kienan
/
AlternC
mirror of https://github.com/kienanstewart/AlternC.git
1
0
Fork 0
Code Issues Releases Wiki Activity

[wip] securing *all* forms through CSRF management (requires a new table)

This commit is contained in:
Benjamin Sonntag 2016-05-20 14:21:47 +02:00
parent d9bdfaf1ac
commit 6043e9c3d7
67 changed files with 112 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
bureau/admin/adm_add.php Normal file → Executable file
View File

@ -60,7 +60,7 @@ if (isset($error) && $error) {
}
?>
<form method="post" action="adm_doadd.php" id="main" name="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/adm_authip_whitelist.php Normal file → Executable file
View File

@ -44,6 +44,7 @@ $list_ip = $authip->list_ip_whitelist();
<legend><?php __("Add an IP");?> - <a href="javascript:edit_ip('','<?php echo htmlentities(get_remote_ip())."','Home IP'";?>);" ><?php echo __("Add my current IP"); ?></a></legend>
<span id="form_add_ip">
<form method="post" action="adm_authip_whitelist.php" name="main" id="main">
<?php csrf_get(); ?>
<p id="reset_edit_ip" style="display:none;"><a href="javascript:reset_edit_ip();"><?php __("Cancel edit")?></a></p>
<input type="hidden" name="id" value="" id="edit_id" />
<p>

1
bureau/admin/adm_deactivate.php Normal file → Executable file
View File

@ -69,6 +69,7 @@ if (! ($confirmed ) ) {
?>
<form action="<?php echo $_SERVER['PHP_SELF'];?>" method="POST">
<?php csrf_get(); ?>
<input type="hidden" name="uid" value="<?php echo $uid?>" />
<?php __("Redirection URL:") ?> <input type="text" name="redirect" class="int" value="http://example.com/" />
<input type="submit" name="submit" class="inb" value="<?php __("Confirm")?>" />

3
bureau/admin/adm_defquotas.php Normal file → Executable file
View File

@ -59,6 +59,7 @@ if (isset($error) && $error) {
}
?>
<form method="post" action="adm_dodefquotas.php">
<?php csrf_get(); ?>
<p>
<input type="hidden" name="action" value="add" />
<input type="text" name="type" class="int" />
@ -69,6 +70,7 @@ if (isset($error) && $error) {
<?php
?>
<form method="post" action="adm_dodefquotas.php">
<?php csrf_get(); ?>
<table border="0" cellpadding="4" cellspacing="0">
<tr class="lst">
<td>
@ -90,6 +92,7 @@ foreach($quota->listtype() as $type) {
<span class="inb"><a href="adm_defquotas.php?synchronise=1"><?php __("Synchronise user's quota (only to upper value)"); ?></a></span>
<form method="post" action="adm_dodefquotas.php">
<?php csrf_get(); ?>
<div>
<input type="hidden" name="action" value="modify" />
<?php

1
bureau/admin/adm_dodefquotas.php Normal file → Executable file
View File

@ -66,6 +66,7 @@ if($action == "add") {
<h3><?php printf(_("Deleting quota %s"),$type); ?> : </h3>
<form action="adm_dodefquotas.php" method="post">
<?php csrf_get(); ?>
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="type" value="<?php echo $type ?>" />
<input type="hidden" name="del_confirm" value="y" />

1
bureau/admin/adm_dodel.php Normal file → Executable file
View File

@ -67,6 +67,7 @@ if($del_confirm == "y"){
<body>
<h3><?php printf(_("Deleting users")); ?> : </h3>
<form action="adm_dodel.php" method="post">
<?php csrf_get(); ?>
<input type="hidden" name="action" value="delete" />
<input type="hidden" name="del_confirm" value="y" />
<p class="alert alert-warning"><?php __("WARNING : Confirm the deletion of the users"); ?></p>

1
bureau/admin/adm_doms.php Normal file → Executable file
View File

@ -65,6 +65,7 @@ $c=$admin->dom_list(true,$forcecheck);
<?php __("If you want to force the check of NS, MX, IP on domains, click the link"); ?> <a href="adm_doms.php?force=1"><?php __("Show domain list with refreshed checked NS, MX, IP information"); ?></a>
</p>
<form method="post" action="adm_dodom.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlist" id="dom_list_table">
<thead>
<tr><th></th><th><?php __("Action"); ?></th><th><?php __("Domain"); ?></th><th><?php __("Creator"); ?></th><th><?php __("Connect as"); ?></th><th><?php __("OK?"); ?></th><th><?php __("Status"); ?></th></tr>

1
bureau/admin/adm_doms_def_type.php Normal file → Executable file
View File

@ -43,6 +43,7 @@ if (!empty($domup)) {
$tab = $dom->lst_default_subdomains();
?>
<form method="post" action="adm_doms_def_type.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlist">
<tr><th>&nbsp;</th><th><?php __("Sub"); ?></th><th><?php __("Type"); ?></th><th><?php __("settings"); ?></th><th><?php __("Concerned"); ?></th><th><?php __("Activation"); ?></th></tr>
<?php for ($i = 0; $i < count($tab) + 1; $i++) { ?>

1
bureau/admin/adm_domstypeedit.php Normal file → Executable file
View File

@ -68,6 +68,7 @@ if (isset($error_edit) && $error_edit) {
} ?>
<form action="adm_domstypedoedit.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="name" value="<?php echo $d['name']; ?>" />
<table class="tedit">
<tr>

3
bureau/admin/adm_edit.php Normal file → Executable file
View File

@ -63,7 +63,7 @@ if (!$r=$admin->get($uid)) {
}
?>
<form method="post" action="adm_doedit.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />
@ -136,6 +136,7 @@ if (!$r=$admin->get($uid)) {
<?php if($r['duration']) { ?>
<form method="post" action="adm_dorenew.php">
<?php csrf_get(); ?>
<input type="hidden" name="uid" value="<?php echo $uid ?>" />
<table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr>

2
bureau/admin/adm_email.php Normal file → Executable file
View File

@ -57,7 +57,7 @@ if (isset($error) && $error) {
?>
<form method="post" action="adm_email.php">
<?php csrf_get(); ?>
<table cellspacing="1" cellpadding="4" border="0" align="center" class='tedit'>
<tr>
<th align="right"><b><?php __("From");?></b></th>

2
bureau/admin/adm_list.php Normal file → Executable file
View File

@ -89,6 +89,7 @@ if ($mem->user["admlist"] == 0) { // Normal (large) mode
<fieldset style="clear:both;">
<legend><?php __("Filters"); ?></legend>
<form method="post" action="adm_list.php">
<?php csrf_get(); ?>
<p>
<label>
<input type="radio" name="pattern_type" value="login" id="pattern_type_login" <?php if (!$pattern_type || $pattern_type === 'login') echo ' checked="checked" '; ?>/>
@ -149,6 +150,7 @@ if (!is_array($accountList) || empty($accountList)) {
?>
<form method="post" action="adm_dodel.php">
<?php csrf_get(); ?>
<?php
// Depending on the admin's choice, let's show a short list or a long list.

2
bureau/admin/adm_mxaccount.php Normal file → Executable file
View File

@ -91,7 +91,7 @@ for($i=0;$i<count($c);$i++) { ?>
<?php } ?>
<p><?php __("If you want to allow a new server to access your mx-hosted domain list, give him an account."); ?></p>
<form method="post" action="adm_mxaccount.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/adm_passpolicy.php Normal file → Executable file
View File

@ -84,6 +84,7 @@ if (!empty($edit)) {
<p><b><?php echo $c[$edit]["description"]; ?></b></p>
<form method="post" action="adm_passpolicy.php">
<?php csrf_get(); ?>
<input type="hidden" name="doedit" value="<?php echo $edit; ?>"/>
<table class="tlist">
<tr>

1
bureau/admin/adm_quotaedit.php Normal file → Executable file
View File

@ -63,6 +63,7 @@ $mem->unsu();
}
?>
<form method="post" action="adm_quotadoedit.php">
<?php csrf_get(); ?>
<table class="tedit">
<tr><th><input type="hidden" name="uid" value="<?php echo $uid ?>" />
<?php __("Username"); ?></th><td colspan="3"><code><big><?php echo $us["login"]; ?></big></code>&nbsp;</td></tr>

3
bureau/admin/adm_slavedns.php Normal file → Executable file
View File

@ -110,6 +110,7 @@ if (is_array($c)) { ?>
<p><?php __("If you want to allow an ip address or class to connect to your dns server, enter it here. Choose 32 as a prefix for single ip address."); ?></p>
<form method="post" action="adm_slavedns.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tedit">
<tr><th><label for="newip"><?php __("IP Address"); ?></label></th><th><label for="newclass"><?php __("Prefix"); ?></label></th></tr>
<tr>
@ -154,7 +155,7 @@ if (is_array($c)) { ?>
<p><?php __("If you want to allow a new server to access your domain list, give him an account."); ?></p>
<form method="post" action="adm_slavedns.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/adm_tld.php Normal file → Executable file
View File

@ -69,6 +69,7 @@ $c=$admin->listtld();
</p>
<p><span class="ina"><a href="adm_tldadd.php"><?php __("Add a new TLD"); ?></a></span></p>
<form method="post" action="adm_tld.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlist">
<tr><th colspan="2"> </th><th><?php __("TLD"); ?></th><th><?php __("Allowed Mode"); ?></th></tr>
<?php

2
bureau/admin/adm_tldadd.php Normal file → Executable file
View File

@ -60,7 +60,7 @@ include_once ("head.php");
</p>
<form method="post" action="adm_tlddoadd.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tedit">
<tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><input type="text" id="tld" name="tld" class="int" value="<?php ehe( (isset($tld)?$tld:'') ); ?>" size="20" maxlength="64" /></td></tr>
<tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" id="mode" class="inl">

1
bureau/admin/adm_tldedit.php Normal file → Executable file
View File

@ -60,6 +60,7 @@ include_once("head.php");
<h3><?php __("Edit a TLD"); ?></h3>
<form method="post" action="adm_tlddoedit.php">
<?php csrf_get(); ?>
<table id="main" class="tedit">
<tr><th><label for="tld"><?php __("TLD"); ?></label></th><td><code><?php echo $tld; ?></code><input type="hidden" name="tld" id="tld" value="<?php echo $tld; ?>" /></td></tr>
<tr><th><label for="mode"><?php __("Allowed Mode"); ?></label></th><td><select name="mode" class="inl" id="mode">

1
bureau/admin/adm_variables.php Normal file → Executable file
View File

@ -53,6 +53,7 @@ include_once ("head.php");
</p>
<form method="post" action="adm_variables.php">
<?php csrf_get(); ?>
<table border="0" cellpadding="4" cellspacing="0" class='tlist'>
<tr><th><?php __("Names"); ?></th><th><?php __("Value"); ?></th><th><?php __("Comment"); ?></th></tr>
<?php

1
bureau/admin/bro_editor.php Normal file → Executable file
View File

@ -80,6 +80,7 @@ $content=$bro->content($R,$editfile);
?>
<form action="bro_editor.php" method="post"><br />
<?php csrf_get(); ?>
<div id="tabsfile">
<ul>
<li class="view"><a href="#tabsfile-view"><?php __("View"); ?></a></li>

6
bureau/admin/bro_main.php Normal file → Executable file
View File

@ -96,6 +96,7 @@ if (!empty($formu) && $formu) {
?>
<h3><?php printf(_("Deleting files and/or directories")); ?> : </h3>
<form action="bro_main.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="formu" value="2" />
<input type="hidden" name="actdel" value="1" />
<input type="hidden" name="R" value="<?php ehe($R)?>" />
@ -184,6 +185,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
<td class="formcell">
<form action="bro_main.php" enctype="multipart/form-data" method="post">
<?php csrf_get(); ?>
<input type="hidden" name="R" value="<?php echo $R; ?>" />
<input type="hidden" name="formu" value="3" />
@ -200,6 +202,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
<?php __("New file or folder:"); ?><br />
<form action="bro_main.php" method="post" name="nn" id="nn">
<?php csrf_get(); ?>
<input type="hidden" name="R" value="<?php echo $R; ?>" />
<table><tr>
<td><input type="text" class="int" name="nomfich" id="nomfich" size="22" maxlength="255" /></td>
@ -221,6 +224,7 @@ if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
if (isset($formu) && $formu==2 && isset($actrename) && $actrename && count($d)) {
echo "<table cellpadding=\"6\">\n";
echo "<form action=\"bro_main.php\" method=\"post\">\n";
csrf_get();
echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n";
echo "<input type=\"hidden\" name=\"formu\" value=\"4\" />\n";
echo "<tr><th colspan=\"2\">"._("Rename")."</th></tr>";
@ -237,6 +241,7 @@ if (isset($formu) && $formu==2 && isset($actrename) && $actrename && count($d))
/* [ML] Changer les permissions : */
if ($formu==2 && ! (empty($actperms)) && count($d)) {
echo "<form action=\"bro_main.php\" method=\"post\">\n";
csrf_get();
echo "<input type=\"hidden\" name=\"R\" value=\"$R\" />\n";
echo "<input type=\"hidden\" name=\"formu\" value=\"7\" />\n";
echo "<p>"._("Permissions")."</p>";
@ -277,6 +282,7 @@ if (count($c)) {
?>
<form action="bro_main.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="R" value="<?php echo $R; ?>" />
<input type="hidden" name="formu" value="2" />

2
bureau/admin/bro_pref.php Normal file → Executable file
View File

@ -60,7 +60,7 @@ include_once("head.php");
<hr id="topbar"/>
<br />
<form action="bro_pref.php" method="post">
<?php csrf_get(); ?>
<table cellpadding="6" border="1" cellspacing="0" class='tedit'>
<tr><th><?php __("Horizontal window size"); ?></th><td><select class="inl" name="editsizex">

1
bureau/admin/browseforfolder2.php Normal file → Executable file
View File

@ -139,6 +139,7 @@ if ($errbrowsefold) {
reset($ar);
?>
<form method="post" id="main" name="main" action="browseforfolder2.php">
<?php csrf_get(); ?>
<p>
<input type="hidden" name="caller" value="<?php echo $caller; ?>" />
<input type="hidden" name="lastcurdir" value="<?php echo $curdir; ?>" />

2
bureau/admin/cron.php Normal file → Executable file
View File

@ -27,7 +27,7 @@ $lst_cron = $cron->lst_cron();
<?php } ?>
<form method="post" action="cron.php" id="main" name="cron" >
<?php csrf_get(); ?>
<table class="tlist">
<!--

1
bureau/admin/dom_add.php Normal file → Executable file
View File

@ -53,6 +53,7 @@ exit();
if (isset($error) && $error) echo "<p class=\"alert alert-danger\">$error</p>";
?>
<form method="post" action="dom_doadd.php" id="main">
<?php csrf_get(); ?>
<p>
<label for="newdomain"><b><?php __("Domain name"); ?> :</b></label> <span class="int" id="newdomwww">www.</span><input type="text" class="int" id="newdomain" name="newdomain" value="<?php ehe($newdomain); ?>" size="32" maxlength="255" /> <a class="inb configure" href="dom_import.php"><?php __("Advanced import"); ?></a>
</p>

1
bureau/admin/dom_dodel.php Normal file → Executable file
View File

@ -68,6 +68,7 @@ if ($del_confirm!="y") {
<?php __("This will delete the related sub-domains too."); ?></p>
<form method="post" action="dom_dodel.php" id="main">
<?php csrf_get(); ?>
<p>
<input type="hidden" name="del_confirm" value="y" />
<input type="hidden" name="domain" value="<?php echo $domain ?>" />

1
bureau/admin/dom_edit.inc.php Normal file → Executable file
View File

@ -29,6 +29,7 @@ $dom->unlock();
?>
<form action="dom_subdoedit.php" method="post" name="main" id="main">
<?php csrf_get(); ?>
<table border="0">
<tr>
<td>

3
bureau/admin/dom_edit.php Normal file → Executable file
View File

@ -263,7 +263,7 @@ if (!$r['noerase']) {
<div id="tabsdom-params">
<h3><?php __("DNS &amp; Email parameters"); ?></h3>
<form action="dom_editdns.php?domain=<?php echo urlencode($r["name"]) ?>" method="post" id="fdns" name="fdns" onSubmit="return destruction_alert();">
<?php csrf_get(); ?>
<table class="tlist2">
<tr>
<td><?php __("Manage the DNS on the server ?"); ?></td>
@ -321,6 +321,7 @@ if (!$r['noerase']) {
<h3><?php __("Domain removal"); ?></h3>
<?php printf(_("If you want to destroy the domain %s, click on the button below. Warning: this also deletes all FTP accounts, email, mailing lists associated with the domain and subdomains."),$domain); ?><br />
<form action="dom_dodel.php?domain=<?php echo urlencode($domain) ?>" method="post">
<?php csrf_get(); ?>
<p>
<input type="submit" class="inb delete" name="detruire" value="<?php printf(_("Delete %s from this server"),$domain); ?>" />
</p>

1
bureau/admin/dom_import.php Normal file → Executable file
View File

@ -90,6 +90,7 @@ if ($save) {
<form method="post" action="dom_import.php">
<?php csrf_get(); ?>
<table>
<tr>
<td>

1
bureau/admin/dom_subdel.php Normal file → Executable file
View File

@ -59,6 +59,7 @@ if (isset($error) && $error) {
<hr id="topbar"/>
<br />
<form action="dom_subdodel.php" method="post">
<?php csrf_get(); ?>
<p class="alert alert-warning">
<input type="hidden" name="sub_domain_id" value="<?php echo $sub_domain_id ?>" />
<?php __("WARNING : You are going to delete a sub-domain."); ?></p>

1
bureau/admin/ftp_del.php Normal file → Executable file
View File

@ -76,6 +76,7 @@ if(!empty($confirm_del)) {
</ul>
<form method="post" action="ftp_del.php" name="main" id="main">
<?php csrf_get(); ?>
<?php foreach($lst_todel as $t) {
echo "<input type='hidden' name='del_$t' value='$t' >\n";
} ?>

1
bureau/admin/ftp_doedit.php Normal file → Executable file
View File

@ -39,7 +39,6 @@ $fields = array (
);
getFields($fields);
if ($pass != $passconf) {
$error = _("Passwords do not match");
include_once("head.php");

2
bureau/admin/ftp_edit.php Normal file → Executable file
View File

@ -65,7 +65,7 @@ if (isset($error) && $error) {
}
?>
<form method="post" action="ftp_doedit.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/ftp_list.php Normal file → Executable file
View File

@ -68,6 +68,7 @@ if (isset($error) && $error && !$noftp) {
?>
<form method="post" action="ftp_del.php">
<?php csrf_get(); ?>
<table class="tlist" id="ftp_list_table">
<thead>
<tr><th colspan="2"> </th><th><?php __("Enabled"); ?></th><th><?php __("Username"); ?></th><th><?php __("Folder"); ?></th></tr>

1
bureau/admin/hta_add.php Normal file → Executable file
View File

@ -50,6 +50,7 @@ if (isset($error) && $error) {
} ?>
<form method="post" action="hta_doadd.php" name="main" id="main">
<?php csrf_get(); ?>
<table border="1" cellspacing="0" cellpadding="4" class='tedit'>
<tr>
<th><label for="dir"><?php __("Folder"); ?></label></th>

2
bureau/admin/hta_adduser.php Normal file → Executable file
View File

@ -45,7 +45,7 @@ getFields($fields);
?>
<form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/hta_dodeluser.php Normal file → Executable file
View File

@ -57,6 +57,7 @@ include_once('head.php');
</ul>
<form method="post" action="hta_dodeluser.php" name="main" id="main">
<?php csrf_get(); ?>
<input type='hidden' name='dir' value='<?php echo $dir;?>' >
<?php foreach($d as $t) {
echo "<input type='hidden' name='d[$t]' value='$t' >\n";

3
bureau/admin/hta_edit.php Normal file → Executable file
View File

@ -57,6 +57,7 @@ if (!$dir) {
reset($r);
?>
<form method="post" action="hta_dodeluser.php">
<?php csrf_get(); ?>
<table cellspacing="0" cellpadding="4" class='tlist'>
<tr>
<th colspan="2" ><input type="hidden" name="dir" value="<?php echo $dir?>"> </th>
@ -91,7 +92,7 @@ for($i=0;$i<count($r);$i++){ ?>
<legend><h3><?php __("Adding an authorized user"); ?></h3></legend>
<form method="post" action="hta_doadduser.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

1
bureau/admin/hta_edituser.php Normal file → Executable file
View File

@ -44,6 +44,7 @@ getFields($fields);
<?php if (!empty($error) ) { echo "<p class=\"alert alert-danger\">$error</p>"; } ?>
<form method="post" action="hta_doedituser.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />

1
bureau/admin/hta_list.php Normal file → Executable file
View File

@ -64,6 +64,7 @@ $mem->show_help("hta_list2");
</p>
<form method="post" action="hta_del.php">
<?php csrf_get(); ?>
<table class="tlist">
<tr><th colspan="2"> </th><th><?php __("Folder"); ?></th></tr>
<?php

1
bureau/admin/index.php Normal file → Executable file
View File

@ -93,6 +93,7 @@ if ( empty($logo) || ! $logo ) {
<?php if (!empty($authip_token)) { echo "<p style='color:red;'>";__("You are attemping to connect without IP restriction."); echo "</p>"; } ?>
<div class="menu-title"><?php __("AlternC access"); ?></div>
<form action="login.php" method="post" name="loginform" target="_top">
<?php csrf_get(); ?>
<div class="menu-content">
<div><label for="username"><?php echo _("Username"); ?></label></td><td><input type="text" class="int" name="username" id="username" value="" maxlength="128" autocapitalize="none" /></div>
<div><label for="password"><?php echo _("Password"); ?></label></td><td><input type="password" class="int" name="password" id="password" value="" maxlength="128" /></div>

2
bureau/admin/ip_main.php Normal file → Executable file
View File

@ -89,6 +89,7 @@ $lac = $authip->list_affected();
<p><?php __("You need to have some 'Known IP and networks' defined below to define a new rule.") ?></p>
<?php } else { ?>
<form method="post" action="ip_main.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlistb">
<tbody>
<tr valign="top">
@ -176,6 +177,7 @@ foreach($list_ip as $i) {
<p><a href="javascript:edit_ip('','<?php echo htmlentities(get_remote_ip())."','Home IP'";?>);" ><?php echo __("Add my current IP"); ?></a></p>
<span id="form_add_ip">
<form method="post" action="ip_main.php" name="main" >
<?php csrf_get(); ?>
<p id="reset_edit_ip" style="display:none;"><a href="javascript:reset_edit_ip();"><?php __("Cancel edit")?></a></p>
<input type="hidden" name="id" value="" id="edit_id" />

1
bureau/admin/mail_del.php Normal file → Executable file
View File

@ -56,6 +56,7 @@ if ($confirm=="y") {
<br />
<p><?php __("Please confirm the deletion of the following mail accounts:"); ?></p>
<form method="post" action="mail_del.php" id="main">
<?php csrf_get(); ?>
<p>
<input type="hidden" name="confirm" value="y" />
<input type="hidden" name="domain_id" value="<?php echo $domain_id; ?>" />

2
bureau/admin/mail_edit.php Normal file → Executable file
View File

@ -62,7 +62,7 @@ if (isset($error)) {
?>
<form action="mail_doedit.php" method="post" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
<input type="password" style="display: none" id="fakePassword" name="fakePassword" value="" />

2
bureau/admin/mail_list.php Normal file → Executable file
View File

@ -77,6 +77,7 @@ if ($fatal) {
<td>
<?php if ($quota->cancreate("mail")) { ?>
<form method="post" action="mail_doadd.php" id="main" name="mail_create">
<?php csrf_get(); ?>
<input type="text" class="int intleft" style="text-align: right" name="mail_arg" value="<?php ehe($mail_arg); ?>" size="24" id="mail_arg" maxlength="255" /><span id="emaildom" class="int intright"><?php echo "@".$domain; ?></span>
<input type="hidden" name="domain_id" value="<?php echo $domain_id;?>" />
<input type="submit" name="submit" class="inb add" value="<?php __("Create this email address"); ?>" onClick="return false_if_empty('mail_arg', '<?php echo addslashes(_("Can't have empty mail."));?>');" />
@ -122,6 +123,7 @@ if (empty($allmails_list) && empty($search)) {
</td></tr></table>
<form method="post" action="mail_del.php">
<?php csrf_get(); ?>
<input type="hidden" name="domain_id" value="<?php echo $domain_id; ?>" />
<table class="tlist">
<tr><th></th><th></th><th><?php __("Enabled");?></th><th style="text-align:right"><?php __("Address"); ?></th><th><?php __("Pop/Imap"); ?></th><th><?php __("Other recipients"); ?></th><th><?php __("Last login time"); ?></th></tr>

4
bureau/admin/mem_param.php Normal file → Executable file
View File

@ -78,6 +78,7 @@ echo "<p>";
__("help_chg_passwd"); ?>
</p>
<form method="post" action="mem_passwd.php" name="main" id="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />
@ -96,6 +97,7 @@ echo "<p>";
<div id="tabsmem-mail">
<h3><?php __("Change the email of the account"); ?></h3>
<form method="post" action="mem_chgmail.php">
<?php csrf_get(); ?>
<table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr><td colspan="2"><?php __("help_chg_mail"); ?></td></tr>
<tr><th><?php __("Current mailbox"); ?></th><td><big><code><?php echo $mem->user["mail"]; ?></code></big></td></tr>
@ -107,6 +109,7 @@ echo "<p>";
<div id="tabsmem-help">
<h3><?php __("Online help settings"); ?></h3>
<form method="post" action="mem_param.php">
<?php csrf_get(); ?>
<table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr><td colspan="2"><?php __("help_help_settings"); ?></td></tr>
<tr><th><label for="showhelp"><?php __("Do you want to see the help texts and links on each page?"); ?></label></th><td><input type="checkbox" class="inc" id="showhelp" name="showhelp" value="1" <?php if ($mem->get_help_param()) echo "checked=\"checked\""; ?> /></td></tr>
@ -120,6 +123,7 @@ if ($mem->user["su"]) {
<div id="tabsmem-admin">
<h3><?php __("Admin preferences"); ?></h3>
<form method="post" action="mem_admin.php">
<?php csrf_get(); ?>
<table border="1" cellspacing="0" cellpadding="4" class="tedit">
<tr><th><?php __("Members list view"); ?></th><td><select name="admlist" class="inl">
<option value="0"<?php if ($mem->user["admlist"]==0) echo " selected=\"selected\""; ?>><?php __("Large view"); ?></option>

1
bureau/admin/piwik_site_dodel.php Normal file → Executable file
View File

@ -66,6 +66,7 @@ include_once('head.php');
<br />
<form method="post" action="piwik_site_dodel.php" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="siteid" value="<?php echo $siteid;?>" />
<input type="submit" class="inb" name="confirm_del" value="<?php __("Delete")?>" />
<input type="button" class="inb" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location='piwik_sitelist.php'" />

2
bureau/admin/piwik_sitelist.php Normal file → Executable file
View File

@ -82,6 +82,7 @@ if ($quota->cancreate("piwik")) {
?>
<h3><?php __("Add a new website");?></h3>
<form method="post" action="piwik_addsites.php" id="main" name="addsites" >
<?php csrf_get(); ?>
<input type="text" class="int" name="site_urls" size="50" id="site_name" maxlength="255" value="" placeholder="<?php __("URL of the website")?>"/>
<input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
</form>
@ -162,6 +163,7 @@ foreach ($sitelist as $site ){
// If a site was selected
if ($site_id != -1 && in_array($site_id, $piwik_alternc_sites)) {
echo '<form method="post">';
csrf_get();
echo '<dl>';
foreach ($piwik->get_users_access_from_site($site_id) AS $piwik_user => $cred) {
printf("<dt>%s:</dt>\n\t<dd>%s</dd>\n", $piwik_user, piwik_right_widget('right', $piwik_user, $cred));

1
bureau/admin/piwik_user_dodel.php Normal file → Executable file
View File

@ -64,6 +64,7 @@ include_once('head.php');
<br />
<form method="post" action="piwik_user_dodel.php" name="main" id="main">
<?php csrf_get(); ?>
<input type="hidden" name="login" value="<?php echo $login;?>" />
<input type="submit" class="inb" name="confirm_del" value="<?php __("Delete")?>" />
<input type="button" class="inb" name="cancel" value="<?php __("Cancel"); ?>" onclick="document.location='piwik_userlist.php'" />

1
bureau/admin/piwik_useradmin.php Normal file → Executable file
View File

@ -131,6 +131,7 @@ if (count($available_user_sites)>0)
foreach ($available_user_sites AS $current_id_site => $available_user_site)
{
printf('<li>%s <form method="post"><input type="hidden" name="site_id" value="%d">
<input type="hidden" name="csrf" value="'.csrf_get(true).'" />
<select name="right">
<option value="noaccess">%s</option>
<option value="view">%s</option>

2
bureau/admin/piwik_userlist.php Normal file → Executable file
View File

@ -40,6 +40,7 @@ if ($quota->cancreate("piwik")) {
?>
<h3><?php __("Create a new piwik account");?></h3>
<form method="post" action="piwik_addaccount.php" id="main" name="addaccount" >
<?php csrf_get(); ?>
<input type="text" class="int" name="account_name" size="20" id="account_name" maxlength="32" value="<?php if ($quotapiwik['u']==0) {echo $mem->user["login"];}?>"/>
<input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
</form>
@ -52,6 +53,7 @@ if ($quotapiwik['u']>0) {
?>
<h3><?php __("Add a new website");?></h3>
<form method="post" action="piwik_addsites.php" id="main" name="addsites" >
<?php csrf_get(); ?>
<input type="text" class="int" name="site_urls" size="50" id="site_name" maxlength="255" value="" placeholder="<?php __("URL of the website")?>"/>
<input type="submit" name="submit" class="inb" value="<?php __("Create"); ?>" />
</form>

1
bureau/admin/sql_bck.php Normal file → Executable file
View File

@ -65,6 +65,7 @@ if (is_array($r)) {
<h3><?php printf(_("Manage the SQL backup for database %s"),$r["db"]); ?></h3>
<form action="sql_dobck.php" method="post" id="main" name="main">
<?php csrf_get(); ?>
<table class="tedit">
<tr>
<th><label><?php __("Do MySQL backup?"); ?></label></th>

1
bureau/admin/sql_del.php Normal file → Executable file
View File

@ -75,6 +75,7 @@ if (!$found) {
<p class="alert alert-warning"><?php __("WARNING"); ?></big><br /><?php __("Confirm the deletion of the following SQL databases"); ?><br />
<?php __("This will delete all the tables currently in those db."); ?></p>
<form method="post" action="sql_del.php" id="main">
<?php csrf_get(); ?>
<p>
<input type="hidden" name="confirm" value="y" />
<?php

2
bureau/admin/sql_list.php Normal file → Executable file
View File

@ -50,6 +50,7 @@ $r=$mysql->get_userslist();
if($rdb){
?>
<form method="post" action="sql_del.php" name="main" id="main">
<?php csrf_get(); ?>
<table class="tlist">
<tr><th>&nbsp;</th><th><?php __("Database"); ?></th><?php if ( variable_get('sql_allow_users_backups') ) { ?><th><?php __("Backup"); ?></th><?php } // sql_allow_users_backups ?><th><?php __("Restore"); ?></th><th><?php __("Show Settings"); ?></th><th><?php __("Size"); ?></th></tr>
@ -91,6 +92,7 @@ for($i=0;$i<count($rdb);$i++) {
<?php }else{
?>
<form method="post" action="sql_doadd.php" id="main2" name="main2">
<?php csrf_get(); ?>
<table class="tedit">
<tr>
<th><label for="dbn"><?php __("MySQL Database"); ?></label></th>

1
bureau/admin/sql_restore.php Normal file → Executable file
View File

@ -62,6 +62,7 @@ __("Warning: Write the complete path and the filename. <br />For example if your
echo "</p>";
?>
<form action="sql_dorestore.php" method="post">
<?php csrf_get(); ?>
<input type="hidden" name="id" value="<?php echo $id ?>" />
<p><label for="restfile"><?php __("Please enter the path and the filename containing SQL data to be restored."); ?></label></p>
<p><input type="text" class="int" id="restfile" name="restfile" size="35" maxlength="255" value="<?php ehe($filename); ?>" /> <input class="inb" type="submit" name="submit" onClick='return restfilenotempty();' value="<?php __("Restore my database"); ?>" /><i><?php __("Tip: you can restore a file directly in the File Browser");?></i></p>

1
bureau/admin/sql_users_add.php Normal file → Executable file
View File

@ -54,6 +54,7 @@ getFields($fields);
}
?>
<form method="post" action="sql_users_doadd.php" id="main" name="main" autocomplete="off">
<?php csrf_get(); ?>
<!-- honeypot fields -->
<input type="text" style="display: none" id="fakeUsername" name="fakeUsername" value="" />

2
bureau/admin/sql_users_del.php Normal file → Executable file
View File

@ -32,6 +32,7 @@ $fields = array (
"confirm" => array ("post", "string", ""),
);
getFields($fields);
if(!isset($error)){
$error="";
}
@ -61,6 +62,7 @@ include_once("head.php");
<p class="alert alert-warning"><?php __("WARNING"); ?></big><br /><?php __("Confirm the deletion of the following MySQL users"); ?><br />
</p>
<form method="post" action="sql_users_del.php" id="main">
<?php csrf_get(); ?>
<p>
<input type="hidden" name="confirm" value="y" />
<?php

1
bureau/admin/sql_users_doadd.php Normal file → Executable file
View File

@ -36,7 +36,6 @@ $fields = array (
);
getFields($fields);
if(!empty($usern)){
if (!$mysql->add_user($usern,$password,$passconf)) {
$error=$err->errstr();

1
bureau/admin/sql_users_list.php Normal file → Executable file
View File

@ -47,6 +47,7 @@ if (isset($error) && $error) {
if($r){ // if there is some userlist
?>
<form method="post" action="sql_users_del.php">
<?php csrf_get(); ?>
<table cellspacing="0" cellpadding="4" class="tlist">
<tr><th>&nbsp;</th><th><?php __("User"); ?></th><th><?php __("Rights"); ?></th><th><?php __("Password");?></th></tr>
<?php

1
bureau/admin/sql_users_password.php Normal file → Executable file
View File

@ -53,6 +53,7 @@ if (! empty($error) ) {
?>
<form method="post" action="sql_users_dopassword.php" autocomplete="off">
<?php csrf_get(); ?>
<input type="hidden" name="id" value="<?php echo $id; ?>" />
<!-- honeypot fields -->

1
bureau/admin/sql_users_rights.php Normal file → Executable file
View File

@ -54,6 +54,7 @@ if ($r) {
?>
<form method="post" action="sql_users_dorights.php">
<?php csrf_get(); ?>
<input type="hidden" name="id" value="<?php echo $id; ?>" />
<table cellspacing="0" cellpadding="4" class="tlist ombrage">
<tr class="petit">

2
bureau/admin/vm.php Normal file → Executable file
View File

@ -68,6 +68,7 @@ include_once("head.php");
?>
<p class="alert alert-info"><?php __("You can start a virtual machine."); ?></p>
<form method="post" action="vm.php">
<?php csrf_get(); ?>
<input type="hidden" name="action" value="start" />
<input type="submit" class="inb ok" name="go" value="<?php __("Click here to start a virtual machine."); ?>" />
</form>
@ -85,6 +86,7 @@ include_once("head.php");
?>
<p class="alert alert-info"><?php __("You can stop your virtual machine."); ?></p>
<form method="post" action="vm.php">
<?php csrf_get(); ?>
<input type="hidden" name="action" value="stop" />
<input type="submit" class="inb cancel" name="go" value="<?php __("Click here to stop your running virtual machine."); ?>" />
</form>

11
bureau/class/config.php Normal file → Executable file
View File

@ -209,6 +209,17 @@ if ($oldid && $oldid != $cuid) {
$isinvited = true;
}
// CHECK CSRF for ALL POSTS :
// you MUST add <?php csrf_get(); ?> after ALL <form method="post" in AlternC !
if (count($_POST)) {
if (csrf_check()<=0) {
$error=$err->errstr();
require_once("main.php");
exit();
}
}
// Init some vars
variable_get('hosting_tld', '', 'This is a FQDN that designates the main hostname of the service. For example, hosting_tld determines in what TLD the "free" user domain is created. If this is set to "example.com", a checkbox will appear in the user creation dialog requesting the creator if he wants to create the domain "username.example.com".', array('desc' => 'Wanted FQDN', 'type' => 'string'));

24
bureau/class/functions.php Normal file → Executable file
View File

@ -1080,14 +1080,20 @@ function panel_islocked() {
* to the session cookie. We also need the $db pdo object
* @return the csrf cookie to add into a csrf hidden field in your form
*/
function csrf_get() {
function csrf_get($return=false) {
global $db;
static $token="";
if (!isset($_SESSION["csrf"])) {
$_SESSION["csrf"]=md5(rand().rand().rand());
}
$token=md5(rand().rand().rand());
$db->query("INSERT INTO csrf SET cookie=?, token=?, created=NOW(), used=0;",array($_SESSION["csrf"],$token));
return $token;
if ($token=="") {
$token=md5(rand().rand().rand());
$db->query("INSERT INTO csrf SET cookie=?, token=?, created=NOW(), used=0;",array($_SESSION["csrf"],$token));
}
if ($return)
return $token;
echo '<input type="hidden" name="csrf" value="'.$token.'" />';
return true;
}
/** Check a CSRF token against the current session
@ -1096,8 +1102,11 @@ function csrf_get() {
* @return $result integer 0 for invalid token, 1 for good token, -1 for expired token (already used)
* if a token is invalid or expired, an $err is raised, that can be displayed
*/
function csrf_check($token) {
function csrf_check($token=null) {
global $db,$err;
if (is_null($token)) $token=$_POST["csrf"];
if (!isset($_SESSION["csrf"])) {
$err->raise("functions", _("The posted form token is incorrect. Maybe you need to allow cookies"));
return 0; // no csrf cookie :/
@ -1120,6 +1129,7 @@ function csrf_check($token) {
$err->raise("functions", _("Your token is expired. Please refill the form."));
return -1; // expired
}
$db->query("UPDATE csrf SET used=1 WHERE cookie=? AND token=?;",array($_SESSION["csrf"],$token));
$db->query("UPDATE csrf SET used=1 WHERE cookie=? AND token=?;",array($_SESSION["csrf"],$token));
$db->exec("DELETE FROM csrf WHERE created<DATE_SUB(NOW(), INTERVAL 1 DAY);");
return 1;
}
}

0
bureau/class/local.php Normal file → Executable file
View File

2
install/upgrades/3.4.5.sql Normal file → Executable file
View File

@ -7,4 +7,4 @@ CREATE TABLE IF NOT EXISTS `csrf` (
`used` tinyint(3) unsigned NOT NULL DEFAULT '0'
) ENGINE=InnoDB DEFAULT CHARSET=latin1 COMMENT='csrf tokens for AlternC forms';
ALTER TABLE `csrf` ADD PRIMARY KEY (`session`,`token`), ADD KEY `created` (`created`);
ALTER TABLE `csrf` ADD PRIMARY KEY (`cookie`,`token`), ADD KEY `created` (`created`);