If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible
The exploit can be simulated triggering
/cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian
Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.
This vulnerability has been reported by MDSec.
Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
[% INCLUDE 'members-toolbar.inc' %]
<form method="post" action="/cgi-bin/koha/members/member-flags.pl">
[% INCLUDE 'members-toolbar.inc' %]
<form method="post" action="/cgi-bin/koha/members/member-flags.pl">
+ <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
<input type="hidden" name="member" id="borrowernumber" value="[% borrowernumber %]" />
<input type="hidden" name="newflags" value="1" />
<h1>Set permissions for [% surname %], [% firstname %]</h1>
<input type="hidden" name="member" id="borrowernumber" value="[% borrowernumber %]" />
<input type="hidden" name="newflags" value="1" />
<h1>Set permissions for [% surname %], [% firstname %]</h1>
use warnings;
use CGI qw ( -utf8 );
use warnings;
use CGI qw ( -utf8 );
+use Digest::MD5 qw(md5_base64);
+use Encode qw( encode );
use C4::Output;
use C4::Auth qw(:DEFAULT :EditPermissions);
use C4::Context;
use C4::Output;
use C4::Auth qw(:DEFAULT :EditPermissions);
use C4::Context;
use C4::Output;
use Koha::Patron::Images;
use C4::Output;
use Koha::Patron::Images;
$member2{'borrowernumber'}=$member;
if ($input->param('newflags')) {
$member2{'borrowernumber'}=$member;
if ($input->param('newflags')) {
+
+ die "Wrong CSRF token"
+ unless Koha::Token->new->check_csrf({
+ id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+ secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+ token => scalar $input->param('csrf_token'),
+ });
+
+
my $dbh=C4::Context->dbh();
my @perms = $input->multi_param('flag');
my $dbh=C4::Context->dbh();
my @perms = $input->multi_param('flag');
is_child => ($bor->{'category_type'} eq 'C'),
activeBorrowerRelationship => (C4::Context->preference('borrowerRelationship') ne ''),
RoutingSerials => C4::Context->preference('RoutingSerials'),
is_child => ($bor->{'category_type'} eq 'C'),
activeBorrowerRelationship => (C4::Context->preference('borrowerRelationship') ne ''),
RoutingSerials => C4::Context->preference('RoutingSerials'),
+ csrf_token => Koha::Token->new->generate_csrf(
+ { id => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+ secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+ }
+ ),
);
output_html_with_http_headers $input, $cookie, $template->output;
);
output_html_with_http_headers $input, $cookie, $template->output;