From: Jonathan Druart <jonathan.druart@bugs.koha-community.org>
Date: Fri, 13 Jan 2017 15:19:45 +0000 (+0100)
Subject: Bug 17905: FIX CSRF in member-flags
X-Git-Tag: v17.05.00~802
X-Git-Url: http://koha-dev.rot13.org:8081/gitweb/?a=commitdiff_plain;h=0c3c162f767f5587f5fad7375151f8efca3689b3;p=koha_ffzg

Bug 17905: FIX CSRF in member-flags

If an attacker can get an authenticated Koha user to visit their page
with the url below, privilege escalation is possible

The exploit can be simulated triggering
    /cgi-bin/koha/members/member-flags.pl?member=42&newflags=1&flag=superlibrarian

Test plan:
Trigger the url above
=> Without this patch, 42 is now superlibrarian
=> With this patch, you will get the "Wrong CSRF token" error.

This vulnerability has been reported by MDSec.

Signed-off-by: Mirko Tietgen <mirko@abunchofthings.net>
Signed-off-by: Marcel de Rooy <m.de.rooy@rijksmuseum.nl>

Signed-off-by: Kyle M Hall <kyle@bywatersolutions.com>
---

diff --git a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
index 20429655f2..524c0a1cd6 100644
--- a/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
+++ b/koha-tmpl/intranet-tmpl/prog/en/modules/members/member-flags.tt
@@ -122,6 +122,7 @@
 [% INCLUDE 'members-toolbar.inc' %]
 
 <form method="post" action="/cgi-bin/koha/members/member-flags.pl">
+    <input type="hidden" name="csrf_token" value="[% csrf_token %]" />
     <input type="hidden" name="member" id="borrowernumber" value="[% borrowernumber %]" />
     <input type="hidden" name="newflags" value="1" />
     <h1>Set permissions for [% surname %], [% firstname %]</h1>
diff --git a/members/member-flags.pl b/members/member-flags.pl
index 7849760171..d54984adb9 100755
--- a/members/member-flags.pl
+++ b/members/member-flags.pl
@@ -8,6 +8,8 @@ use strict;
 use warnings;
 
 use CGI qw ( -utf8 );
+use Digest::MD5 qw(md5_base64);
+use Encode qw( encode );
 use C4::Output;
 use C4::Auth qw(:DEFAULT :EditPermissions);
 use C4::Context;
@@ -19,6 +21,7 @@ use Koha::Patron::Categories;
 
 use C4::Output;
 use Koha::Patron::Images;
+use Koha::Token;
 
 my $input = new CGI;
 
@@ -42,6 +45,15 @@ my %member2;
 $member2{'borrowernumber'}=$member;
 
 if ($input->param('newflags')) {
+
+    die "Wrong CSRF token"
+        unless Koha::Token->new->check_csrf({
+            id     => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+            secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+            token  => scalar $input->param('csrf_token'),
+        });
+
+
     my $dbh=C4::Context->dbh();
 
     my @perms = $input->multi_param('flag');
@@ -205,6 +217,11 @@ $template->param(
 		is_child        => ($bor->{'category_type'} eq 'C'),
 		activeBorrowerRelationship => (C4::Context->preference('borrowerRelationship') ne ''),
         RoutingSerials => C4::Context->preference('RoutingSerials'),
+        csrf_token => Koha::Token->new->generate_csrf(
+            {   id     => Encode::encode( 'UTF-8', C4::Context->userenv->{id} ),
+                secret => md5_base64( Encode::encode( 'UTF-8', C4::Context->config('pass') ) ),
+            }
+        ),
 		);
 
     output_html_with_http_headers $input, $cookie, $template->output;