From c6d7fd2dd3a088eb4f5a0ad79b45cff2e257de32 Mon Sep 17 00:00:00 2001
From: Jonathan Druart
Date: Thu, 28 Jul 2016 12:55:43 +0100
Subject: [PATCH] Bug 16993: Fix CSRF in memberentry.pl

If an attacker can get an authenticated Koha user to visit their page with the url below, they can change patrons' passwords or other patrons'details members/memberentry.pl?op=save&destination=circ&borrowernumber=3435&password=ZZZ&password2=ZZZ&nodouble=1
Test plan: Trigger members/memberentry.pl?op=save&destination=circ&borrowernumber=42&password=ZZZ&password2=ZZZ&nodouble=1 => Without this patch, the password will be updated => With this patch applied you will get a crash "Wrong CSRF token" (no need to stylish)
Signed-off-by: Marcel de Rooy
Amended: removed the commented use Digest::MD5-line.
Signed-off-by: Katrin Fischer
Signed-off-by: Mason James
---
 .../intranet-tmpl/prog/en/modules/members/memberentrygen.tt | 3 +++
 members/memberentry.pl | 5 +++--
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
index 54e755ea64..5bbd07bd16 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/memberentrygen.tt
@@ -91,12 +91,14 @@ $(document).ready(function() {
+
+
@@ -164,6 +166,7 @@ $(document).ready(function() {
+ [% IF ( step ) %][% END %] [% IF ( opadd ) %] [% ELSIF ( opduplicate ) %]
diff --git a/members/memberentry.pl b/members/memberentry.pl
index 1675ebbfeb..bcb7b1ea2c 100755
--- a/members/memberentry.pl
+++ b/members/memberentry.pl
@@ -24,8 +24,8 @@ use warnings;
 # external modules
 use CGI qw ( -utf8 );
-# use Digest::MD5 qw(md5_base64);
 use List::MoreUtils qw/uniq/;
+use Digest::MD5 qw(md5_base64);
 # internal modules
 use C4::Auth;
@@ -42,6 +42,7 @@ use C4::Form::MessagingPreferences;
 use Koha::Patron::Debarments;
 use Koha::Cities;
 use Koha::DateUtils;
+use Koha::Token;
 use Email::Valid;
 use Module::Load;
 if ( C4::Context->preference('NorwegianPatronDBEnable') && C4::Context->preference('NorwegianPatronDBEnable') == 1 ) {
@@ -687,7 +688,7 @@ $template->param(
 category_type =>$category_type,
 modify => $modify,
 nok => $nok,#flag to know if an error
- NoUpdateLogin => $NoUpdateLogin
+ NoUpdateLogin => $NoUpdateLogin,
 );
 # Generate CSRF token
--
2.39.5
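Review bot: Nothing in the memberentry.pl hunks performs the CSRF check itself — they add `use Digest::MD5 qw(md5_base64);`, `use Koha::Token;` and a trailing comma on `NoUpdateLogin => $NoUpdateLogin,` — so whether the token is verified for `op=save` before the patron record or password is modified has to be confirmed in the parts of the file outside these hunks, where the context line `# Generate CSRF token` suggests the token code lives. In the `@@ -24,8 +24,8 @@` hunk the live `use Digest::MD5` import is placed after `use List::MoreUtils` instead of in the slot of the removed commented line; putting it back there keeps the "external modules" group in its previous order and reduces the hunk to a one-line uncomment. The `$template->param(` call in the `@@ -687,7 +688,7 @@` hunk continues past the visible lines (the header declares seven old lines and six are shown), and the two memberentrygen.tt hunks lost their markup in extraction, so the hidden-field additions there cannot be reviewed from this page.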