

Bugfix: XSS in print-user.php, CSRF in user-edit.php. Fixes #2326
GaryAllan committed Dec 1, 2018
1 parent ee5ef63 commit 552fbb0
Showing 8 changed files with 21 additions and 1 deletion.
2 changes: 1 addition & 1 deletion app/admin/users/print-user.php
Expand Up @@ -133,7 +133,7 @@
</tr>
<tr>
<td><?php print _('Theme'); ?></td>
<td><?php print $user->theme=="" ? _("Default") : $user->theme ?></td>
<td><?php print $user->theme=="" ? _("Default") : escape_input($user->theme) ?></td>
</tr>
<tr>
<td><?php print _('Compress override'); ?></td>
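Review bot: The new escape_input() call protects only the Theme cell, and the theme value can presumably also be written by the admin-side user editor, which this commit does not touch; the server-side allowlist added in user-edit.php guards the self-service path only, so this output escaping is the sole defence if an admin account sets an arbitrary theme string. escape_input() is a project helper whose escaping rules are not visible here; it is adequate for this text-node context, but if it does not use ENT_QUOTES it should not be reused for attribute values elsewhere in this table. The table row and the enclosing HTML block continue outside the hunk.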
1 change: 1 addition & 0 deletions app/tools/user-menu/2fa.php
Expand Up @@ -49,6 +49,7 @@
<?php } ?>
</tr>
</table>
<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
</form>

<!-- result -->
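Review bot: The token in the new hidden field is written with a bare `print $csrf` inside a double-quoted attribute value, with no escaping. The value comes from $User->Crypto->csrf_cookie("create", ...) in index.php and is presumably hex or base64, in which case this is harmless, but the generator is not visible in this diff; escaping costs nothing and keeps the template safe if the token format ever changes: `<input type="hidden" name="csrf_cookie" value="<?php print escape_input($csrf); ?>">`. If this fragment is ever included by a path that does not run user-menu/index.php, $csrf is undefined and the field is emitted empty, which fails closed at 2fa_save.php but with a misleading "Invalid CSRF cookie" message. The form element this input belongs to opens outside the hunk.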
3 changes: 3 additions & 0 deletions app/tools/user-menu/2fa_save.php
Expand Up @@ -20,6 +20,9 @@
# verify that user is logged in
$User->check_user_session();

# validate csrf cookie
$User->Crypto->csrf_cookie ("validate", "user-menu", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";

# change ?
if(@$_POST['2fa']=="1" && $User->user->{'2fa'}=="1") {
$Result->show("info", _("No change"), true);
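Review bot: The new validation line reads `$_POST['csrf_cookie']` unconditionally, so a POST that lacks the field raises an undefined-index notice before csrf_cookie() gets to reject it; a guard keeps the rejection path quiet: `$csrf_post = isset($_POST['csrf_cookie']) ? $_POST['csrf_cookie'] : "";` and pass `$csrf_post` to the validate call. The statement-as-ternary with an empty string in the false branch is hard to read and relies on Result->show(..., true) terminating the script, which the file's other calls also assume; an explicit `if ($User->Crypto->csrf_cookie("validate", "user-menu", $csrf_post) === false) { $Result->show("danger", _("Invalid CSRF cookie"), true); }` says the same thing plainly. Whether csrf_cookie("validate", ...) compares the submitted token with hash_equals() is not visible here and worth confirming. The remainder of 2fa_save.php, where the 2FA flag is actually changed, is outside the hunk.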
1 change: 1 addition & 0 deletions app/tools/user-menu/account.php
Expand Up @@ -216,6 +216,7 @@
</tr>

</table>
<input type="hidden" name="csrf_cookie" value="<?php print $csrf; ?>">
</form>


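Review bot: As in the 2fa.php form, the hidden csrf_cookie field prints `$csrf` unescaped inside an attribute value. Unless the token generator is known to emit only attribute-safe characters (it is not visible in this diff), use `value="<?php print escape_input($csrf); ?>"` so the template does not silently depend on that invariant. The <form> this input belongs to opens outside the hunk.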
3 changes: 3 additions & 0 deletions app/tools/user-menu/index.php
Expand Up @@ -7,6 +7,9 @@
# verify that user is logged in
$User->check_user_session();

# create csrf token
$csrf = $User->Crypto->csrf_cookie ("create", "user-menu");

# fetch all languages
$langs = $User->fetch_langs();

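Review bot: The comment `# create csrf token` does not say who consumes the token, and that relationship is spread over four files in this commit; a one-liner saves the next reader a search: `# create csrf token: emitted as hidden csrf_cookie field by account.php / 2fa.php, validated in user-edit.php / 2fa_save.php`. Whether "create" regenerates the stored value on every load, so that opening the user menu in a second tab invalidates a form already open in the first, is not visible here and worth confirming. The rest of index.php is outside the hunk.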
8 changes: 8 additions & 0 deletions app/tools/user-menu/user-edit.php
Expand Up @@ -20,6 +20,9 @@
# verify that user is logged in
$User->check_user_session();

# validate csrf cookie
$User->Crypto->csrf_cookie ("validate", "user-menu", $_POST['csrf_cookie']) === false ? $Result->show("danger", _("Invalid CSRF cookie"), true) : "";

# verify email
if(!filter_var($_POST['email'], FILTER_VALIDATE_EMAIL)) { $Result->show("danger alert-absolute", _('Email not valid!'), true); }

Expand All @@ -35,6 +38,11 @@
if (!$Password_check->validate ($_POST['password1'])) { $Result->show("danger alert-danger ", _('Password validation errors').":<br> - ".implode("<br> - ", $Password_check->get_errors ()), true); }
}

# Verify Theme
if (!empty($_POST['theme'])) {
if (!in_array($_POST['theme'], ['default', 'white', 'dark'])) { $Result->show("danger alert-absolute", _('Invalid theme'), true); }
}

# set override
$_POST['compressOverride'] = @$_POST['compressOverride']=="Uncompress" ? "Uncompress" : "default";

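Review bot: The theme allowlist check in the second hunk uses `in_array` without the strict flag; $_POST values are always strings so loose comparison is not exploitable here, but `in_array($_POST['theme'], ['default', 'white', 'dark'], true)` removes the question for the next reader. The CSRF validation in the first hunk reads `$_POST['csrf_cookie']` without isset(), producing a notice on a request that lacks the field; `isset($_POST['csrf_cookie']) ? $_POST['csrf_cookie'] : ""` keeps the rejection path quiet. The allowlist is hardcoded in this handler while the <select> that offers the themes lives in the form (not in this diff), so the two can drift; a shared list is worth considering. The call that writes the validated $_POST values to the user record is outside the hunk.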
3 changes: 3 additions & 0 deletions app/tools/user-menu/user-widgets-set.php
Expand Up @@ -14,6 +14,9 @@
$Result = new Result;
$User = new User ($Database);

# verify that user is logged in
$User->check_user_session();

/* save widgets */
if (!$User->self_update_widgets ($_POST['widgets'])) { $Result->show("danger", _('Error updating'),true); }
else { $Result->show("success", _('Widgets updated'),true); }
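Review bot: The added check_user_session() closes the unauthenticated path, but user-widgets-set.php still writes `$_POST['widgets']` through self_update_widgets() with no CSRF token, unlike user-edit.php and 2fa_save.php in this same commit. Since this is per-user state changed by a POST, the same `$User->Crypto->csrf_cookie("validate", "user-menu", ...)` check belongs here, together with the hidden csrf_cookie field in whichever form posts to this script (that form is not in the diff). The top of the file, where $Database is set up, is outside the hunk.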
1 change: 1 addition & 0 deletions misc/CHANGELOG
Expand Up @@ -50,6 +50,7 @@
+ Hide SNMP community (#2197);
+ Hide LDAP/AD/Radius username / password and secret from logs and syslog (#2006);
+ XSS in phpipamredirect cookie (#2338);
+ XSS in print-user.php, CSRF in user-edit.php (#2326);

== 1.3.2

