From c34b0407663a842760725041d3036dee0e79e291 Mon Sep 17 00:00:00 2001
From: Roland Gruber <post@rolandgruber.de>
Date: Thu, 14 May 2015 09:18:45 +0000
Subject: [PATCH] added CSRF protection

---
 lam/HISTORY                       |  1 +
 lam/lib/html.inc                  | 10 ++++--
 lam/lib/modules.inc               |  3 +-
 lam/lib/modules/inetOrgPerson.inc |  7 ++--
 lam/lib/modules/ldapPublicKey.inc | 11 +++++--
 lam/lib/security.inc              | 53 ++++++++++++++++++++++++++++++-
 lam/lib/selfService.inc           | 11 ++++++-
 lam/templates/lib/500_lam.js      |  2 +-
 lam/templates/login.php           |  1 +
 lam/templates/misc/ajax.php       |  7 ++--
 10 files changed, 92 insertions(+), 14 deletions(-)

diff --git a/lam/HISTORY b/lam/HISTORY
index e7e0aff9..3fd01e18 100644
--- a/lam/HISTORY
+++ b/lam/HISTORY
@@ -1,4 +1,5 @@
 June 215
+  - Security: added CSRF protection
   - Zarafa users: allow to change display format of "Send As"
 
 
diff --git a/lam/lib/html.inc b/lam/lib/html.inc
index 80ce6293..7ccd6f76 100644
--- a/lam/lib/html.inc
+++ b/lam/lib/html.inc
@@ -591,12 +591,16 @@ class htmlInputField extends htmlElement {
 			';
 		}
 		if ($this->checkPasswordStrength) {
-			$ajaxPath = "../templates/misc/ajax.php";
+			$tokenSuffix = '?' . getSecurityTokenName() . '=' . getSecurityTokenValue();
+			if (isSelfService()) {
+				$tokenSuffix .= '&selfservice=1';
+			}
+			$ajaxPath = "../templates/misc/ajax.php" . $tokenSuffix;
 			if (is_file("../../templates/misc/ajax.php")) {
-				$ajaxPath = "../../templates/misc/ajax.php";
+				$ajaxPath = "../../templates/misc/ajax.php" . $tokenSuffix;
 			}
 			elseif (is_file("../../../templates/misc/ajax.php")) {
-				$ajaxPath = "../../../templates/misc/ajax.php";
+				$ajaxPath = "../../../templates/misc/ajax.php" . $tokenSuffix;
 			}
 			echo '<script type="text/javascript">
 					checkPasswordStrength("' . $this->fieldName . '", "' . $ajaxPath . '");
diff --git a/lam/lib/modules.inc b/lam/lib/modules.inc
index ee0dc19b..6adfd25b 100644
--- a/lam/lib/modules.inc
+++ b/lam/lib/modules.inc
@@ -1238,7 +1238,8 @@ class accountContainer {
 			$passwordButton = new htmlButton('accountContainerPassword', _('Set password'));
 			$passwordButton->setIconClass('passwordButton');
 			$passwordButton->setOnClick('passwordShowChangeDialog(\'' . _('Set password') . '\', \'' . _('Ok') . '\', \''
-				 . _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange\');');
+				 . _('Cancel') . '\', \'' . _('Set random password') . '\', \'../misc/ajax.php?function=passwordChange&'
+				 . getSecurityTokenName() . '=' . getSecurityTokenValue() . '\');');
 			$leftButtonGroup->addElement($passwordButton);
 		}
 		$table->addElement($leftButtonGroup);
diff --git a/lam/lib/modules/inetOrgPerson.inc b/lam/lib/modules/inetOrgPerson.inc
index a3dcc09e..5d110e26 100644
--- a/lam/lib/modules/inetOrgPerson.inc
+++ b/lam/lib/modules/inetOrgPerson.inc
@@ -2972,7 +2972,9 @@ class inetOrgPerson extends baseModule implements passwordService {
 					"action": "delete",
 					"id": id
 				};
-				jQuery.post(\'../misc/ajax.php?selfservice=1&module=inetOrgPerson&scope=user\', {jsonInput: actionJSON}, function(data) {inetOrgPersonDeleteCertificateHandleReply(data);}, \'json\');
+				jQuery.post(\'../misc/ajax.php?selfservice=1&module=inetOrgPerson&scope=user'
+				 . '&' . getSecurityTokenName() . '=' . getSecurityTokenValue()
+				 . '\', {jsonInput: actionJSON}, function(data) {inetOrgPersonDeleteCertificateHandleReply(data);}, \'json\');
 			}
 			
 			function inetOrgPersonDeleteCertificateHandleReply(data) {
@@ -2990,7 +2992,8 @@ class inetOrgPerson extends baseModule implements passwordService {
 					element: document.getElementById(elementID),
 					listElement: uploadStatus,
 					request: {
-						endpoint: \'../misc/ajax.php?selfservice=1&module=inetOrgPerson&scope=user\',
+						endpoint: \'../misc/ajax.php?selfservice=1&module=inetOrgPerson&scope=user'
+						 . '&' . getSecurityTokenName() . '=' . getSecurityTokenValue() . '\',
 						forceMultipart: true,
 						params: {
 							action: \'ajaxCertUpload\'
diff --git a/lam/lib/modules/ldapPublicKey.inc b/lam/lib/modules/ldapPublicKey.inc
index 9e144145..a4173060 100644
--- a/lam/lib/modules/ldapPublicKey.inc
+++ b/lam/lib/modules/ldapPublicKey.inc
@@ -305,7 +305,9 @@ class ldapPublicKey extends baseModule {
 				for (c = 0; c < count; c++) {
 					actionJSON["sshPublicKey_" + c] = jQuery(\'#sshPublicKey_\' + c).val();
 				}
-				jQuery.post(\'../misc/ajax.php?selfservice=1&module=ldapPublicKey&scope=user\', {jsonInput: actionJSON}, function(data) {ldapPublicKeyDeleteKeyHandleReply(data);}, \'json\');
+				jQuery.post(\'../misc/ajax.php?selfservice=1&module=ldapPublicKey&scope=user'
+					. '&' . getSecurityTokenName() . '=' . getSecurityTokenValue()
+					. '\', {jsonInput: actionJSON}, function(data) {ldapPublicKeyDeleteKeyHandleReply(data);}, \'json\');
 			}
 			
 			function ldapPublicKeyDeleteKeyHandleReply(data) {
@@ -324,7 +326,9 @@ class ldapPublicKey extends baseModule {
 				for (c = 0; c < count; c++) {
 					actionJSON["sshPublicKey_" + c] = jQuery(\'#sshPublicKey_\' + c).val();
 				}
-				jQuery.post(\'../misc/ajax.php?selfservice=1&module=ldapPublicKey&scope=user\', {jsonInput: actionJSON}, function(data) {ldapPublicKeyAddKeyHandleReply(data);}, \'json\');
+				jQuery.post(\'../misc/ajax.php?selfservice=1&module=ldapPublicKey&scope=user'
+					. '&' . getSecurityTokenName() . '=' . getSecurityTokenValue()
+					. '\', {jsonInput: actionJSON}, function(data) {ldapPublicKeyAddKeyHandleReply(data);}, \'json\');
 			}
 			
 			function ldapPublicKeyAddKeyHandleReply(data) {
@@ -348,7 +352,8 @@ class ldapPublicKey extends baseModule {
 					element: document.getElementById(elementID),
 					listElement: uploadStatus,
 					request: {
-						endpoint: \'../misc/ajax.php?selfservice=1&module=ldapPublicKey&scope=user\',
+						endpoint: \'../misc/ajax.php?selfservice=1&module=ldapPublicKey&scope=user'
+						. '&' . getSecurityTokenName() . '=' . getSecurityTokenValue() . '\',
 						forceMultipart: true,
 						paramsInBody: true,
 						params: parameters
diff --git a/lam/lib/security.inc b/lam/lib/security.inc
index 2e9cce8d..13569693 100644
--- a/lam/lib/security.inc
+++ b/lam/lib/security.inc
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2014  Roland Gruber
+  Copyright (C) 2006 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -497,4 +497,55 @@ function getClientIPForLogging() {
 	return $ip;
 }
 
+/**
+ * Adds a security token to the session to prevent CSRF attacks.
+ */
+function addSecurityTokenToSession() {
+	$_SESSION[getSecurityTokenName()] = getRandomNumber();
+}
+
+/**
+ * Checks if the security token from SESSION matches POST data.
+ * 
+ * @param $post use POST, set to false for GET (default: true)
+ */
+function validateSecurityToken($post = true) {
+	$vars = $post ? $_POST : $_GET;
+	if (empty($vars)) {
+		return;
+	}
+	if (empty($vars[getSecurityTokenName()]) || ($vars[getSecurityTokenName()] != $_SESSION[getSecurityTokenName()])) {
+		logNewMessage(LOG_ERR, 'Security token does not match POST data.');
+		die();
+	}
+}
+
+/**
+ * Adds a hidden input field to the given meta HTML table.
+ * Should be used to add token at the end of table.
+ * 
+ * @param htmlTable $container table
+ */
+function addSecurityTokenToMetaHTML(&$container) {
+	$container->addElement(new htmlHiddenInput(getSecurityTokenName(), $_SESSION[getSecurityTokenName()]), true);
+}
+
+/**
+ * Returns the name of the security token parameter.
+ * 
+ * @return String name
+ */
+function getSecurityTokenName() {
+	return 'sec_token';
+}
+
+/**
+ * Returns the value of the security token parameter.
+ * 
+ * @return String value
+ */
+function getSecurityTokenValue() {
+	return $_SESSION[getSecurityTokenName()];
+}
+
 ?>
\ No newline at end of file
diff --git a/lam/lib/selfService.inc b/lam/lib/selfService.inc
index ed3b358d..2ee52f86 100644
--- a/lam/lib/selfService.inc
+++ b/lam/lib/selfService.inc
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2006 - 2014  Roland Gruber
+  Copyright (C) 2006 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -285,6 +285,15 @@ function checkSelfServiceSettings($scope, &$options, &$profile) {
 	return $return;
 }
 
+/**
+ * Returns if script runs inside self service.
+ * 
+ * @return boolean is self service
+ */
+function isSelfService() {
+	return session_name() == 'SELFSERVICE';
+}
+
 
 /**
  * Includes all settings of a self service profile.
diff --git a/lam/templates/lib/500_lam.js b/lam/templates/lib/500_lam.js
index 0dee7223..f8736a9f 100644
--- a/lam/templates/lib/500_lam.js
+++ b/lam/templates/lib/500_lam.js
@@ -560,7 +560,7 @@ function checkPasswordStrength(fieldID, ajaxURL) {
 					"password": value
 			};
 			// make AJAX call
-			jQuery.post(ajaxURL + "?function=passwordStrengthCheck", {jsonInput: pwdJSON}, function(data) {checkPasswordStrengthHandleReply(data, fieldID);}, 'json');
+			jQuery.post(ajaxURL + "&function=passwordStrengthCheck", {jsonInput: pwdJSON}, function(data) {checkPasswordStrengthHandleReply(data, fieldID);}, 'json');
 		};
 	jQuery(field).keyup(check);
 }
diff --git a/lam/templates/login.php b/lam/templates/login.php
index 36d3b697..8c60f767 100644
--- a/lam/templates/login.php
+++ b/lam/templates/login.php
@@ -615,6 +615,7 @@ if(!empty($_POST['checklogin'])) {
 		$_SESSION['sec_session_id'] = session_id();
 		$_SESSION['sec_client_ip'] = $_SERVER['REMOTE_ADDR'];
 		$_SESSION['sec_sessionTime'] = time();
+		addSecurityTokenToSession();
 		// logging
 		logNewMessage(LOG_NOTICE, 'User ' . $username . ' (' . $clientSource . ') successfully logged in.');
 		// Load main frame
diff --git a/lam/templates/misc/ajax.php b/lam/templates/misc/ajax.php
index bd19ee0b..e06748e0 100644
--- a/lam/templates/misc/ajax.php
+++ b/lam/templates/misc/ajax.php
@@ -3,7 +3,7 @@
 $Id$
 
   This code is part of LDAP Account Manager (http://www.ldap-account-manager.org/)
-  Copyright (C) 2011 - 2014  Roland Gruber
+  Copyright (C) 2011 - 2015  Roland Gruber
 
   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
@@ -58,6 +58,9 @@ class lamAjax {
 	 * Manages an AJAX request.
 	 */
 	public static function handleRequest() {
+		// check token
+		validateSecurityToken(false);
+		
 		if (isset($_GET['module']) && isset($_GET['scope']) && in_array($_GET['module'], getAvailableModules($_GET['scope']))) {
 			if (isset($_GET['useContainer']) && ($_GET['useContainer'] == '1')) {
 				if (!isset($_SESSION['account'])) die();
@@ -76,8 +79,8 @@ class lamAjax {
 		if (!isset($_POST['jsonInput'])) {
 			die();
 		}
+
 		$jsonInput = $_POST['jsonInput'];
-		
 		if ($function == 'passwordChange') {
 			lamAjax::managePasswordChange($jsonInput);
 		}