Added CSFR-token to delete-URLs (#679)

View #670 for full vulnerability disclosure.
This commit is contained in:
Tim 2018-11-22 01:50:32 +01:00 committed by GitHub
parent 267002ba20
commit 3524aaa782
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
9 changed files with 39 additions and 8 deletions


@ -5,6 +5,10 @@ Changelog
Not yet released
----------------
v3.3.2 (released November 22, 2018)
--------------------------------
* #679: Fixed CSRF vulnerability, added CSRF-token to delete-URLs.
v3.3.1 (released August 10, 2018)
--------------------------------


@ -5,7 +5,7 @@ PHP Server Monitor
:alt: Join the chat at https://gitter.im/erickrf/nlpnet
:target: https://gitter.im/phpservermon/phpservermon
Version 3.3.0
Version 3.3.2
PHP Server Monitor is a script that checks whether your websites and servers are up and running.


@ -29,7 +29,7 @@
/**
* Current PSM version
*/
define('PSM_VERSION', '3.3.1');
define('PSM_VERSION', '3.3.2');
/**
* URL to check for updates. Will not be checked if turned off on config page.


@ -175,6 +175,25 @@ class Router {
}
}
}
if ($request->getMethod() == 'GET' && $request->query->get('action', '') == "delete") {
// require CSRF token for all GET calls that delete something
$session = $this->container->get('user')->getSession();
$token_in = $request->query->get('csrf', '');
$csrf_key = $controller->getCSRFKey();
if (empty($csrf_key)) {
if (!hash_equals($session->get('csrf_token'), $token_in)) {
throw new \InvalidArgumentException('invalid_csrf_token');
}
} else {
if (!hash_equals(
hash_hmac('sha256', $csrf_key, $session->get('csrf_token2')),
$token_in
)) {
throw new \InvalidArgumentException('invalid_csrf_token');
}
}
}
// get min required level for this controller and make sure the user matches
$min_lvl = $controller->getMinUserLevelRequired();
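Review bot: Both `hash_equals()` calls pass the raw session value as the first argument, so if `$session->get('csrf_token')` / `$session->get('csrf_token2')` yields `null` for a session that has not been issued a token yet, the comparison ends in a TypeError on PHP 8 (a warning plus `false` on PHP 7) rather than the intended `invalid_csrf_token` exception; casting both sides, `if (!hash_equals((string) $session->get('csrf_token'), (string) $token_in)) {`, keeps the failure path uniform and still fails closed. The guard is also keyed on `$request->getMethod() == 'GET'` and `action` read from `$request->query`, so a delete reached through another method or parameter source is not covered by this block — presumably such paths are handled elsewhere, but worth confirming, and both loose `==` comparisons should be `===`. Because the token is carried in the query string it will appear in access logs and outgoing Referer headers; moving deletes to POST with the existing `csrf_input()` hidden field would remove that exposure longer term. The method that contains this check starts and ends outside the hunk.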


@ -1,3 +1,7 @@
{% macro csrf_input() %}
<input type="hidden" name="csrf" value="{{ csrf_token(csrf_key|default('')) }}" />
{% endmacro %}
{% macro csrf_query() %}
&csrf={{ csrf_token(csrf_key|default('')) }}
{% endmacro %}
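Review bot: `csrf_query()` hard-codes a leading `&`, so it only produces a valid URL when appended to a `url_delete` that already carries a query string, and that precondition is not stated anywhere in the macro; a one-line comment above it, `{# append only to a URL that already has a query string; emits &csrf=<token> #}`, would save the next caller from producing `/path&csrf=...`. The same literal `&` lands unescaped inside `href` attributes in every template that now calls the macro (the server, log, detail and user lists in this commit); browsers tolerate it, but `&amp;` is the well-formed HTML spelling and the cheaper fix is inside the macro, `&amp;csrf={{ csrf_token(csrf_key|default('')) }}`. Whether `csrf_key` is actually set in the contexts rendering those templates cannot be seen from this hunk; if it is not, the `|default('')` silently falls back to the unkeyed token, which the router then checks against a different session value.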


@ -1,5 +1,6 @@
{% import 'main/macros.tpl.html' as macro %}
{% if has_admin_actions %}
<a class="btn btn-danger show-modal" href="{{ url_delete|raw }}" title="Delete" data-modal-id="delete" data-modal-param="{{ label }}">
<a class="btn btn-danger show-modal" href="{{ url_delete|raw }}{{ macro.csrf_query() }}" title="Delete" data-modal-id="delete" data-modal-param="{{ label }}">
<i class="icon-trash icon-white"></i>&nbsp;{{ label_clear_log }}
</a>
<br><br>


@ -1,3 +1,4 @@
{% import 'main/macros.tpl.html' as macro %}
<table class="table table-bordered table-striped">
<thead>
<tr>
@ -39,7 +40,7 @@
<a class="btn btn-small" href="{{ server.url_view|raw }}"><i class="icon-chart"></i></a>
{% if user_level == 10 %}
<a class="btn btn-small" href="{{ server.url_edit|raw }}" title="{{ label_edit }}"><i class="icon-pencil"></i></a>
<a class="btn btn-small btn-danger show-modal" href="{{ server.url_delete|raw }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ server.label }}"><i class="icon-remove icon-white"></i></a>
<a class="btn btn-small btn-danger show-modal" href="{{ server.url_delete|raw }}{{ macro.csrf_query() }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ server.label }}"><i class="icon-remove icon-white"></i></a>
{% endif %}
</div>
</td>
@ -53,7 +54,7 @@
&nbsp;<a class="btn btn-small" href="{{ server.url_view|raw }}"><i class="icon-chart"></i></a>
{% if user_level == 10 %}
<a class="btn btn-small" href="{{ server.url_edit|raw }}" title="{{ label_edit }}"><i class="icon-pencil"></i></a>
<a class="btn btn-small btn-danger show-modal" href="{{ server.url_delete|raw }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ server.label }}"><i class="icon-remove icon-white"></i></a>
<a class="btn btn-small btn-danger show-modal" href="{{ server.url_delete|raw }}{{ macro.csrf_query() }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ server.label }}"><i class="icon-remove icon-white"></i></a>
{% endif %}
</div>
</div>


@ -1,3 +1,4 @@
{% import 'main/macros.tpl.html' as macro %}
<table class="table table-bordered">
<colgroup>
<col class="oce-first" />
@ -100,7 +101,7 @@
<a class="btn btn-success" href="{{ url_edit|raw }}">
<i class="icon-edit icon-white"></i>&nbsp;{{ label_edit }}
</a>
<a class="btn btn-danger show-modal" href="{{ url_delete|raw }}" data-modal-id="delete" data-modal-param="{{ label }}">
<a class="btn btn-danger show-modal" href="{{ url_delete|raw }}{{ macro.csrf_query() }}" data-modal-id="delete" data-modal-param="{{ label }}">
<i class="icon-remove icon-white"></i>&nbsp;{{ label_delete }}
</a>
</td>


@ -1,3 +1,4 @@
{% import 'main/macros.tpl.html' as macro %}
<table class="table table-bordered table-striped">
<thead>
<tr>
@ -33,7 +34,7 @@
<a class="btn btn-small" href="{{ user.url_edit|raw }}" title="{{ user.label_edit }}">
<i class="icon-pencil"></i>
</a>
<a class="btn btn-small btn-danger show-modal" href="{{ user.url_delete|raw }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ user.user_name }}">
<a class="btn btn-small btn-danger show-modal" href="{{ user.url_delete|raw }}{{ macro.csrf_query() }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ user.user_name }}">
<i class="icon-remove icon-white"></i>
</a>
</div>
@ -56,7 +57,7 @@
<a class="btn btn-small" href="{{ user.url_edit|raw }}" title="{{ label_edit }}">
<i class="icon-pencil"></i>
</a>
<a class="btn btn-small btn-danger show-modal" href="{{ user.url_delete|raw }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ user.user_name }}">
<a class="btn btn-small btn-danger show-modal" href="{{ user.url_delete|raw }}{{ macro.csrf_query() }}" title="{{ label_delete }}" data-modal-id="delete" data-modal-param="{{ user.user_name }}">
<i class="icon-remove icon-white"></i>
</a>
</td>