composer/iTop
6
0
Fork 0
mirror of https://github.com/Combodo/iTop.git synced 2026-02-12 23:14:18 +01:00
Code Issues Packages Projects Releases Wiki Activity

N°7124 - [SECU] Cross-Site Request Forgery (CSRF) in several iTop pages

Browse Source
This commit is contained in:
jf-cbd
2024-06-06 17:10:49 +02:00
parent be3e55acee
commit 9d1c66296b
3 changed files with 18 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
pages/ajax.render.php
View File

@@ -27,6 +27,16 @@ use Combodo\iTop\Service\TemporaryObjects\TemporaryObjectManager;
require_once('../approot.inc.php');
// check if header contains X-Combodo-Ajax for POST request (CSRF protection for ajax calls)
if (!isset($_SERVER['HTTP_X_COMBODO_AJAX']) && $_SERVER['REQUEST_METHOD'] === 'POST') {
$sReferer = utils::HtmlEntities($_SERVER['HTTP_REFERER']);
IssueLog::Error("Unprotected ajax call from: $sReferer", 'SECURITY');
header('HTTP/1.1 401 Unauthorized');
die('Unauthorized access. Please see https://www.itophub.io/wiki/page?id=3_2_0:release:developer#checking_for_the_presence_of_specific_header_in_the_post_to_enhance_protection_against_csrf_attacks');
}
function LogErrorMessage($sMsgPrefix, $aContextInfo) {
$sCurrentUserLogin = UserRights::GetUser();
$sContextInfo = urldecode(http_build_query($aContextInfo, '', ', '));