Added CSRF attack prevention on password change.
authorJanusz Dobrowolski <janusz@frontaccouting.eu>
Wed, 25 May 2011 08:16:40 +0000 (10:16 +0200)
committerJanusz Dobrowolski <janusz@frontaccouting.eu>
Wed, 25 May 2011 08:16:40 +0000 (10:16 +0200)
admin/change_current_user_password.php
includes/ui/ui_controls.inc

index 247517a24b86dbf0ff327f10d91238a3fa7d846d..4ed37fb012d1f55c2a13e4e1225179a2263a014b 100644 (file)
@@ -47,7 +47,7 @@ function can_process()
        return true;
 }
 
-if (isset($_POST['UPDATE_ITEM']))
+if (isset($_POST['UPDATE_ITEM']) && check_csrf_token())
 {
 
        if (can_process())
index 6d0ccf99b3ab0018a9a358bf7a336475e6873de7..8687b336bc7e5bdc327ba9f6ccac01ac3fe0d70a 100644 (file)
@@ -53,11 +53,27 @@ function start_form($multi=false, $dummy=false, $action="", $name="")
 
 function end_form($breaks=0)
 {
+       global $Ajax;
+
+       $_SESSION['csrf_token'] = hash('sha256', uniqid(mt_rand(), true));
        if ($breaks)
                br($breaks);
-       echo "<input type=\"hidden\" name=\"_focus\" value=\"".get_post('_focus')."\">\n";
-       echo "<input type=\"hidden\" name=\"_modified\" value=\"".get_post('_modified', 0)."\">\n";
+       hidden('_focus');
+       hidden('_modified', get_post('_modified', 0));
+       hidden('_token', $_SESSION['csrf_token']);
        echo "</form>\n";
+       $Ajax->activate('token');
+}
+
+function check_csrf_token()
+{
+       if ($_SESSION['csrf_token'] != @$_POST['_token'])
+       {
+               display_error(_("Request from outside of this page is forbidden."));
+               error_log(_("CSRF attack detected from: ").@$_SERVER['HTTP_HOST'].' ('.@$_SERVER['HTTP_REFERER'].')');
+               return false;
+       }
+       return true;
 }
 
 function start_table($class=false, $extra="", $padding='2', $spacing='0')
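Review bot: check_csrf_token() passes when no token has been stored yet: with `$_SESSION['csrf_token']` unset and `_token` absent from the POST, `null != null` is false and the function returns true, so a request that omits the field entirely is accepted; the comparison should require a non-empty stored token and a string submitted value, and compare strictly (`!==`, or `hash_equals()` on PHP 5.6+ for a constant-time check) rather than with `!=`. The token is generated from `uniqid(mt_rand(), true)`, which is not a cryptographic source; `openssl_random_pseudo_bytes()` (or `random_bytes()` where available) is the appropriate input to the hash. Because end_form() overwrites `$_SESSION['csrf_token']` on every form it closes, a page with several forms, or a second tab, appears to leave only the last rendered token valid — worth confirming, and if so the token should be generated once per session and only reused in end_form(). The log line writes the attacker-controlled `HTTP_REFERER` verbatim and `HTTP_HOST` is the site's own host, so the entry would be more useful with `REMOTE_ADDR` and a sanitised referer. Both the `@` suppressions and the `_()` wrapping of the error_log message (log text need not be translated) are minor style points.
```php
function check_csrf_token()
{
	$expected = isset($_SESSION['csrf_token']) ? $_SESSION['csrf_token'] : '';
	$given = isset($_POST['_token']) ? $_POST['_token'] : '';
	// Reject when no token was ever issued, when the submitted value is not a
	// plain string, or when the two differ (strict comparison, no type juggling).
	if ($expected === '' || !is_string($given) || $expected !== $given)
	{
		// … unchanged: display_error / error_log …
		return false;
	}
	return true;
}
```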