Add the validation of the CSRF token. It is missing in some cases when it is sent by GET or POST.

2025-07-05 12:36:23 -07:00 · 2019-04-21 00:11:36 +02:00 · 2019-04-21 00:11:36 +02:00 · 7603cdea7a
commit 7603cdea7a
parent 2da2c539f1
9 changed files with 49 additions and 1 deletions
--- a/web/add/cron/autoupdate/index.php
+++ b/web/add/cron/autoupdate/index.php
@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
    exec (VESTA_CMD."v-add-cron-vesta-autoupdate", $output, $return_var);
    $_SESSION['error_msg'] = __('Autoupdate has been successfully enabled');
--- a/web/add/cron/reports/index.php
+++ b/web/add/cron/reports/index.php
@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 exec (VESTA_CMD."v-add-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully enabled');
 unset($output);
--- a/web/add/firewall/banlist/index.php
+++ b/web/add/firewall/banlist/index.php
@ -15,6 +15,12 @@ if ($_SESSION['user'] != 'admin') {
 // Check POST request
 if (!empty($_POST['ok'])) {

+    // Check token
+    if ((!isset($_POST['token'])) || ($_SESSION['token'] != $_POST['token'])) {
+        header('location: /login/');
+        exit();
+    }
+
    // Check empty fields
    if (empty($_POST['v_chain'])) $errors[] = __('banlist');
    if (empty($_POST['v_ip'])) $errors[] = __('ip address');
--- a/web/delete/cron/autoupdate/index.php
+++ b/web/delete/cron/autoupdate/index.php
@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
    exec (VESTA_CMD."v-delete-cron-vesta-autoupdate", $output, $return_var);
    $_SESSION['error_msg'] = __('Autoupdate has been successfully disabled');
--- a/web/delete/cron/reports/index.php
+++ b/web/delete/cron/reports/index.php
@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 exec (VESTA_CMD."v-delete-cron-reports ".$user, $output, $return_var);
 $_SESSION['error_msg'] = __('Cronjob email reporting has been successfully disabled');
 unset($output);
--- a/web/restart/service/index.php
+++ b/web/restart/service/index.php
@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
    if (!empty($_GET['srv'])) {
        if ($_GET['srv'] == 'iptables') {
--- a/web/restart/system/index.php
+++ b/web/restart/system/index.php
@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
    if (!empty($_GET['hostname'])) {
        exec (VESTA_CMD."v-restart-system yes", $output, $return_var);
--- a/web/templates/admin/list_services.html
+++ b/web/templates/admin/list_services.html
@ -54,7 +54,7 @@
          <div class="l-unit-toolbar__col l-unit-toolbar__col--right noselect">
            <div class="actions-panel clearfix">
              <div class="actions-panel__col actions-panel__configure shortcut-enter" key-action="href"><a href="/edit/server/"><?=__('configure')?> <i></i></a><span class="shortcut enter">&nbsp;&#8629;</span></div>
-              <div class="actions-panel__col actions-panel__restart shortcut-r" key-action="href"><a href="/restart/system/?hostname=<?php echo $sys['sysinfo']['HOSTNAME'] ?>"><?=__('restart')?> <i></i></a><span class="shortcut">&nbsp;R</span></div>
+              <div class="actions-panel__col actions-panel__restart shortcut-r" key-action="href"><a href="/restart/system/?hostname=<?php echo $sys['sysinfo']['HOSTNAME'] ?>&token=<?=$_SESSION['token']?>"><?=__('restart')?> <i></i></a><span class="shortcut">&nbsp;R</span></div>
            </div>
            <!-- /.actions-panel -->
          </div>
--- a/web/update/vesta/index.php
+++ b/web/update/vesta/index.php
@ -5,6 +5,12 @@ ob_start();
 session_start();
 include($_SERVER['DOCUMENT_ROOT']."/inc/main.php");

+// Check token
+if ((!isset($_GET['token'])) || ($_SESSION['token'] != $_GET['token'])) {
+    header('location: /login/');
+    exit();
+}
+
 if ($_SESSION['user'] == 'admin') {
    if (!empty($_GET['pkg'])) {
        $v_pkg = escapeshellarg($_GET['pkg']);