Bug 17905: FIX CSRF in member-flags

If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>
Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
index 2042965..524c0a1 100644 (file)
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
@@ -122,6 +122,7 @@
 [% INCLUDE 'members-toolbar.inc' %]
 
 <form method="post" action="/cgi-bin/koha/members/member-flags.pl">
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
     <input type="hidden" name="member" id="borrowernumber" value="[% borrowernumber %]" />
     <input type="hidden" name="newflags" value="1" />
     <h1>Set permissions for [% surname %], [% firstname %]</h1>

diff --git a/members/member-flags.pl b/members/member-flags.pl
index 7849760..d54984a 100755 (executable)
--- a/members/member-flags.pl
+++ b/members/member-flags.pl
@@ -8,6 +8,8 @@ use strict;
 use warnings;
 
 use CGI qw ( -utf8 );
+use Digest::MD5 qw(md5_base64);
+use Encode qw( encode );
 use C4::Output;
 use C4::Auth qw(:DEFAULT :EditPermissions);
 use C4::Context;
@@ -19,6 +21,7 @@ use Koha::Patron::Categories;
 
 use C4::Output;
 use Koha::Patron::Images;
+use Koha::Token;
 
 my $input = new CGI;
 
@@ -42,6 +45,15 @@ my %member2;
 $member2{'borrowernumber'}=$member;
 
 if ($input->param('newflags')) {
+
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf({
+            id     => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+            secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+            token  => scalar $input->param('csrf_token'),
+        });
+
+
     my $dbh=C4::Context->dbh();
 
     my @perms = $input->multi_param('flag');
@@ -205,6 +217,11 @@ $template->param(
                is_child        => ($bor->{'category_type'} eq 'C'),
                activeBorrowerRelationship => (C4::Context->preference('borrowerRelationship') ne ''),
         RoutingSerials => C4::Context->preference('RoutingSerials'),
+        csrf_token => Koha::Token->new->generate_csrf(
+            {   id     => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+                secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+            }
+        ),
                );
 
     output_html_with_http_headers $input, $cookie, $template->output;