From 9f2275ba8099ba8c9d9b5b45231c9844d6dedaf2 Mon Sep 17 00:00:00 2001
From: Janusz Dobrowolski
Date: Wed, 25 May 2011 10:16:40 +0200
Subject: [PATCH] Added CSRF attack prevention on password change.

---
 admin/change_current_user_password.php | 2 +-
 includes/ui/ui_controls.inc | 20 ++++++++++++++++++--
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/admin/change_current_user_password.php b/admin/change_current_user_password.php
index 247517a2..4ed37fb0 100644
--- a/admin/change_current_user_password.php
+++ b/admin/change_current_user_password.php
@@ -47,7 +47,7 @@ function can_process()
 return true;
 }
 
-if (isset($_POST['UPDATE_ITEM']))
+if (isset($_POST['UPDATE_ITEM']) && check_csrf_token())
 {
 
 if (can_process())
diff --git a/includes/ui/ui_controls.inc b/includes/ui/ui_controls.inc
index 6d0ccf99..8687b336 100644
--- a/includes/ui/ui_controls.inc
+++ b/includes/ui/ui_controls.inc
@@ -53,11 +53,27 @@ function start_form($multi=false, $dummy=false, $action="", $name="")
 
 function end_form($breaks=0)
 {
+ global $Ajax;
+
+ $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
 if ($breaks)
 br($breaks);
- echo "\n";
- echo "\n";
+ hidden('_focus');
+ hidden('_modified', get_post('_modified', 0));
+ hidden('_token', $_SESSION['csrf_token']);
 echo "\n";
+ $Ajax->activate('token');
+}
+
+function check_csrf_token()
+{
+ if ($_SESSION['csrf_token'] != @$_POST['_token'])
+ {
+ display_error(_("Request from outside of this page is forbidden."));
+ error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')');
+ return false;
+ }
+ return true;
 }
 
 function start_table($class=false, $extra="", $padding='2', $spacing='0')
-- 
2.30.2
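Review bot: The token check is wired into this one submit handler only, while every form rendered through `end_form()` in `includes/ui/ui_controls.inc` now emits a `_token` field that no other handler verifies, so the guard would be more robust placed once where POST requests are dispatched, or at least documented as mandatory for every state-changing `$_POST` handler, rather than added form by form. The guard also relies on `check_csrf_token()` being loaded before this line, which the hunk does not show. The `if` block guarded here continues outside the hunk.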
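Review bot: `check_csrf_token()` fails open when the session carries no token: with `@$_POST['_token']` and loose `!=`, a missing `$_SESSION['csrf_token']` (a session created before this change, or a handler reached without a prior `end_form()` render) compares `null != null` and passes, so the guard should require both values and compare them strictly, as in the rewrite below (`hash_equals()` is PHP >= 5.6; on older runtimes use `!==` on strings). Rotating the token on every `end_form()` call also invalidates any other form or browser tab the user still has open, so generating it once per session, `if (!isset($_SESSION['csrf_token'])) $_SESSION['csrf_token'] = bin2hex(random_bytes(32));`, is less fragile and also replaces the predictable `mt_rand()`/`uniqid()` seed with a CSPRNG (`random_bytes()` is PHP >= 7; `openssl_random_pseudo_bytes()` before that). In the log line, `HTTP_HOST` names this server rather than the client and `HTTP_REFERER` is client-supplied, so `REMOTE_ADDR` and `REQUEST_URI` are the more useful fields, and a log message should not be passed through `_()`. What `$Ajax->activate('token')` refreshes is not visible here; presumably `hidden('_token', …)` renders an element with that id, which is worth confirming in a comment.
```php
function check_csrf_token()
{
	// Fail closed: both values must exist, and the comparison must be strict
	// (hash_equals() additionally makes it constant-time).
	if (!isset($_SESSION['csrf_token'], $_POST['_token'])
		|| !hash_equals($_SESSION['csrf_token'], (string)$_POST['_token']))
	{
		display_error(_("Request from outside of this page is forbidden."));
		error_log("CSRF token mismatch from ".@$_SERVER['REMOTE_ADDR']." on ".@$_SERVER['REQUEST_URI']);
		return false;
	}
	return true;
}
```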