git.koha-community.org Git - koha.git/commit
Bug 17097: Fix CSRF in deletemem.pl
author    Jonathan Druart <jonathan.druart@bugs.koha-community.org>
          Tue, 9 Aug 2016 21:29:25 +0000 (22:29 +0100)
committer Mason James <mtj@kohaaloha.com>
          Wed, 3 May 2017 02:01:26 +0000 (14:01 +1200)
commit    08ec3cd0d0aedd3996938e1fb55d7ae855278d7a
tree      6314529a2f52b60459c6a2a22bb1cf8081344840
parent    a0b7acfae15efb6bf120a8b62daf55eff72b56a0
Bug 17097: Fix CSRF in deletemem.pl

If an attacker can get an authenticated Koha user to visit their page
with the url below, they can delete patrons' details.

  /members/deletemem.pl?member=42

Test plan:

0/ Do not apply any patches
1/ Adapt and hit the url above
=> The patron will be deleted without confirmation
2/ Apply first patch
3/ Hit the url
=> you will get a confirmation page
4/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> The patron will be deleted without confirmation
5/ Apply the second patch (this one)
6/ Hit /members/deletemem.pl?member=42&delete_confirmed=1
=> you will get a crash "Wrong CSRF token" (no need to style it)
7/ Delete a patron from the detail page and confirm the deletion
=> you will be redirected to the patron module home page and the patron
has been deleted

Signed-off-by: Chris Cormack <chrisc@catalyst.net.nz>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Mason James <mtj@kohaaloha.com>
koha-tmpl/intranet-tmpl/prog/en/modules/members/deletemem.tt
members/deletemem.pl
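The test plan above walks through three states of deletemem.pl: the unpatched script, where a plain GET deletes a patron; the first patch, which adds a confirmation page that an attacker can still skip by forging the `delete_confirmed=1` URL (step 4); and the second patch, where the confirmation form carries a CSRF token tied to the session, so a forged URL fails with "Wrong CSRF token" (step 6) while a real confirmation from the detail page succeeds (step 7). The following is an added example, not code from the Koha project (Koha's own check is implemented in Perl; it is not reproduced here). It models those three states in Python with a session-bound HMAC token so the test plan can be replayed offline. The names `SERVER_SECRET`, `generate_csrf`, `check_csrf`, `deletemem_*` and the session id string are assumptions made for this illustration.

```python
# Added illustration (not Koha code): deletemem.pl before and after the two
# patches described in the commit message, with a session-bound CSRF token.
# SERVER_SECRET, generate_csrf, check_csrf and the deletemem_* functions are
# names chosen for this example only.
import hashlib
import hmac
import secrets
from typing import Dict, Optional
from urllib.parse import parse_qs

# Per-process secret standing in for an installation-wide one. The token is
# HMAC(secret, session_id), so it cannot be computed from the URL alone.
SERVER_SECRET = secrets.token_bytes(32)


def generate_csrf(session_id: str) -> str:
    """Token bound to the caller's session; a token leaked from one session
    is useless against another."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def check_csrf(session_id: str, token: Optional[str]) -> bool:
    """Constant-time comparison; a missing token is simply wrong."""
    if not token:
        return False
    return hmac.compare_digest(generate_csrf(session_id), token)


def deletemem_unpatched(patrons: Dict[int, str], query: str) -> str:
    """Step 1 of the test plan: any GET with ?member=N deletes the patron."""
    member = int(parse_qs(query)["member"][0])
    patrons.pop(member, None)
    return "deleted"


def deletemem_first_patch(patrons: Dict[int, str], query: str) -> str:
    """Steps 3-4: a confirmation page, but the confirming request is still a
    plain GET that an attacker can forge with delete_confirmed=1."""
    params = parse_qs(query)
    if params.get("delete_confirmed", ["0"])[0] != "1":
        return "confirm"
    patrons.pop(int(params["member"][0]), None)
    return "deleted"


def deletemem_second_patch(patrons: Dict[int, str], session_id: str, query: str) -> str:
    """Step 6: the confirmation form carries a token tied to the session.
    A forged URL cannot know it, so the deletion is refused."""
    params = parse_qs(query)
    if params.get("delete_confirmed", ["0"])[0] != "1":
        # The real confirmation page would embed generate_csrf(session_id)
        # as a hidden csrf_token field in its form.
        return "confirm"
    if not check_csrf(session_id, params.get("csrf_token", [None])[0]):
        return "Wrong CSRF token"
    patrons.pop(int(params["member"][0]), None)
    return "deleted"


def run_test_plan() -> Dict[str, str]:
    """Replays the commit's test plan against the three versions."""
    session = "CGISESSID=abc123"  # constructed session id for the victim
    results: Dict[str, str] = {}

    patrons = {42: "victim"}
    results["step1"] = deletemem_unpatched(patrons, "member=42")
    results["step1_gone"] = "yes" if 42 not in patrons else "no"

    patrons = {42: "victim"}
    results["step3"] = deletemem_first_patch(patrons, "member=42")
    results["step4"] = deletemem_first_patch(patrons, "member=42&delete_confirmed=1")
    results["step4_gone"] = "yes" if 42 not in patrons else "no"

    patrons = {42: "victim"}
    results["step6"] = deletemem_second_patch(patrons, session, "member=42&delete_confirmed=1")
    results["step6_gone"] = "yes" if 42 not in patrons else "no"
    # Step 7: the legitimate confirmation carries the token from the page.
    token = generate_csrf(session)
    results["step7"] = deletemem_second_patch(
        patrons, session, f"member=42&delete_confirmed=1&csrf_token={token}")
    results["step7_gone"] = "yes" if 42 not in patrons else "no"
    # A token minted for a different session must not work either.
    patrons = {42: "victim"}
    other = generate_csrf("CGISESSID=attacker")
    results["cross_session"] = deletemem_second_patch(
        patrons, session, f"member=42&delete_confirmed=1&csrf_token={other}")
    return results
```

Step 4 is the point worth remembering: a confirmation page is a usability feature, not a CSRF defence, because the confirming request is just another URL the attacker can send. Binding the token to the session and comparing it in constant time is what makes the forged request fail; in a real deployment the confirming request should also be a POST rather than a GET, which the commit's test plan does not cover and the example does not model.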