Koha/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt
Jonathan Druart 06d1259e56 Bug 16992: FIX CSRF in member-password.pl
If an attacker can get an authenticated Koha user to visit their page with the
url below, they can change patrons' passwords
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

Test plan:

Trigger
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
2016-08-10 13:34:02 +00:00

132 lines
5.8 KiB
Text

[% INCLUDE 'doc-head-open.inc' %]
<title>Koha &rsaquo; Patrons &rsaquo; [% IF ( newpassword ) %]Password updated [% ELSE %]Update password for [% surname %], [% firstname %][% END %]</title>
[% INCLUDE 'doc-head-close.inc' %]
<script type="text/JavaScript">
//<![CDATA[
function check_password( password ) {
if ( password.match(/^\s/) || password.match(/\s$/)) {
return false;
}
return true;
}
$(document).ready(function() {
var MSG_PASSWORD_CONTAINS_TRAILING_SPACES = _("Password contains leading and/or trailing spaces.");
$("#changepasswordf").submit(function(){
if($("input[name='newpassword']").val() != $("input[name='newpassword2']").val()){
alert(_("Passwords do not match"));
return false;
} else {
if ( ! check_password( $("input[name='newpassword']").val() ) ) {
alert(MSG_PASSWORD_CONTAINS_TRAILING_SPACES);
return false;
} else {
return true;
}
}
});
$("body").on('click', "#fillrandom",function(e) {
e.preventDefault();
$.get("/cgi-bin/koha/members/member-password.pl?member=[% userid %]", function(response) {
var defaultnewpass = $(response).find("#defaultnewpassfield").val();
$("#newpassword").after("<input type=\"text\" name=\"newpassword\" id=\"newpassword\" value=\"" + defaultnewpass + "\">").remove();
$("#newpassword2").after("<input type=\"text\" name=\"newpassword2\" id=\"newpassword2\" value=\"" + defaultnewpass + "\">").remove();
});
});
$("div.hint").eq(0).after(" <div class=\"hint\"><a href=\"#\" id=\"fillrandom\">"+_("Click to fill with a randomly generated suggestion. ")+"<strong>"+_("Passwords will be displayed as text")+"</strong>.</a></div>");
$(document).ajaxStart(function () {
$("input[name^=newpassword]").hide();
$("label[for=newpassword2]").hide();
$(".hint:last").after($(".loading").show());
});
$(document).ajaxStop(function () {
$("input[name^=newpassword]").show();
$("label[for=newpassword2]").show();
$(".loading").hide();
});
});
//]]>
</script>
</head>
<body id="pat_member-password" class="pat">
[% INCLUDE 'header.inc' %]
[% INCLUDE 'patron-search.inc' %]
<div id="breadcrumbs"><a href="/cgi-bin/koha/mainpage.pl">Home</a> &rsaquo; <a href="/cgi-bin/koha/members/members-home.pl">Patrons</a> &rsaquo; <a href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">[% firstname %] [% surname %]</a> &rsaquo; [% IF ( newpassword ) %]Password Updated[% ELSE %]Change username and/or password[% END %]</div>
<div id="doc3" class="yui-t2">
<div id="bd">
<div id="yui-main">
<div class="yui-b">
[% INCLUDE 'members-toolbar.inc' %]
[% IF ( newpassword ) %]
<h1>Password Updated</h1>
[% ELSE %]
<form method="post" id="changepasswordf" action="/cgi-bin/koha/members/member-password.pl">
<input type="hidden" name="destination" value="[% destination %]" />
<input type="hidden" name="cardnumber" value="[% cardnumber %]" />
<input type="hidden" name="borrowernumber" id="borrowernumber" value="[% borrowernumber %]" />
[% IF ( errormsg ) %]
<div class="dialog alert">
<h4>The following errors have occurred:</h4>
<ul>
[% IF ( BADUSERID ) %]
<li>You have entered a username that already exists. Please choose another one.</li>
[% END %]
[% IF ( SHORTPASSWORD ) %]
<li><strong>The password entered is too short</strong>. Password must be at least [% minPasswordLength %] characters.</li>
[% END %]
[% IF ( NOPERMISSION ) %]
<li>You do not have permission to edit this patron's login information.</li>
[% END %]
[% IF ( NOMATCH ) %]
<li><strong>The passwords entered do not match</strong>. Please re-enter the new password.</li>
[% END %]
</ul>
</div>
[% END %]
<fieldset class="brief"><legend>Change username and/or password for [% firstname %] [% surname %]</legend>
<ol>
<li><label for="newuserid">New username:</label>
<input type="hidden" name="member" value="[% borrowernumber %]" /><input type="text" id="newuserid" name="newuserid" size="20" value="[% userid %]" /></li>
<li><label for="newpassword">New password:</label>
<div class="hint">Koha cannot display existing passwords. Leave the field blank to leave password unchanged.</div>
[% IF ( minPasswordLength ) %]<div class="hint">Minimum password length: [% minPasswordLength %]</div>[% END %]
[% IF ( NOMATCH ) %]
<input name="newpassword" id="newpassword" type="password" size="20" class="focus" />
<input name="newpassword" id="newpassword_random" readonly="readonly" disabled="disabled" type="hidden" />
[% ELSE %]
<input name="newpassword" id="newpassword" type="password" size="20" />
<input name="newpassword" readonly="readonly" disabled="disabled" type="hidden" />
[% END %]
</li>
<li><label for="newpassword2">Confirm new password:</label>
<input name="newpassword2" id="newpassword2" type="password" size="20" />
<input name="newpassword2" id="newpassword2_random" readonly="readonly" disabled="disabled" type="hidden" />
</li>
</ol>
</fieldset>
<fieldset class="action">
<input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="submit" value="Save" />
<a class="cancel" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">Cancel</a>
</fieldset>
</form>[% END %]
</div>
</div>
<input type="hidden" name="defaultnewpassfield" id="defaultnewpassfield" value="[% defaultnewpassword %]" />
<div class="loading hide"><strong>Processing...</strong><img src="[% interface %]/[% theme %]/img/loading.gif" alt="" /></div>
<div class="yui-b">
[% INCLUDE 'circ-menu.inc' %]
</div>
</div>
[% INCLUDE 'intranet-bottom.inc' %]