------------------------------
// *** Forms
// ----------------------------------------------------------------------------------------
/* -------------------------------------------------------------------------- */
/* -------------------------------------------------------------------------- */
function show_entry_title($cat, $t1, $t2)
{
@ -713,11 +716,11 @@ function escape_for_db_enc($string)
// Report suspicious activity
function reportVisitor($reason)
{
$body = "SimpleVault detected unusual user activity. $reason. User information: ";
$body .= "IP: " . $_SERVER['REMOTE_ADDR'] . ", ";
$body .= "Referrer: " . $_SERVER['HTTP_REFERER'] . ", ";
$body .= "UserAgent: " . $_SERVER['HTTP_USER_AGENT'];
error_log($body);
$body = "SimpleVault detected unusual user activity. $reason. User information: ";
$body .= "IP: " . $_SERVER['REMOTE_ADDR'] . ", ";
$body .= "Referrer: " . $_SERVER['HTTP_REFERER'] . ", ";
$body .= "UserAgent: " . $_SERVER['HTTP_USER_AGENT'];
error_log($body);
}
function selfURL(){

7
makerelease.sh

@ -7,15 +7,16 @@ then
mkdir simplevault-$1/img
mkdir simplevault-$1/vault
mkdir simplevault-$1/doc
cp README index.php sv.js simplevault-$1
cp README index.php sv.js svconfig.php-dist simplevault-$1
cp img/*.png simplevault-$1/img
cp img/*.ico simplevault-$1/img
cp doc/*.png doc/*.html doc/*.css simplevault-$1/doc
cp -r tpl-* simplevault-$1
cp vault/simplevault.txt-demo simplevault-$1/vault/simplevault.txt
cp -r tpl-* simplevault-$1
find simplevault-$1 -name ".*" -exec rm -rfv {} \;
cp vault/.htaccess simplevault-$1/vault/
tar -cvzf simplevault-$1.tgz simplevault-$1
rm -rf simplevault-$1
#rm -rf simplevault-$1
else
echo "you have to pass one parameter: the version number like 1.0"
fi

5
svconfig.php-dist

@ -41,13 +41,14 @@ $forcesamepf = 'c';
//
// If you are using shared hosting, ensure that the subdirectory you store the vault in is
// private or password protected using your web host's control panel.
$vaultfname = "/var/lib/simplevault/simplevault.txt";
$vaultfname = "/var/lib/simplevault/simplevault.txt"; // good location for a not web readable vault file
//$vaultfname = "vault/simplevault.txt"; // possible location for a web readable vault file (this is less secure)
// Suppress warnings about unsecure non-SSL HTTP connections. Normally SimpleVault will
// put a warning up if the connection is not encrypted. You can silence this warning by
// setting this field to "1"
$suppresshttpswarning = "0"
$suppresshttpswarning = "0";
?>

3
tpl-std/incl-entry-body.php

@ -3,7 +3,8 @@
<tr><td>Login:</td><td> <?php echo escape_for_html($decfields[1]) ?></td></tr>
<tr><td>Password:</td><td> <?php echo escape_for_html($decfields[3]) ?></td></tr>
<?php if(strlen($decfields[8]) > 0){ ?>
<tr><td><?php echo escale_for_html($decfields[8]) ?>:</td><td><?php echo escape_for_html($decfields[9]) ?></td></tr>
<tr><td><?php echo escape_for_html($decfields[8]) ?>:</td><td><?php echo escape_for_html($decfields[9]) ?></td></tr>
<?php } ?>
<tr><td>Note:</td><td><pre><?php echo escape_for_html($decfields[$nbencfields]) ?></pre></td></tr>
</table>
Loading…
Cancel
Save