Jonathan Druart
11bf7e7bef
If an attacker can get an authenticated Koha user to visit their page with the url below, they can change or delete patrons' images /tools/picture-upload.pl?op=Delete&borrowernumber=42 Test plan: 1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42 And confirm that you get a "Wrong CSRF token" error 2/ Go on the patron detail page with a patron's image 3/ Click on the Delete link (note the csrf_token param) 4/ The image will be deleted and you are redirected to the patron detail page. Regression tests: Upload an image from the patron detail page and from the "upload patron images" tool. Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz> Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com> |
||
|---|---|---|
| .. | ||
| js | ||
| lib | ||
| prog | ||