From 5eab39720040df4b7e78bbe1bcd076b9067bb90c Mon Sep 17 00:00:00 2001 From: Daniel Winzen Date: Mon, 7 Jan 2019 22:24:21 +0100 Subject: [PATCH] Randomise DB (user)names to reduce attack surface + allow multiple DBs per user --- var/www/common.php | 38 ++++++++++++++++++++++++++++++++++++++ var/www/html/home.php | 20 ++++++++++++++------ var/www/html/register.php | 12 +++--------- 3 files changed, 55 insertions(+), 15 deletions(-) diff --git a/var/www/common.php b/var/www/common.php index 9f1ae36..7ff451a 100644 --- a/var/www/common.php +++ b/var/www/common.php @@ -101,6 +101,7 @@ server { } } '; +const MAX_NUM_USER_DBS = 5; //maximum number of databases a user may have function get_onion_v2($pkey) : string { $keyData = openssl_pkey_get_details($pkey); 
@@ -468,3 +469,40 @@ php_admin_value[session.save_path] = /tmp
 exec("service php$version-fpm@$key restart");
 }
 }
+
+function add_mysql_user(PDO $db, string $password) : string {
+ $mysql_user = '';
+ $stmt = $db->prepare('SELECT null FROM users WHERE mysql_user = ?;');
+ do {
+ $mysql_user = substr(preg_replace('/[^a-z0-9]/i', '', base64_encode(random_bytes(32))), 0, 32);
+ $stmt->execute([$mysql_user]);
+ } while($stmt->fetch());
+ $create_user = $db->prepare("CREATE USER ?@'%' IDENTIFIED BY ?;");
+ $create_user->execute([$mysql_user, $password]);
+ return $mysql_user;
+}
+
+function add_user_db(PDO $db, int $user_id) : ?string {
+ $mysql_db = '';
+ $stmt = $db->prepare('SELECT COUNT(*) FROM mysql_databases WHERE user_id = ?;');
+ $stmt->execute([$user_id]);
+ $count = $stmt->fetch(PDO::FETCH_NUM);
+ if($count[0]>=MAX_NUM_USER_DBS) {
+ return null;
+ }
+ $stmt = $db->prepare('SELECT null FROM mysql_databases WHERE mysql_database = ?;');
+ do {
+ $mysql_db = substr(preg_replace('/[^a-z0-9]/i', '', base64_encode(random_bytes(32))), 0, 32);
+ $stmt->execute([$mysql_db]);
+ } while($stmt->fetch());
+ $stmt = $db->prepare('INSERT INTO mysql_databases (user_id, mysql_database) VALUES (?, ?);');
+ $stmt->execute([$user_id, $mysql_db]);
+ $db->exec("CREATE DATABASE IF NOT EXISTS `" . $mysql_db . "`;");
+ $stmt = $db->prepare('SELECT mysql_user FROM users WHERE id = ?;');
+ $stmt->execute([$user_id]);
+ $user = $stmt->fetch(PDO::FETCH_ASSOC);
+ $stmt=$db->prepare("GRANT ALL PRIVILEGES ON `" . $mysql_db . "`.* TO ?@'%';");
+ $stmt->execute([$user['mysql_user']]);
+ $db->exec('FLUSH PRIVILEGES;');
+ return $mysql_db;
+}
diff --git a/var/www/html/home.php b/var/www/html/home.php
index dcb38c1..c5cc3c3 100644
--- a/var/www/html/home.php
+++ b/var/www/html/home.php
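Review bot: The per-user cap in add_user_db is enforced by a plain `SELECT COUNT(*)` followed by an unconditional INSERT, so two concurrent `add_db` requests from the same account can both pass the check and leave the user with more than MAX_NUM_USER_DBS databases; nothing in the hunk serialises the two steps. Ordering is a second weakness: the mysql_databases row is written before `CREATE DATABASE` and `GRANT` run, so if either throws (home.php's surrounding `try{` suggests PDO exceptions are enabled, but that is outside this hunk) the account is left with a listed database that does not exist yet still counts against the limit, and `$user` can be `false` when the users row is missing, which would pass `null` into the GRANT. On an InnoDB-backed users table the race can be closed by locking the caller's row for the check-and-insert and committing before the DDL (which MySQL would implicitly commit anyway); cleaning up the row when the DDL fails is a separate follow-up. The random names themselves look sound — 32 characters of `random_bytes()` output restricted to `[a-z0-9]` — and the uniqueness loops share the same SELECT-then-INSERT shape, which is only a theoretical concern at that entropy.
```php
function add_user_db(PDO $db, int $user_id) : ?string {
	$mysql_db = '';
	// Lock this user's row so concurrent add_db requests cannot both pass the
	// limit check below (assumes the users table is InnoDB — confirm).
	$db->beginTransaction();
	$stmt = $db->prepare('SELECT id FROM users WHERE id = ? FOR UPDATE;');
	$stmt->execute([$user_id]);
	$stmt = $db->prepare('SELECT COUNT(*) FROM mysql_databases WHERE user_id = ?;');
	$stmt->execute([$user_id]);
	$count = $stmt->fetch(PDO::FETCH_NUM);
	if($count[0]>=MAX_NUM_USER_DBS) {
		$db->rollBack();
		return null;
	}
	// … unchanged: random name loop and INSERT INTO mysql_databases …
	$db->commit(); // must precede the DDL below; CREATE DATABASE would implicitly commit
	// … unchanged: CREATE DATABASE, mysql_user lookup, GRANT, FLUSH PRIVILEGES …
```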
@@ -7,11 +7,14 @@ try{
 }
 session_start();
 $user=check_login();
+if(isset($_REQUEST['action']) && $_REQUEST['action']==='add_db'){
+ add_user_db($db, $user['id']);
+}
 if(isset($_REQUEST['action']) && isset($_REQUEST['onion']) && $_REQUEST['action']==='edit'){
-$stmt=$db->prepare('SELECT onions.version FROM onions INNER JOIN users ON (users.id=onions.user_id) WHERE onions.onion=? AND users.id=? AND onions.enabled IN (0, 1);');
+$stmt=$db->prepare('SELECT onions.version FROM onions INNER JOIN users ON (users.id=onions.user_id) WHERE onions.onion = ? AND users.id = ? AND onions.enabled IN (0, 1);');
 $stmt->execute([$_REQUEST['onion'], $user['id']]);
 if($onion=$stmt->fetch(PDO::FETCH_NUM)){
-$stmt=$db->prepare('UPDATE onions SET enabled = ?, enable_smtp = ?, num_intros = ?, max_streams = ? WHERE onion=?;');
+$stmt=$db->prepare('UPDATE onions SET enabled = ?, enable_smtp = ?, num_intros = ?, max_streams = ? WHERE onion = ?;');
 $enabled = isset($_REQUEST['enabled']) ? 1 : 0;
 $enable_smtp = isset($_REQUEST['enable_smtp']) ? 1 : 0;
 $num_intros = intval($_REQUEST['num_intros']);
@@ -29,7 +32,7 @@ if(isset($_REQUEST['action']) && isset($_REQUEST['onion']) && $_REQUEST['action'
 $max_streams = 65535;
 }
 $stmt->execute([$enabled, $enable_smtp, $num_intros, $max_streams, $_REQUEST['onion']]);
-$stmt=$db->prepare('UPDATE service_instances SET reload = 1 WHERE id=?');
+$stmt=$db->prepare('UPDATE service_instances SET reload = 1 WHERE id = ?');
 $stmt->execute([substr($_REQUEST['onion'], 0, 1)]);
 }
 }
@@ -46,7 +49,7 @@ echo "
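Review bot: The new `add_db` branch provisions a database on any request carrying `action=add_db`, including a plain GET, because it reads `$_REQUEST` and checks neither the request method nor an anti-CSRF token; a logged-in user who follows a crafted link would silently consume one of their MAX_NUM_USER_DBS slots. check_login() is not visible here, so if it already validates a token this is moot, but the pre-existing `edit` action follows the same `$_REQUEST` pattern, which suggests no such check exists. Restricting the action to POST is a one-line change, `if($_SERVER['REQUEST_METHOD']==='POST' && isset($_POST['action']) && $_POST['action']==='add_db'){`, with a session-bound token check added alongside if the project has one. The nullable return of add_user_db() is also discarded, so a user already at the cap gets no feedback; at minimum capture it, e.g. `$new_db = add_user_db($db, $user['id']);`, and surface a message later in the page.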

Enter system account password to check your $user[system_account]@" . A echo '

Domains

'; echo ''; echo ''; -$stmt=$db->prepare('SELECT onion, private_key, enabled, enable_smtp, num_intros, max_streams FROM onions WHERE user_id=?;'); +$stmt=$db->prepare('SELECT onion, private_key, enabled, enable_smtp, num_intros, max_streams FROM onions WHERE user_id = ?;'); $stmt->execute([$user['id']]); while($onion=$stmt->fetch(PDO::FETCH_ASSOC)){ echo "'; } - echo ''; + echo ''; } echo '
OnionPrivate keyEnabledSMTP enabledNr. of introsMax streams per rend circuitSave
$onion[onion].onion"; @@ -68,18 +71,23 @@ while($onion=$stmt->fetch(PDO::FETCH_ASSOC)){ }else{ echo 'Unavailable
'; echo '

MySQL Database

'; echo ''; echo ''; -$stmt=$db->prepare('SELECT mysql_database FROM mysql_databases WHERE user_id=?;'); +$stmt=$db->prepare('SELECT mysql_database FROM mysql_databases WHERE user_id = ?;'); $stmt->execute([$user['id']]); +$count_dbs = 0; while($mysql=$stmt->fetch(PDO::FETCH_ASSOC)){ + ++$count_dbs; echo ""; } echo '
DatabaseHostUser
$mysql[mysql_database]localhost$user[mysql_user]
'; +if($count_dbs

'; +} echo '

Change MySQL password

'; echo '

You can use PHPMyAdmin and Adminer for web based database administration.

'; echo '

System Account

';
diff --git a/var/www/html/register.php b/var/www/html/register.php
index 76f29e5..e6050b3 100644
--- a/var/www/html/register.php
+++ b/var/www/html/register.php
@@ -105,19 +105,13 @@ if($_SERVER['REQUEST_METHOD']==='POST'){
 echo '

To prevent abuse a site can only be registered every 60 seconds, but one has already been registered within the last 60 seconds. Please try again.

';
 $ok=false;
 }elseif($ok){
+ $mysql_user = add_mysql_user($db, $_POST['pass']);
 $stmt=$db->prepare('INSERT INTO users (username, system_account, password, dateadded, public, php, autoindex, mysql_user) VALUES (?, ?, ?, ?, ?, ?, ?, ?);');
- $stmt->execute([$_POST['username'], substr("$onion.onion", 0, 32), $hash, time(), $public_list, $php, $autoindex, substr("$onion.onion", 0, 32)]);
+ $stmt->execute([$_POST['username'], substr("$onion.onion", 0, 32), $hash, time(), $public_list, $php, $autoindex, $mysql_user]);
 $user_id = $db->lastInsertId();
- $stmt=$db->prepare('INSERT INTO mysql_databases (user_id, mysql_database) VALUES (?, ?);');
- $stmt->execute([$user_id, substr($onion, 0, 32)]);
 $stmt=$db->prepare('INSERT INTO onions (user_id, onion, private_key, version) VALUES (?, ?, ?, ?);');
 $stmt->execute([$user_id, $onion, $priv_key, $onion_version]);
- $create_user=$db->prepare("CREATE USER ?@'%' IDENTIFIED BY ?;");
- $create_user->execute([substr("$onion.onion", 0, 32), $_POST['pass']]);
- $db->exec("CREATE DATABASE IF NOT EXISTS `" . substr($onion, 0, 32) . "`;");
- $stmt=$db->prepare("GRANT ALL PRIVILEGES ON `" . substr($onion, 0, 32) . "`.* TO ?@'%';");
- $stmt->execute([substr("$onion.onion", 0, 32)]);
- $db->exec('FLUSH PRIVILEGES;');
+ add_user_db($db, $user_id);
 $stmt=$db->prepare('INSERT INTO new_account (user_id, password) VALUES (?, ?);');
 $stmt->execute([$user_id, get_system_hash($_POST['pass'])]);
 if(EMAIL_TO!==''){
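Review bot: add_mysql_user() now runs before the `INSERT INTO users`, so if that insert throws (for example a duplicate username that slipped past the earlier `$ok` checks, which are outside this hunk) the request dies with a fully provisioned MySQL account — host `'%'`, password `$_POST['pass']` — that no users row references and nothing will ever clean up; the removed code only created the account after the rows existed. Either restore that ordering by inserting the users row first with a placeholder in mysql_user (if the column allows it) and updating it once add_mysql_user() returns, or wrap the insert in a try/catch that issues `DROP USER ?@'%'` for `$mysql_user` and rethrows. The nullable return of add_user_db() is ignored here, which is acceptable for a brand-new account but deserves a comment such as `// fresh account: cannot be at MAX_NUM_USER_DBS yet`. The enclosing `if($_SERVER['REQUEST_METHOD']==='POST'){` block continues past the end of this hunk.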