Added fixes to avoid users to be manipulated with invalid CSRF token
lucaderi committed Jan 12, 2017
1 parent ada218c commit 1b2ceac
Showing 4 changed files with 8 additions and 0 deletions.
2 changes: 2 additions & 0 deletions scripts/lua/admin/add_user.lua
Expand Up @@ -8,6 +8,7 @@ require "lua_utils"

sendHTTPHeader('text/html; charset=iso-8859-1')

if(_GET["csrf"] ~= nil) then
if(haveAdminPrivileges()) then
username = _GET["username"]
full_name = _GET["full_name"]
Expand All @@ -33,3 +34,4 @@ if(haveAdminPrivileges()) then
print ("{ \"result\" : -1, \"message\" : \"Error while adding new user\" }")
end
end
end
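Review bot: The new guard `if(_GET["csrf"] ~= nil) then` only tests that a `csrf` parameter is present in the query string, not that its value matches the token issued to the current session, so a cross-site request that carries any `csrf=` value is still accepted and the check adds no real CSRF protection; the identical guard is added in change_user_prefs.lua, delete_user.lua and password_reset.lua. The condition should compare the submitted value against the server-side expected token, e.g. `if(_GET["csrf"] ~= nil and _GET["csrf"] == <expected-session-csrf-token>) then`, where the right-hand side is whatever per-session token the application already stores (placeholder — its name is not visible on this page). The guard also has no `else` branch, so a request without the token returns an empty body instead of a `{ "result" : -1, ... }` error like the other failure paths in these scripts; an `else print ("{ \"result\" : -1, \"message\" : \"Invalid CSRF token\" }")` before the closing `end` would keep the response shape consistent for callers. Since these are state-changing actions driven entirely by `_GET`, the token ends up in URLs that can be logged or leaked via Referer, which a session-bound comparison mitigates but does not remove. The code between the two hunks of each file is outside this view.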
2 changes: 2 additions & 0 deletions scripts/lua/admin/change_user_prefs.lua
Expand Up @@ -8,6 +8,7 @@ require "lua_utils"

sendHTTPHeader('application/json')

if(_GET["csrf"] ~= nil) then
username = _GET["username"]
host_role = _GET["host_role"]
networks = _GET["networks"]
Expand Down Expand Up @@ -40,3 +41,4 @@ if(allowed_interface ~= nil) then
end

print ("{ \"result\" : 0, \"message\" : \"Parameters Updated\" }")
end
2 changes: 2 additions & 0 deletions scripts/lua/admin/delete_user.lua
Expand Up @@ -8,6 +8,7 @@ require "lua_utils"

sendHTTPHeader('text/html; charset=iso-8859-1')

if(_GET["csrf"] ~= nil) then
if(haveAdminPrivileges()) then
username = _GET["username"]

Expand All @@ -22,3 +23,4 @@ if(haveAdminPrivileges()) then
print ("{ \"result\" : -1, \"message\" : \"Error deleting user\" }")
end
end
end
2 changes: 2 additions & 0 deletions scripts/lua/admin/password_reset.lua
Expand Up @@ -8,6 +8,7 @@ require "lua_utils"

sendHTTPHeader('text/html; charset=iso-8859-1')

if(_GET["csrf"] ~= nil) then
username = _GET["username"]
old_password = _GET["old_password"]
new_password = _GET["new_password"]
Expand Down Expand Up @@ -36,3 +37,4 @@ if(ntop.resetUserPassword(_SESSION["user"], username, old_password, new_password
else
print ("{ \"result\" : -1, \"message\" : \"Unable to set the new user password: perhaps the old password was invalid ?\" }")
end
end
