Jonathan Druart
06d1259e56
If an attacker can get an authenticated Koha user to visit their page with the url below, they can change patrons' passwords /members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked Test plan: Trigger /members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked => Without this patch, the password will be updated => With this patch applied you will get a crash "Wrong CSRF token" (no need to stylish) Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl> Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de> Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
132 lines
5.8 KiB
Text
132 lines
5.8 KiB
Text
[% INCLUDE 'doc-head-open.inc' %]
|
|
<title>Koha › Patrons › [% IF ( newpassword ) %]Password updated [% ELSE %]Update password for [% surname %], [% firstname %][% END %]</title>
|
|
[% INCLUDE 'doc-head-close.inc' %]
|
|
<script type="text/JavaScript">
|
|
//<![CDATA[
|
|
|
|
function check_password( password ) {
|
|
if ( password.match(/^\s/) || password.match(/\s$/)) {
|
|
return false;
|
|
}
|
|
return true;
|
|
}
|
|
|
|
$(document).ready(function() {
|
|
var MSG_PASSWORD_CONTAINS_TRAILING_SPACES = _("Password contains leading and/or trailing spaces.");
|
|
$("#changepasswordf").submit(function(){
|
|
if($("input[name='newpassword']").val() != $("input[name='newpassword2']").val()){
|
|
alert(_("Passwords do not match"));
|
|
return false;
|
|
} else {
|
|
if ( ! check_password( $("input[name='newpassword']").val() ) ) {
|
|
alert(MSG_PASSWORD_CONTAINS_TRAILING_SPACES);
|
|
return false;
|
|
} else {
|
|
return true;
|
|
}
|
|
}
|
|
});
|
|
$("body").on('click', "#fillrandom",function(e) {
|
|
e.preventDefault();
|
|
$.get("/cgi-bin/koha/members/member-password.pl?member=[% userid %]", function(response) {
|
|
var defaultnewpass = $(response).find("#defaultnewpassfield").val();
|
|
$("#newpassword").after("<input type=\"text\" name=\"newpassword\" id=\"newpassword\" value=\"" + defaultnewpass + "\">").remove();
|
|
$("#newpassword2").after("<input type=\"text\" name=\"newpassword2\" id=\"newpassword2\" value=\"" + defaultnewpass + "\">").remove();
|
|
});
|
|
});
|
|
$("div.hint").eq(0).after(" <div class=\"hint\"><a href=\"#\" id=\"fillrandom\">"+_("Click to fill with a randomly generated suggestion. ")+"<strong>"+_("Passwords will be displayed as text")+"</strong>.</a></div>");
|
|
|
|
$(document).ajaxStart(function () {
|
|
$("input[name^=newpassword]").hide();
|
|
$("label[for=newpassword2]").hide();
|
|
$(".hint:last").after($(".loading").show());
|
|
});
|
|
$(document).ajaxStop(function () {
|
|
$("input[name^=newpassword]").show();
|
|
$("label[for=newpassword2]").show();
|
|
$(".loading").hide();
|
|
});
|
|
});
|
|
//]]>
|
|
</script>
|
|
</head>
|
|
<body id="pat_member-password" class="pat">
|
|
[% INCLUDE 'header.inc' %]
|
|
[% INCLUDE 'patron-search.inc' %]
|
|
|
|
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> › <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a> › <a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">[% firstname %] [% surname %]</a> › [% IF ( newpassword ) %]Password Updated[% ELSE %]Change username and/or password[% END %]</div>
|
|
|
|
<div id="doc3" class="yui-t2">
|
|
|
|
<div id="bd">
|
|
<div id="yui-main">
|
|
<div class="yui-b">
|
|
[% INCLUDE 'members-toolbar.inc' %]
|
|
|
|
[% IF ( newpassword ) %]
|
|
<h1>Password Updated</h1>
|
|
|
|
[% ELSE %]
|
|
|
|
<form method="post" id="changepasswordf" action="/cgi-bin/koha/members/member-password.pl">
|
|
<input type="hidden" name="destination" value="[% destination %]" />
|
|
<input type="hidden" name="cardnumber" value="[% cardnumber %]" />
|
|
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber %]" />
|
|
[% IF ( errormsg ) %]
|
|
<div class="dialog alert">
|
|
<h4>The following errors have occurred:</h4>
|
|
<ul>
|
|
[% IF ( BADUSERID ) %]
|
|
<li>You have entered a username that already exists. Please choose another one.</li>
|
|
[% END %]
|
|
[% IF ( SHORTPASSWORD ) %]
|
|
<li><strong>The password entered is too short</strong>. Password must be at least [% minPasswordLength %] characters.</li>
|
|
[% END %]
|
|
[% IF ( NOPERMISSION ) %]
|
|
<li>You do not have permission to edit this patron's login information.</li>
|
|
[% END %]
|
|
[% IF ( NOMATCH ) %]
|
|
<li><strong>The passwords entered do not match</strong>. Please re-enter the new password.</li>
|
|
[% END %]
|
|
</ul>
|
|
</div>
|
|
[% END %]
|
|
|
|
|
|
<fieldset class="brief"><legend>Change username and/or password for [% firstname %] [% surname %]</legend>
|
|
<ol>
|
|
<li><label for="newuserid">New username:</label>
|
|
<input type="hidden" name="member" value="[% borrowernumber %]" /><input type="text" id="newuserid" name="newuserid" size="20" value="[% userid %]" /></li>
|
|
<li><label for="newpassword">New password:</label>
|
|
<div class="hint">Koha cannot display existing passwords. Leave the field blank to leave password unchanged.</div>
|
|
[% IF ( minPasswordLength ) %]<div class="hint">Minimum password length: [% minPasswordLength %]</div>[% END %]
|
|
[% IF ( NOMATCH ) %]
|
|
<input name="newpassword" id="newpassword" type="password" size="20" class="focus" />
|
|
<input name="newpassword" id="newpassword_random" readonly="readonly" disabled="disabled" type="hidden" />
|
|
[% ELSE %]
|
|
<input name="newpassword" id="newpassword" type="password" size="20" />
|
|
<input name="newpassword" readonly="readonly" disabled="disabled" type="hidden" />
|
|
[% END %]
|
|
</li>
|
|
<li><label for="newpassword2">Confirm new password:</label>
|
|
<input name="newpassword2" id="newpassword2" type="password" size="20" />
|
|
<input name="newpassword2" id="newpassword2_random" readonly="readonly" disabled="disabled" type="hidden" />
|
|
</li>
|
|
</ol>
|
|
</fieldset>
|
|
<fieldset class="action">
|
|
<input type="hidden" name="csrf_token" value="[% csrf_token %]" />
|
|
<input type="submit" value="Save" />
|
|
<a class="cancel" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">Cancel</a>
|
|
</fieldset>
|
|
</form>[% END %]
|
|
|
|
</div>
|
|
</div>
|
|
<input type="hidden" name="defaultnewpassfield" id="defaultnewpassfield" value="[% defaultnewpassword %]" />
|
|
<div class="loading hide"><strong>Processing...</strong><img src="[% interface %]/[% theme %]/img/loading.gif" alt="" /></div>
|
|
<div class="yui-b">
|
|
[% INCLUDE 'circ-menu.inc' %]
|
|
</div>
|
|
</div>
|
|
[% INCLUDE 'intranet-bottom.inc' %]
|