From 99a2c87fc1fe730a428fa5080ac0167656c718f5 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Fri, 13 Jan 2017 16:19:45 +0100
Subject: [PATCH] Bug 17905: FIX CSRF in member-flags
If an attacker can get an authenticated Koha user to visit their page with the url below, privilege escalation is possible
The exploit can be simulated triggering /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian
Test plan: Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen
Signed-off-by: Marcel de Rooy
Signed-off-by: Kyle M Hall
(cherry picked from commit 0c3c162f767f5587f5fad7375151f8efca3689b3)
Signed-off-by: Katrin Fischer
---
 .../prog/en/modules/members/member-flags.tt | 1 +
 members/member-flags.pl | 17 +++++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
index 039c8ecdbf..75bc2967e2 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
@@ -121,6 +121,7 @@ [% INCLUDE 'members-toolbar.inc' %]
+

Set permissions for [% surname %], [% firstname %]

diff --git a/members/member-flags.pl b/members/member-flags.pl
index 629a5c922c..ccddc395a2 100755
--- a/members/member-flags.pl
+++ b/members/member-flags.pl
@@ -8,6 +8,8 @@ use strict;
 use warnings;
 use CGI qw ( -utf8 );
+use Digest::MD5 qw(md5_base64);
+use Encode qw( encode );
 use C4::Output;
 use C4::Auth qw(:DEFAULT :EditPermissions);
 use C4::Context;
@@ -18,6 +20,7 @@ use C4::Members::Attributes qw(GetBorrowerAttributes);
 use C4::Output;
 use Koha::Patron::Images;
+use Koha::Token;
 my $input = new CGI;
@@ -41,6 +44,15 @@ my %member2;
 $member2{'borrowernumber'}=$member;
 if ($input->param('newflags')) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+ secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+ token => scalar $input->param('csrf_token'),
+ });
+
+
 my $dbh=C4::Context->dbh();
 my @perms = $input->multi_param('flag');
@@ -196,6 +208,11 @@ $template->param(
 is_child => ($bor->{'category_type'} eq 'C'),
 activeBorrowerRelationship => (C4::Context->preference('borrowerRelationship') ne ''),
 RoutingSerials => C4::Context->preference('RoutingSerials'),
+ csrf_token => Koha::Token->new->generate_csrf(
+ { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+ secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+ }
+ ),
 );
 output_html_with_http_headers $input, $cookie, $template->output;
-- 
2.20.1
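Review bot: `use Encode qw( encode );` imports `encode` into the script's namespace, but both call sites this patch adds spell it as `Encode::encode( 'UTF-8', ... )`, so the import list is dead and a reader will hunt for an unqualified `encode` that never appears. Either drop the list (`use Encode;`) or call `encode( 'UTF-8', ... )` unqualified, which would also match how `md5_base64` from `Digest::MD5` is used on the same lines.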
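Review bot: The token parameters — `id` from `C4::Context->userenv->{id}` and `secret` from `md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) )` — are written out twice, once in the `check_csrf` call in the `if ($input->param('newflags'))` hunk and again in the `generate_csrf` call in the `$template->param(` hunk, and nothing ties the two copies together; if either one drifts (a different encoding, a different secret source) every legitimate form submission fails the check and the breakage is not obvious from either site. A small private helper returning the shared pair keeps the generator and the check in step, with the template side becoming `csrf_token => Koha::Token->new->generate_csrf( { _csrf_params() } ),`. Separately, a bare `die "Wrong CSRF token"` turns a rejected request into an uncaught exception, so unless an outer handler maps it the client most likely sees a generic server error rather than a 403 with a proper page. The enclosing `if` block continues outside the hunk.
```perl
# Parameters shared by check_csrf and generate_csrf: one source for the id and
# secret so the token the form embeds is always the token the handler verifies.
sub _csrf_params {
    return (
        id     => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
        secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
    );
}

if ($input->param('newflags')) {

    die "Wrong CSRF token"
        unless Koha::Token->new->check_csrf({
            _csrf_params(),
            token => scalar $input->param('csrf_token'),
        });

    # … unchanged: $dbh / @perms and the permission update …
```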