Jonathan Druart
11bf7e7bef
If an attacker can get an authenticated Koha user to visit their page with the URL below, they can change or delete patrons' images:

/tools/picture-upload.pl?op=Delete&borrowernumber=42

Test plan:
1/ Hit /tools/picture-upload.pl?op=Delete&borrowernumber=42
   and confirm that you get a "Wrong CSRF token" error
2/ Go to the patron detail page of a patron with an image
3/ Click on the Delete link (note the csrf_token param)
4/ The image will be deleted and you are redirected to the patron detail page.

Regression tests: Upload an image from the patron detail page and from the "upload patron images" tool.

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
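The commit message describes the pattern being fixed: a state-changing request (op=Delete) that only checks that the caller is logged in can be triggered by any page the victim visits, so the handler must additionally require a token bound to the victim's session. The example below is added here to illustrate that check and the commit's test plan; it is not Koha's code and does not use Koha's own token API. The secret key, the in-memory image store, the session identifiers, the handler name and the redirect target are all constructed assumptions for the example.

```python
import hmac
import hashlib
from typing import Dict, Optional, Tuple
from urllib.parse import parse_qs

# Assumption: a server-side secret loaded from configuration in a real
# deployment. Hard-coded here only so the example runs stand-alone.
SECRET_KEY = b"example-only-secret-do-not-use"


def make_csrf_token(session_id: str) -> str:
    """Derive a CSRF token bound to one session.

    HMAC(secret, session_id): a page the victim merely visits cannot compute
    this value, and a token issued to one session is useless in another.
    """
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf_token(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison against the token expected for this session."""
    if not token:
        return False
    return hmac.compare_digest(make_csrf_token(session_id), token)


def handle_picture_upload(query_string: str, session_id: str,
                          images: Dict[int, bytes]) -> Tuple[int, str]:
    """Hardened handler for a request shaped like
    picture-upload.pl?op=Delete&borrowernumber=42&csrf_token=...

    `images` stands in for the patron image table (constructed for the
    example). Returns (status, message).
    """
    params = {k: v[0] for k, v in parse_qs(query_string).items()}
    if params.get("op") != "Delete":
        return 200, "OK"
    # The caller is already authenticated; that is not enough for a
    # state-changing op. The request must also carry this session's token.
    if not check_csrf_token(session_id, params.get("csrf_token")):
        return 403, "Wrong CSRF token"
    try:
        borrowernumber = int(params.get("borrowernumber", ""))
    except ValueError:
        return 400, "Invalid borrowernumber"
    if borrowernumber not in images:
        return 404, "No image for this patron"
    del images[borrowernumber]
    # Hypothetical redirect back to the patron detail page.
    return 303, f"/patron-detail?borrowernumber={borrowernumber}"


def run_test_plan() -> dict:
    """Replay the commit's test plan against the handler above."""
    images = {42: b"\x89PNG-constructed", 43: b"\x89PNG-constructed"}
    victim = "sess-victim"

    # 1/ The bare attacker URL: authenticated session, no token.
    forged = handle_picture_upload("op=Delete&borrowernumber=42", victim, images)

    # 2/-4/ The Delete link rendered for the victim carries their own token.
    token = make_csrf_token(victim)
    legit = handle_picture_upload(
        f"op=Delete&borrowernumber=42&csrf_token={token}", victim, images)

    # Extra check: a token minted for another session must not work here.
    other = make_csrf_token("sess-attacker")
    cross = handle_picture_upload(
        f"op=Delete&borrowernumber=43&csrf_token={other}", victim, images)

    return {"forged": forged, "legit": legit, "cross_session": cross,
            "images": images}


if __name__ == "__main__":
    for name, result in run_test_plan().items():
        print(name, result)
```

The forged request is refused with "Wrong CSRF token" and leaves the image in place, the link the victim actually clicks succeeds and redirects, and a token lifted from a different session is refused as well. Binding the token to the session is what makes the third case fail; a single site-wide token would not. As a general caveat beyond what this commit describes, destructive operations are also better served over POST than GET, since a GET URL can be triggered by an image tag or a prefetch without any script at all.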
Directory listing:
- tables/
- boraccount.tt
- deletemem.tt
- discharge.tt
- discharges.tt
- files.tt
- mancredit.tt
- maninvoice.tt
- member-flags.tt
- member-password.tt
- member.tt
- memberentrygen.tt
- members-update.tt
- moremember-brief.tt
- moremember-print.tt
- moremember-receipt.tt
- moremember.tt
- nl-search.tt
- notices.tt
- pay.tt
- paycollect.tt
- printfeercpt.tt
- printinvoice.tt
- purchase-suggestions.tt
- readingrec.tt
- routing-lists.tt
- statistics.tt
- update-child.tt