From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 13:56:56 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 24409] New: admin/authorised_values.pl?op=add_form :
Add New Category is vulnerable for CSRF attacks
Date: Mon, 13 Jan 2020 12:56:55 +0000
Message-ID:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5519088296829280295=="
--===============5519088296829280295==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24409
Bug ID: 24409
Summary: admin/authorised_values.pl?op=add_form : Add New
Category is vulnerable for CSRF attacks
Change sponsored?: ---
Product: Koha
Version: 19.11
Hardware: All
OS: Linux
Status: NEW
Severity: major
Priority: P5 - low
Component: System Administration
Assignee: koha-bugs@lists.koha-community.org
Reporter: aman.mishra77@gmail.com
QA Contact: testopia@bugs.koha-community.org
CC: gmcharlt@gmail.com
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
--===============5519088296829280295==--
From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 13:59:26 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add
New Category is vulnerable for CSRF attacks
Date: Mon, 13 Jan 2020 12:59:25 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============1371473764882175095=="
--===============1371473764882175095==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24409
--- Comment #1 from Aman Mishra ---
When we use this script it is allow to create new category
=20
=20
=20
--=20
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
--===============1371473764882175095==--
From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 14:12:54 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add
New Category is vulnerable for CSRF attacks
Date: Mon, 13 Jan 2020 13:12:53 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5645943591231379016=="
--===============5645943591231379016==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24409
--- Comment #2 from Aman Mishra ---
I resolved this please chek and update this is right way or not?
Add CSRF token in /usr/share/koha/intranet/cgi-bin/admin/authorised_values.pl
+ after line 32
+use Koha::Token;
+ after line 172
+my $TokenCheck =3D Koha::Token->new->check_csrf({
session_id =3D> scalar $input->cookie('CGISESSID'),
token =3D> scalar $input->param('csrf_token'),
});
+ after line 180
+if( $TokenCheck ){
+ after line 204
+ }
else {
push @messages, {type =3D> 'error', code =3D> 'wrong_csrf_token' };
}
+ after line 81
+ $template->param(
csrf_token =3D> Koha::Token->new->generate_csrf({
session_id =3D> scalar $input->cookie('CGISESSID'),
}),
);
Add CSRF in
/usr/share/koha/intranet/htdocs/intranet-tmpl/prog/en/modules/admin/authorise=
d_values.tt
+ after line 63
+
+ after line 184
+ [% CASE 'wrong_csrf_token' %]
The form submission failed (Wrong CSRF
token). Try to come back, refresh the page, then try again.
=20
Now test your application.
Thanks
Aman Mishra
Sr. Software Engineer=20
Total IT Software Solutions Pvt. Ltd.
India
--=20
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
--===============5645943591231379016==--
From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 14:14:07 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add
New Category is vulnerable for CSRF attacks
Date: Mon, 13 Jan 2020 13:14:06 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============6759671733314319181=="
--===============6759671733314319181==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: 7bit
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=24409
Aman Mishra changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |aman.mishra77@gmail.com
--
You are receiving this mail because:
You are watching all bug changes.
--===============6759671733314319181==--
From bugzilla-daemon@bugs.koha-community.org Mon Jan 13 16:00:49 2020
From: bugzilla-daemon@bugs.koha-community.org
To: koha-bugs@lists.koha-community.org
Subject: [Koha-bugs] [Bug 24409] admin/authorised_values.pl?op=add_form : Add
New Category is vulnerable for CSRF attacks
Date: Mon, 13 Jan 2020 15:00:49 +0000
Message-ID:
In-Reply-To:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============8223914370827227594=="
--===============8223914370827227594==
Content-Type: text/plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=3D24409
Jonathan Druart changed:
What |Removed |Added
----------------------------------------------------------------------------
See Also| |https://bugs.koha-community
| |.org/bugzilla3/show_bug.cgi
| |?id=3D22990
Version|19.11 |unspecified
CC| |jonathan.druart@bugs.koha-c
| |ommunity.org
--- Comment #3 from Jonathan Druart =
---
Yes, that may work. However we are going to fix them globally, see bug 22990
for more information.
--=20
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
--===============8223914370827227594==--