]> git.koha-community.org Git - koha.git/commit
Bug 16992: FIX CSRF in member-password.pl
authorJonathan Druart <jonathan.druart@bugs.koha-community.org>
Thu, 28 Jul 2016 10:54:11 +0000 (11:54 +0100)
committerKyle M Hall <kyle@bywatersolutions.com>
Wed, 10 Aug 2016 13:34:02 +0000 (13:34 +0000)
commit06d1259e56e7a662b1449fa54b9b408afdbf6cc8
treedac89e01668391d7b74e6d492e4d3de4653d4393
parent2785183a6b3c1bc231f78a0e506617379ea3998e
Bug 16992: FIX CSRF in member-password.pl

If an attacker can get an authenticated Koha user to visit their page with the
url below, they can change patrons' passwords
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

Test plan:

Trigger
/members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked

=> Without this patch, the password will be updated
=> With this patch applied you will get a crash "Wrong CSRF token" (no
need to stylish)

Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Katrin Fischer <katrin.fischer.83@web.de>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt
members/member-password.pl