From 06d1259e56e7a662b1449fa54b9b408afdbf6cc8 Mon Sep 17 00:00:00 2001
From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Thu, 28 Jul 2016 11:54:11 +0100
Subject: [PATCH] Bug 16992: FIX CSRF in member-password.pl

If an attacker can get an authenticated Koha user to visit their page with the
url below, they can change patrons' passwords
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

Test plan:

Trigger
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
---
 .../prog/en/modules/members/member-password.tt      |  6 +++++-
 members/member-password.pl                          | 13 +++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt
index 5d55ef5cdb..786125e7d4 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt
@@ -114,7 +114,11 @@
 	</li>
 	</ol>
 </fieldset>
-	<fieldset class="action"><input type="submit" value="Save" /> <a class="cancel" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">Cancel</a></fieldset>
+    <fieldset class="action">
+        <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
+        <input type="submit" value="Save" />
+        <a class="cancel" href="/cgi-bin/koha/members/moremember.pl?borrowernumber=[% borrowernumber %]">Cancel</a>
+    </fieldset>
 </form>[% END %]
 
 </div>
diff --git a/members/member-password.pl b/members/member-password.pl
index c24a26213b..43c4489c4c 100755
--- a/members/member-password.pl
+++ b/members/member-password.pl
@@ -17,6 +17,7 @@ use C4::Circulation;
 use CGI qw ( -utf8 );
 use C4::Members::Attributes qw(GetBorrowerAttributes);
 use Koha::Patron::Images;
+use Koha::Token;
 
 use Digest::MD5 qw(md5_base64);
 
@@ -63,6 +64,14 @@ my $minpw = C4::Context->preference('minPasswordLength');
 push( @errors, 'SHORTPASSWORD' ) if ( $newpassword && $minpw && ( length($newpassword) < $minpw ) );
 
 if ( $newpassword && !scalar(@errors) ) {
+
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf({
+            id     => C4::Context->userenv->{id},
+            secret => md5_base64( C4::Context->config('pass') ),
+            token  => scalar $input->param('csrf_token'),
+        });
+
     my $digest = Koha::AuthUtils::hash_password( $input->param('newpassword') );
     my $uid    = $input->param('newuserid') || $bor->{userid};
     my $dbh    = C4::Context->dbh;
@@ -141,6 +150,10 @@ $template->param(
     activeBorrowerRelationship => ( C4::Context->preference('borrowerRelationship') ne '' ),
     minPasswordLength          => $minpw,
     RoutingSerials             => C4::Context->preference('RoutingSerials'),
+    csrf_token                 => Koha::Token->new->generate_csrf({
+        id     => C4::Context->userenv->{id},
+        secret => md5_base64( C4::Context->config('pass') ),
+    }),
 );
 
 if ( scalar(@errors) ) {
-- 
2.39.2