From 72e51404e811fe02f3733197a3826d891738106e Mon Sep 17 00:00:00 2001
From: Harald Ponce de Leon
Date: Fri, 12 Dec 2008 13:32:10 +0000
Subject: [PATCH] Protect forms with a token ID that is assigned to a customers session.
---
 catalog/account_edit.php | 4 ++--
 catalog/account_newsletters.php | 4 ++--
 catalog/account_notifications.php | 4 ++--
 catalog/account_password.php | 4 ++--
 catalog/address_book_process.php | 8 ++++----
 catalog/checkout_payment.php | 2 +-
 catalog/checkout_payment_address.php | 4 ++--
 catalog/checkout_shipping.php | 4 ++--
 catalog/checkout_shipping_address.php | 4 ++--
 catalog/create_account.php | 7 +++++--
 catalog/includes/application_top.php | 6 ++++++
 catalog/includes/functions/html_output.php | 8 +++++++-
 catalog/login.php | 7 +++++--
 catalog/password_forgotten.php | 4 ++--
 catalog/product_reviews_write.php | 4 ++--
 catalog/tell_a_friend.php | 4 ++--
 16 files changed, 48 insertions(+), 30 deletions(-)
diff --git a/catalog/account_edit.php b/catalog/account_edit.php
index 48a4c685d..955bd4eec 100644
--- a/catalog/account_edit.php
+++ b/catalog/account_edit.php
@@ -20,7 +20,7 @@
 // needs to be included earlier to set the success message in the messageStack
 require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_ACCOUNT_EDIT);
- if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process')) {
+ if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) {
 if (ACCOUNT_GENDER == 'true') $gender = tep_db_prepare_input($HTTP_POST_VARS['gender']);
 $firstname = tep_db_prepare_input($HTTP_POST_VARS['firstname']);
 $lastname = tep_db_prepare_input($HTTP_POST_VARS['lastname']);
@@ -142,7 +142,7 @@ - +
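Review bot: The token check on the added `if` line compares the submitted `formid` with loose `==`, which in PHP coerces two numeric-looking strings before comparing (an md5 hex digest beginning `0e` followed only by digits compares equal to any other such digest); use `($HTTP_POST_VARS['formid'] === $sessiontoken)`, or `hash_equals($sessiontoken, $HTTP_POST_VARS['formid'])` where PHP 5.6+ is available. The same `==` appears in the corresponding checks in account_newsletters.php, account_notifications.php, account_password.php, address_book_process.php, checkout_payment_address.php, checkout_shipping.php, checkout_shipping_address.php, create_account.php, login.php, password_forgotten.php, product_reviews_write.php and tell_a_friend.php. A missing or mismatching token simply skips the `if` body and redisplays the form with no message and no log line, so a genuinely forged request and a stale session are indistinguishable to the customer and invisible to an operator; an `else` branch that reports the failure through `$messageStack` and writes a log entry would make the rejection observable. The `if` body continues past the hunk.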
-
diff --git a/catalog/account_newsletters.php b/catalog/account_newsletters.php index 45fd71e99..cac299969 100644 --- a/catalog/account_newsletters.php +++ b/catalog/account_newsletters.php @@ -23,7 +23,7 @@ $newsletter_query = tep_db_query("select customers_newsletter from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'"); $newsletter = tep_db_fetch_array($newsletter_query); - if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process')) { + if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { if (isset($HTTP_POST_VARS['newsletter_general']) && is_numeric($HTTP_POST_VARS['newsletter_general'])) { $newsletter_general = tep_db_prepare_input($HTTP_POST_VARS['newsletter_general']); } else { @@ -79,7 +79,7 @@ function checkBox(object) {
+
-
diff --git a/catalog/account_notifications.php b/catalog/account_notifications.php index 68182468e..bd93ad0bc 100644 --- a/catalog/account_notifications.php +++ b/catalog/account_notifications.php @@ -23,7 +23,7 @@ $global_query = tep_db_query("select global_product_notifications from " . TABLE_CUSTOMERS_INFO . " where customers_info_id = '" . (int)$customer_id . "'"); $global = tep_db_fetch_array($global_query); - if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process')) { + if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { if (isset($HTTP_POST_VARS['product_global']) && is_numeric($HTTP_POST_VARS['product_global'])) { $product_global = tep_db_prepare_input($HTTP_POST_VARS['product_global']); } else { @@ -105,7 +105,7 @@ function checkBox(object) {
+
-
diff --git a/catalog/account_password.php b/catalog/account_password.php index f36bc45cc..2109363bb 100644 --- a/catalog/account_password.php +++ b/catalog/account_password.php @@ -20,7 +20,7 @@ // needs to be included earlier to set the success message in the messageStack require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_ACCOUNT_PASSWORD); - if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process')) { + if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { $password_current = tep_db_prepare_input($HTTP_POST_VARS['password_current']); $password_new = tep_db_prepare_input($HTTP_POST_VARS['password_new']); $password_confirmation = tep_db_prepare_input($HTTP_POST_VARS['password_confirmation']); @@ -87,7 +87,7 @@
+
-
diff --git a/catalog/address_book_process.php b/catalog/address_book_process.php index 693526171..a6cb2019b 100644 --- a/catalog/address_book_process.php +++ b/catalog/address_book_process.php @@ -20,7 +20,7 @@ // needs to be included earlier to set the success message in the messageStack require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_ADDRESS_BOOK_PROCESS); - if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'deleteconfirm') && isset($HTTP_GET_VARS['delete']) && is_numeric($HTTP_GET_VARS['delete'])) { + if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'deleteconfirm') && isset($HTTP_GET_VARS['delete']) && is_numeric($HTTP_GET_VARS['delete']) && isset($HTTP_GET_VARS['formid']) && ($HTTP_GET_VARS['formid'] == md5($sessiontoken))) { tep_db_query("delete from " . TABLE_ADDRESS_BOOK . " where address_book_id = '" . (int)$HTTP_GET_VARS['delete'] . "' and customers_id = '" . (int)$customer_id . "'"); $messageStack->add_session('addressbook', SUCCESS_ADDRESS_BOOK_ENTRY_DELETED, 'success'); @@ -30,7 +30,7 @@ // error checking when updating or adding an entry $process = false; - if (isset($HTTP_POST_VARS['action']) && (($HTTP_POST_VARS['action'] == 'process') || ($HTTP_POST_VARS['action'] == 'update'))) { + if (isset($HTTP_POST_VARS['action']) && (($HTTP_POST_VARS['action'] == 'process') || ($HTTP_POST_VARS['action'] == 'update')) && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { $process = true; $error = false; @@ -270,7 +270,7 @@
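Review bot: The delete-confirm branch on the first changed line performs a state-changing action on a GET request, so its token (`md5($sessiontoken)`) travels in the query string and can end up in browser history, proxy and server logs, and the Referer header of any page the response links out to; moving the confirmation to a POST form carrying the plain token, checked the same way as the `process`/`update` branch in the second hunk, removes that exposure. Because the handler compares against `md5($sessiontoken)` rather than the session value itself, a leaked query string is sufficient on its own to replay the deletion for the lifetime of the session. If the GET path has to stay, a comment above it such as `// formid is md5($sessiontoken) here because the value is exposed in the URL; see tep_draw_form for the POST variant` would at least record why this check differs from every other one in the patch. The enclosing code continues outside both hunks.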
+ -
diff --git a/catalog/checkout_payment.php b/catalog/checkout_payment.php index e838d9911..6b5061fe1 100644 --- a/catalog/checkout_payment.php +++ b/catalog/checkout_payment.php @@ -138,7 +138,7 @@ function rowOutEffect(object) {
@@ -329,7 +329,7 @@ - +
' . tep_image_button('button_back.gif', IMAGE_BUTTON_BACK) . ''; ?>' . tep_image_button('button_delete.gif', IMAGE_BUTTON_DELETE) . ''; ?>' . tep_image_button('button_delete.gif', IMAGE_BUTTON_DELETE) . ''; ?>
+
-
diff --git a/catalog/checkout_payment_address.php b/catalog/checkout_payment_address.php index 1d1e49887..f4491cea8 100644 --- a/catalog/checkout_payment_address.php +++ b/catalog/checkout_payment_address.php @@ -28,7 +28,7 @@ $error = false; $process = false; - if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'submit')) { + if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'submit') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { // process a new billing address if (tep_not_null($HTTP_POST_VARS['firstname']) && tep_not_null($HTTP_POST_VARS['lastname']) && tep_not_null($HTTP_POST_VARS['street_address'])) { $process = true; @@ -263,7 +263,7 @@ function check_form_optional(form_name) {
+
-
diff --git a/catalog/checkout_shipping.php b/catalog/checkout_shipping.php index e0c54051e..666056e9b 100644 --- a/catalog/checkout_shipping.php +++ b/catalog/checkout_shipping.php @@ -95,7 +95,7 @@ } // process the selected shipping method - if ( isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process') ) { + if ( isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken) ) { if (!tep_session_is_registered('comments')) tep_session_register('comments'); if (tep_not_null($HTTP_POST_VARS['comments'])) { $comments = tep_db_prepare_input($HTTP_POST_VARS['comments']); @@ -205,7 +205,7 @@ function rowOutEffect(object) {
+
-
diff --git a/catalog/checkout_shipping_address.php b/catalog/checkout_shipping_address.php index 4b8c80ea3..77a099af1 100644 --- a/catalog/checkout_shipping_address.php +++ b/catalog/checkout_shipping_address.php @@ -41,7 +41,7 @@ $error = false; $process = false; - if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'submit')) { + if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'submit') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { // process a new shipping address if (tep_not_null($HTTP_POST_VARS['firstname']) && tep_not_null($HTTP_POST_VARS['lastname']) && tep_not_null($HTTP_POST_VARS['street_address'])) { $process = true; @@ -275,7 +275,7 @@ function check_form_optional(form_name) {
+
-
diff --git a/catalog/create_account.php b/catalog/create_account.php index 1c5cec06b..f078656f3 100644 --- a/catalog/create_account.php +++ b/catalog/create_account.php @@ -16,7 +16,7 @@ require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_CREATE_ACCOUNT); $process = false; - if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process')) { + if (isset($HTTP_POST_VARS['action']) && ($HTTP_POST_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { $process = true; if (ACCOUNT_GENDER == 'true') { @@ -226,6 +226,9 @@ tep_session_register('customer_country_id'); tep_session_register('customer_zone_id'); +// reset session token + $sessiontoken = md5(tep_rand() . tep_rand() . tep_rand() . tep_rand()); + // restore cart contents $cart->restore_contents(); @@ -274,7 +277,7 @@
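Review bot: The token reset in the `@@ -226,6 +226,9 @@` hunk assigns a fresh `$sessiontoken` after the new customer's session variables are registered, but whether that value reaches `$_SESSION` depends on `sessiontoken` having been bound by reference in application_top (the `extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS)` path visible there); if it is a copy instead, the old token would stay in the session and every later form check would fail, so this is worth confirming against `tep_session_register`, which is not in this diff. Rotating only the token leaves the session id itself unchanged at this privilege transition; unless it happens elsewhere, regenerating the session id here (and at the matching reset in login.php) is the usual mitigation for session fixation. A one-line comment such as `// issue a new token so one handed out before the account existed cannot be reused` would record the intent better than the bare `// reset session token`. The surrounding code continues outside the hunk.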
+
-
diff --git a/catalog/includes/application_top.php b/catalog/includes/application_top.php index 22d5dfdcc..cf2663512 100644 --- a/catalog/includes/application_top.php +++ b/catalog/includes/application_top.php @@ -199,6 +199,12 @@ extract($_SESSION, EXTR_OVERWRITE+EXTR_REFS); } +// initialize a session token + if (!tep_session_is_registered('sessiontoken')) { + $sessiontoken = md5(tep_rand() . tep_rand() . tep_rand() . tep_rand()); + tep_session_register('sessiontoken'); + } + // set SID once, even if empty $SID = (defined('SID') ? SID : ''); diff --git a/catalog/includes/functions/html_output.php b/catalog/includes/functions/html_output.php index 2ecd0d6ca..03e509e90 100644 --- a/catalog/includes/functions/html_output.php +++ b/catalog/includes/functions/html_output.php @@ -145,13 +145,19 @@ function tep_draw_separator($image = 'pixel_black.gif', $width = '100%', $height //// // Output a form - function tep_draw_form($name, $action, $method = 'post', $parameters = '') { + function tep_draw_form($name, $action, $method = 'post', $parameters = '', $tokenize = false) { + global $sessiontoken; + $form = ''; + } + return $form; } diff --git a/catalog/login.php b/catalog/login.php index 7676f7d04..28d349b5a 100644 --- a/catalog/login.php +++ b/catalog/login.php @@ -20,7 +20,7 @@ require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_LOGIN); $error = false; - if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) { + if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { $email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']); $password = tep_db_prepare_input($HTTP_POST_VARS['password']); 
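Review bot: The token seeded on the added `$sessiontoken = md5(tep_rand() . tep_rand() . tep_rand() . tep_rand());` line is only as unpredictable as `tep_rand()`, whose implementation is not in this diff; if it wraps `rand()`/`mt_rand()`, its output is predictable once the generator state is known and wrapping it in md5 adds no entropy, which would undermine the whole CSRF scheme. Derive the token from a cryptographic source instead (reading `/dev/urandom` on this era of PHP, `random_bytes()` on PHP 7+) and keep md5/`bin2hex` only as the encoding step. The same construction is repeated at the resets in create_account.php and login.php, so a small helper next to this initialisation would keep the three call sites in step and make a later change to the generator a one-line fix. The enclosing code continues outside the hunk.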
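Review bot: The new `$tokenize` parameter on `tep_draw_form` is undocumented and defaults to `false`, so every call site has to remember to opt in; a comment above the signature such as `// $tokenize: when true, also emit a hidden 'formid' field carrying $sessiontoken, which the receiving page must compare against the session value` would state the contract (the hidden-input markup itself did not survive the rendering of this hunk, so the field name is inferred from the handlers). Since protection is opt-in at the form and opt-in at the handler, a handler that gates on `formid` while its form was drawn without `$tokenize` fails silently, which argues for defaulting `$tokenize` to `true` for `post` forms. When `$sessiontoken` is interpolated into the attribute it should go through `htmlspecialchars`, so a future change to how the token is generated cannot break the markup. The function body is cut off in this hunk.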
@@ -54,6 +54,9 @@ tep_db_query("update " . TABLE_CUSTOMERS_INFO . " set customers_info_date_of_last_logon = now(), customers_info_number_of_logons = customers_info_number_of_logons+1 where customers_info_id = '" . (int)$customer_id . "'"); +// reset session token + $sessiontoken = md5(tep_rand() . tep_rand() . tep_rand() . tep_rand()); + // restore cart contents $cart->restore_contents(); @@ -101,7 +104,7 @@ function session_win() {
+
-
diff --git a/catalog/password_forgotten.php b/catalog/password_forgotten.php index 69813eb53..c6879adb4 100644 --- a/catalog/password_forgotten.php +++ b/catalog/password_forgotten.php @@ -14,7 +14,7 @@ require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_PASSWORD_FORGOTTEN); - if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) { + if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { $email_address = tep_db_prepare_input($HTTP_POST_VARS['email_address']); $check_customer_query = tep_db_query("select customers_firstname, customers_lastname, customers_password, customers_id from " . TABLE_CUSTOMERS . " where customers_email_address = '" . tep_db_input($email_address) . "'"); @@ -61,7 +61,7 @@
+
-
diff --git a/catalog/product_reviews_write.php b/catalog/product_reviews_write.php index 97b3c1962..8ce06292a 100644 --- a/catalog/product_reviews_write.php +++ b/catalog/product_reviews_write.php @@ -27,7 +27,7 @@ $customer_query = tep_db_query("select customers_firstname, customers_lastname from " . TABLE_CUSTOMERS . " where customers_id = '" . (int)$customer_id . "'"); $customer = tep_db_fetch_array($customer_query); - if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) { + if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { $rating = tep_db_prepare_input($HTTP_POST_VARS['rating']); $review = tep_db_prepare_input($HTTP_POST_VARS['review']); @@ -122,7 +122,7 @@ function popupWindow(url) {
+
-
diff --git a/catalog/tell_a_friend.php b/catalog/tell_a_friend.php index 059a8fe58..8527402ee 100644 --- a/catalog/tell_a_friend.php +++ b/catalog/tell_a_friend.php @@ -33,7 +33,7 @@ require(DIR_WS_LANGUAGES . $language . '/' . FILENAME_TELL_A_FRIEND); - if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process')) { + if (isset($HTTP_GET_VARS['action']) && ($HTTP_GET_VARS['action'] == 'process') && isset($HTTP_POST_VARS['formid']) && ($HTTP_POST_VARS['formid'] == $sessiontoken)) { $error = false; $to_email_address = tep_db_prepare_input($HTTP_POST_VARS['to_email_address']); @@ -115,7 +115,7 @@
+