5566 added chech on referer to ensure it is in the pages array, to pr…

…event remote access via CSRF
atutor · Feb 28, 2015 · 068b8aa · 068b8aa
1 parent cd967a5
commit 068b8aa
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/mods/_core/users/admins/create.php b/mods/_core/users/admins/create.php
@@ -15,6 +15,13 @@
 define('AT_INCLUDE_PATH', '../../../../include/');
 require(AT_INCLUDE_PATH.'vitals.inc.php');
 admin_authenticate(AT_ADMIN_PRIV_ADMIN);
+if($_SERVER['HTTP_REFERER'] != $_SERVER['PHP_SELF']){
+    $referer_script = preg_replace('#'.$_base_href.'#', '', $_SERVER['HTTP_REFERER']);
+    if(!in_array($_pages[$referer_script], $_pages)){
+    echo "not a valid referer";
+    exit;
+    }
+}
 
 if (isset($_POST['cancel'])) {
 	$msg->addFeedback('CANCELLED');