5566 check to make sure user is not being created via CSRF remote form
atutorlangs committed Feb 22, 2015
1 parent a0142dd commit 0ee8273
Showing 1 changed file with 8 additions and 0 deletions.
8 changes: 8 additions & 0 deletions mods/_core/users/create_user.php
@@ -15,6 +15,14 @@
define('AT_INCLUDE_PATH', '../../../include/');
require(AT_INCLUDE_PATH.'vitals.inc.php');
admin_authenticate(AT_ADMIN_PRIV_USERS);
// Prevent remote access via CSRF: 5566
if($_SERVER['HTTP_REFERER'] != $_SERVER['PHP_SELF']){
$referer_script = preg_replace('#'.$_base_href.'#', '', $_SERVER['HTTP_REFERER']);
if(!in_array($_pages[$referer_script], $_pages)){
echo "not a valid referer";
exit;
}
}

if (isset($_POST['cancel'])) {
header('Location: '.AT_BASE_HREF.'mods/_core/users/users.php');
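Review bot: The lookup on the `if(!in_array($_pages[$referer_script], $_pages))` line tests whether the page record is a *value* of `$_pages` instead of whether `$referer_script` is a *key*, and `$_base_href` is interpolated into the pattern unescaped, so a `#` or any regex metacharacter in the base URL breaks both the stripping and the lookup; the outer `HTTP_REFERER != PHP_SELF` comparison also matches a full URL against a script path, so in practice it never short-circuits. When the Referer header is absent (privacy settings, some cross-scheme navigations) `$_SERVER['HTTP_REFERER']` is undefined, which raises a notice and then blocks the request, so that case should be handled explicitly rather than by accident. A Referer check is at best a secondary defence; the usual fix is a per-session anti-CSRF token embedded in the form and verified on the POST, with this check kept as defence in depth. `$_base_href` and `$_pages` are defined outside the hunk (presumably in vitals.inc.php), so the key shape of `$_pages` should be confirmed there — if its keys are bare script paths, a referer carrying a query string would also need it stripped before the lookup.
```php
// Prevent remote access via CSRF: 5566
$referer = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';
$referer_script = preg_replace('#^'.preg_quote($_base_href, '#').'#', '', $referer);
if ($referer === '' || !isset($_pages[$referer_script])) {
    echo "not a valid referer";
    exit;
}
// … unchanged: cancel handling …
```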
