N°7124 - [SECU] Cross-Site Request Forgery (CSRF) in several iTop pages (finalize implementation)

jf-cbd
2024-06-07 14:18:14 +02:00
parent d4b342a35d
commit 98f946c871
10 changed files with 31 additions and 22 deletions


@@ -29,12 +29,12 @@ require_once('../approot.inc.php');
// check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)
/*if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
$sReferer = utils::HtmlEntities($_SERVER['HTTP_REFERER']);
IssueLog::Error("Unprotected ajax call from: $sReferer", 'SECURITY');
header('HTTP/1.1 401 Unauthorized');
die('Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks');
}*/
}
function LogErrorMessage($sMsgPrefix, $aContextInfo) {