
Commit 1b2ceac

committed
Added fixes to avoid users to be manipulated with invalid CSRF token
1 parent ada218c commit 1b2ceac


4 files changed

+8
-0
lines changed


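--- a/scripts/lua/admin/add_user.lua
+++ b/scripts/lua/admin/add_user.lua
@@ -8,6 +8,7 @@ require "lua_utils"
 
 sendHTTPHeader('text/html; charset=iso-8859-1')
 
+if(_GET["csrf"] ~= nil) then
 if(haveAdminPrivileges()) then
 username = _GET["username"]
 full_name = _GET["full_name"]
@@ -33,3 +34,4 @@ if(haveAdminPrivileges()) then
 print ("{ \"result\" : -1, \"message\" : \"Error while adding new user\" }")
 end
 end
+end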
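Review bot: The guard added at new line 11 only tests that a `csrf` parameter is present, not that its value matches the token issued to the current session, so a cross-site request that simply includes some `csrf` value still reaches the add-user path; the same presence-only check is added in change_user_prefs.lua, delete_user.lua and password_reset.lua. The check needs to compare the submitted value with the server-side expected token, along the lines of `if(_GET["csrf"] ~= nil and _GET["csrf"] == EXPECTED_SESSION_CSRF) then`, where EXPECTED_SESSION_CSRF is a placeholder for wherever this project stores the token it handed out (not visible on this page). The new wrapper also has no `else` branch, so a request without the parameter gets a header and an empty body; an `else print ("{ \"result\" : -1, \"message\" : \"Invalid CSRF token\" }")` before the final `end` would keep the JSON contract the rest of the script follows. The wrapped script body continues between the two hunks, outside the view.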

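--- a/scripts/lua/admin/change_user_prefs.lua
+++ b/scripts/lua/admin/change_user_prefs.lua
@@ -8,6 +8,7 @@ require "lua_utils"
 
 sendHTTPHeader('application/json')
 
+if(_GET["csrf"] ~= nil) then
 username = _GET["username"]
 host_role = _GET["host_role"]
 networks = _GET["networks"]
@@ -40,3 +41,4 @@ if(allowed_interface ~= nil) then
 end
 
 print ("{ \"result\" : 0, \"message\" : \"Parameters Updated\" }")
+end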

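--- a/scripts/lua/admin/delete_user.lua
+++ b/scripts/lua/admin/delete_user.lua
@@ -8,6 +8,7 @@ require "lua_utils"
 
 sendHTTPHeader('text/html; charset=iso-8859-1')
 
+if(_GET["csrf"] ~= nil) then
 if(haveAdminPrivileges()) then
 username = _GET["username"]
 
@@ -22,3 +23,4 @@ if(haveAdminPrivileges()) then
 print ("{ \"result\" : -1, \"message\" : \"Error deleting user\" }")
 end
 end
+end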

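--- a/scripts/lua/admin/password_reset.lua
+++ b/scripts/lua/admin/password_reset.lua
@@ -8,6 +8,7 @@ require "lua_utils"
 
 sendHTTPHeader('text/html; charset=iso-8859-1')
 
+if(_GET["csrf"] ~= nil) then
 username = _GET["username"]
 old_password = _GET["old_password"]
 new_password = _GET["new_password"]
@@ -36,3 +37,4 @@ if(ntop.resetUserPassword(_SESSION["user"], username, old_password, new_password
 else
 print ("{ \"result\" : -1, \"message\" : \"Unable to set the new user password: perhaps the old password was invalid ?\" }")
 end
+end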
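Review bot: The token read at new line 11 comes from `_GET`, the same query-string table that supplies `old_password` and `new_password` on lines 13-14, so the anti-CSRF token and both credentials travel in the URL and end up in access logs, proxies and browser history, which weakens the token the commit introduces. If the request layer exposes a request-body table for POST parameters, this script (and the other three touched here) should read the token and the passwords from it rather than from `_GET`; the page does not show whether such a table exists, so this is a question for the server-side API. The section between the two hunks is outside the view.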
