Fix: Fix security holes

htdocs/lib/functions.lib.php

@@ -67,6 +67,7 @@ function GETPOST($paramname,$check='',$method=0)
 /**
  *  Return a prefix to use for this Dolibarr instance for session or cookie names.
  *  This prefix is unique for instance and avoid conflict between multi-instances Dolibarrs.
+ *  TODO This function is not called by main.inc.php because function is not included yet
  *  @return         string      A calculated prefix
  */
 function dol_getprefix()
@@ -80,7 +81,7 @@ function dol_getprefix()
         // Warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
         // FIXME The fix is to use only "root url" like the one defined into $dolibarr_main_url_root
     }
-    return $realpath;
+    return md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
 }
 
 /**

htdocs/main.inc.php

@@ -125,8 +125,8 @@ $realpath='';
 if (preg_match('/^([^.]+)\/htdocs\//i', realpath($_SERVER["SCRIPT_FILENAME"]), $regs)) $realpath = isset($regs[1])?$regs[1]:'';
 if (defined('DOL_DOCUMENT_ROOT_ALT') && DOL_DOCUMENT_ROOT_ALT) $realpath=''; // warning, using alt feature is a security hole because path is not in session name, so being authenticated into an instance allow access on another
 $prefix=$realpath;
-$sessionname='DOLSESSID_'.$prefix;
-$sessiontimeout='DOLSESSTIMEOUT_'.$prefix;
+$sessionname='DOLSESSID_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
+$sessiontimeout='DOLSESSTIMEOUT_'.md5($_SERVER["SERVER_NAME"].$_SERVER["DOCUMENT_ROOT"].$realpath);
 if (! empty($_COOKIE[$sessiontimeout])) ini_set('session.gc_maxlifetime',$_COOKIE[$sessiontimeout]);
 session_name($sessionname);
 session_start();