From 0c3c162f767f5587f5fad7375151f8efca3689b3 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Fri, 13 Jan 2017 16:19:45 +0100 Subject: [PATCH] Bug 17905: FIX CSRF in member-flags If an attacker can get an authenticated Koha user to visit their page with the url below, privilege escalation is possible The exploit can be simulated triggering /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian Test plan: Trigger the url above => Without this patch, 42 is now superlibrarian => With this patch, you will get the "Wrong CSRF token" error. This vulnerability has been reported by MDSec. Signed-off-by: Mirko Tietgen Signed-off-by: Marcel de Rooy Signed-off-by: Kyle M Hall --- .../prog/en/modules/members/member-flags.tt | 1 + members/member-flags.pl | 17 +++++++++++++++++ 2 files changed, 18 insertions(+) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt index 20429655f2..524c0a1cd6 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt @@ -122,6 +122,7 @@ [% INCLUDE 'members-toolbar.inc' %]
+

Set permissions for [% surname %], [% firstname %]

diff --git a/members/member-flags.pl b/members/member-flags.pl index 7849760171..d54984adb9 100755 --- a/members/member-flags.pl +++ b/members/member-flags.pl @@ -8,6 +8,8 @@ use strict; use warnings; use CGI qw ( -utf8 ); +use Digest::MD5 qw(md5_base64); +use Encode qw( encode ); use C4::Output; use C4::Auth qw(:DEFAULT :EditPermissions); use C4::Context; @@ -19,6 +21,7 @@ use Koha::Patron::Categories; use C4::Output; use Koha::Patron::Images; +use Koha::Token; my $input = new CGI; @@ -42,6 +45,15 @@ my %member2; $member2{'borrowernumber'}=$member; if ($input->param('newflags')) { + + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf({ + id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ), + secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ), + token => scalar $input->param('csrf_token'), + }); + + my $dbh=C4::Context->dbh(); my @perms = $input->multi_param('flag'); @@ -205,6 +217,11 @@ $template->param( is_child => ($bor->{'category_type'} eq 'C'), activeBorrowerRelationship => (C4::Context->preference('borrowerRelationship') ne ''), RoutingSerials => C4::Context->preference('RoutingSerials'), + csrf_token => Koha::Token->new->generate_csrf( + { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ), + secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ), + } + ), ); output_html_with_http_headers $input, $cookie, $template->output; -- 2.39.5