From 06d1259e56e7a662b1449fa54b9b408afdbf6cc8 Mon Sep 17 00:00:00 2001 From: Jonathan Druart Date: Thu, 28 Jul 2016 11:54:11 +0100 Subject: [PATCH] Bug 16992: FIX CSRF in member-password.pl If an attacker can get an authenticated Koha user to visit their page with the url below, they can change patrons' passwords /members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked Test plan: Trigger /members/member-password.pl?member=42&newpassword=hacked&newpassword2=hacked => Without this patch, the password will be updated => With this patch applied you will get a crash "Wrong CSRF token" (no need to stylish) Signed-off-by: Marcel de Rooy Signed-off-by: Katrin Fischer Signed-off-by: Kyle M Hall --- .../prog/en/modules/members/member-password.tt | 6 +++++- members/member-password.pl | 13 +++++++++++++ 2 files changed, 18 insertions(+), 1 deletion(-) diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt index 5d55ef5cdb..786125e7d4 100644 --- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt +++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-password.tt @@ -114,7 +114,11 @@ -
Cancel
+
+ + + Cancel +
[% END %] diff --git a/members/member-password.pl b/members/member-password.pl index c24a26213b..43c4489c4c 100755 --- a/members/member-password.pl +++ b/members/member-password.pl @@ -17,6 +17,7 @@ use C4::Circulation; use CGI qw ( -utf8 ); use C4::Members::Attributes qw(GetBorrowerAttributes); use Koha::Patron::Images; +use Koha::Token; use Digest::MD5 qw(md5_base64); @@ -63,6 +64,14 @@ my $minpw = C4::Context->preference('minPasswordLength'); push( @errors, 'SHORTPASSWORD' ) if ( $newpassword && $minpw && ( length($newpassword) < $minpw ) ); if ( $newpassword && !scalar(@errors) ) { + + die "Wrong CSRF token" + unless Koha::Token->new->check_csrf({ + id => C4::Context->userenv->{id}, + secret => md5_base64( C4::Context->config('pass') ), + token => scalar $input->param('csrf_token'), + }); + my $digest = Koha::AuthUtils::hash_password( $input->param('newpassword') ); my $uid = $input->param('newuserid') || $bor->{userid}; my $dbh = C4::Context->dbh; @@ -141,6 +150,10 @@ $template->param( activeBorrowerRelationship => ( C4::Context->preference('borrowerRelationship') ne '' ), minPasswordLength => $minpw, RoutingSerials => C4::Context->preference('RoutingSerials'), + csrf_token => Koha::Token->new->generate_csrf({ + id => C4::Context->userenv->{id}, + secret => md5_base64( C4::Context->config('pass') ), + }), ); if ( scalar(@errors) ) { -- 2.39.5
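Review bot: The CSRF `id` and `secret` are derived twice — once in this `check_csrf` call and again in the later `generate_csrf` call — so if either derivation ever drifts (a different user id field, a different hash of the config password) every password submission dies with "Wrong CSRF token" and nothing points at the mismatch. Hoist them once near the top of the script, e.g. `my $csrf_id = C4::Context->userenv->{id};` and `my $csrf_secret = md5_base64( C4::Context->config('pass') );`, and pass those to both calls. The check itself is well placed inside the `$newpassword && !scalar(@errors)` branch, so no write happens before the token is verified, and `scalar $input->param('csrf_token')` correctly stops a multi-valued parameter from injecting extra keys into the hash. Nothing visible binds the token to the session or applies an expiry; if `Koha::Token->check_csrf` enforces no max age, a token captured once stays valid for that staff user, which is worth confirming. The enclosing `if` block continues past the hunk.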