From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 13:56:56 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 24409] New: admin/authorised_values.pl?op=add_form : Add New Category is vulnerable for CSRF attacks Date: Mon, 13 Jan 2020 12:56:55 +0000 Message-ID: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5519088296829280295==" --===============5519088296829280295== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24409 Bug ID: 24409 Summary: admin/authorised_values.pl?op=add_form : Add New Category is vulnerable for CSRF attacks Change sponsored?: --- Product: Koha Version: 19.11 Hardware: All OS: Linux Status: NEW Severity: major Priority: P5 - low Component: System Administration Assignee: koha-bugs@lists.koha-community.org Reporter: aman.mishra77@gmail.com QA Contact: testopia@bugs.koha-community.org CC: gmcharlt@gmail.com -- You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug. --===============5519088296829280295==-- From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 13:59:26 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add New Category is vulnerable for CSRF attacks Date: Mon, 13 Jan 2020 12:59:25 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============1371473764882175095==" --===============1371473764882175095== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24409 --- Comment #1 from Aman Mishra --- When we use this script it is allow to create new category =20 =20 =20
--=20 You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug. --===============1371473764882175095==-- From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 14:12:54 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add New Category is vulnerable for CSRF attacks Date: Mon, 13 Jan 2020 13:12:53 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============5645943591231379016==" --===============5645943591231379016== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24409 --- Comment #2 from Aman Mishra --- I resolved this please chek and update this is right way or not? Add CSRF token in /usr/share/koha/intranet/cgi-bin/admin/authorised_values.pl + after line 32 +use Koha::Token; + after line 172 +my $TokenCheck =3D Koha::Token->new->check_csrf({ session_id =3D> scalar $input->cookie('CGISESSID'), token =3D> scalar $input->param('csrf_token'), }); + after line 180 +if( $TokenCheck ){ + after line 204 + } else { push @messages, {type =3D> 'error', code =3D> 'wrong_csrf_token' }; } + after line 81 + $template->param( csrf_token =3D> Koha::Token->new->generate_csrf({ session_id =3D> scalar $input->cookie('CGISESSID'), }), ); Add CSRF in /usr/share/koha/intranet/htdocs/intranet-tmpl/prog/en/modules/admin/authorise= d_values.tt + after line 63 + + after line 184 + [% CASE 'wrong_csrf_token' %]
The form submission failed (Wrong CSRF token). Try to come back, refresh the page, then try again.
=20 Now test your application. Thanks Aman Mishra Sr. Software Engineer=20 Total IT Software Solutions Pvt. Ltd. India --=20 You are receiving this mail because: You are the assignee for the bug. You are watching all bug changes. --===============5645943591231379016==-- From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 14:14:07 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add New Category is vulnerable for CSRF attacks Date: Mon, 13 Jan 2020 13:14:06 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============6759671733314319181==" --===============6759671733314319181== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24409 Aman Mishra changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |aman.mishra77@gmail.com -- You are receiving this mail because: You are watching all bug changes. --===============6759671733314319181==-- From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 16:00:49 2020 From: bugzilla-daemon@bugs.koha-community.org To: koha-bugs@lists.koha-community.org Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add New Category is vulnerable for CSRF attacks Date: Mon, 13 Jan 2020 15:00:49 +0000 Message-ID: In-Reply-To: MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============8223914370827227594==" --===============8223914370827227594== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24409 Jonathan Druart changed: What |Removed |Added ---------------------------------------------------------------------------- See Also| |https://bugs.koha-community | |.org/bugzilla3/show_bug.cgi | |?id=3D22990 Version|19.11 |unspecified CC| |jonathan.druart@bugs.koha-c | |ommunity.org --- Comment #3 from Jonathan Druart = --- Yes, that may work. However we are going to fix them globally, see bug 22990 for more information. --=20 You are receiving this mail because: You are watching all bug changes. You are the assignee for the bug. --===============8223914370827227594==--