authorthomas <thomas@chauchefoin.fr>2018-01-02 19:47:30 +0100
committerGitHub <noreply@github.com>2018-01-02 19:47:30 +0100
commit42b380f811e1bb3258e5d66ad8ce6eb5ba0852c3 (patch)
tree90758e2e1b2e3763a94f91e33ad184e51f21e5ff /admin
parentcd67a4a6b3929fe027f9073d1e48182123b6fca2 (diff)
parent7d9e7183cbc189c356a9bff5d640706959eca1ee (diff)
Merge pull request #98 from moonmoon/anti-csrf
Implement a mitigation against CSRF attacks
Diffstat (limited to 'admin')
-rwxr-xr-xadmin/administration.php2
-rw-r--r--admin/changepassword.php4
-rwxr-xr-xadmin/index.php2
-rwxr-xr-xadmin/login.php5
-rw-r--r--admin/logout.php9
-rwxr-xr-xadmin/subscriptions.php4
6 files changed, 22 insertions, 4 deletions
diff --git a/admin/administration.php b/admin/administration.php
index 34afe73..26f6710 100755
--- a/admin/administration.php
+++ b/admin/administration.php
@@ -24,6 +24,7 @@ $page_content = <<<"FRAGMENT"
<div class="widget">
<h3>{$l10n->getString('Clear cache')}</h3>
<form action="purgecache.php" method="post" id="frmPurge">
+ <input type="hidden" value="{$csrf->generate('frmPurge')}" name="_csrf">
<p><label>{$l10n->getString('Clear cache:')}</label><input type="submit" class="submit delete" name="purge" id="purge" value="{$l10n->getString('Clear')}" /></p>
<p class="help">{$l10n->getString('Clearing the cache will make moonmoon reload all feeds.')}</p>
</form>
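Review bot: The token emitted on the added line is keyed 'frmPurge', but the diffstat for admin lists no change to purgecache.php, the form's action, so nothing in this commit appears to verify it and the purge endpoint stays unprotected unless that check lands in a file outside this listing. The changepassword.php hunk pairs generate() with verify() and is the pattern to follow, e.g. `if (!$csrf->verify($_POST['_csrf'] ?? '', 'frmPurge')) { http_response_code(403); die('Invalid CSRF token!'); }` at the top of purgecache.php. The value is also interpolated into an HTML attribute without escaping; harmless if generate() returns hex or base64, but worth confirming against the CSRF class, which is not in this diff. The heredoc holding this fragment starts before the hunk.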
@@ -32,6 +33,7 @@ $page_content = <<<"FRAGMENT"
<div class="widget">
<h3>{$l10n->getString('Change administrator password')}</h3>
<form action="changepassword.php" method="post" id="frmPassword">
+ <input type="hidden" value="{$csrf->generate('frmPassword')}" name="_csrf">
<p><label for="password">{$l10n->getString('New password:')}</label> <input type="password" class="text" value="" name="password" id="password" size="20" /> <input type="submit" class="submit delete" name="changepwd" id="changepwd" value="{$l10n->getString('Change password')}" /></p>
</form>
</div>
diff --git a/admin/changepassword.php b/admin/changepassword.php
index 8c38769..3b4500e 100644
--- a/admin/changepassword.php
+++ b/admin/changepassword.php
@@ -1,7 +1,9 @@
<?php
+
+require_once __DIR__.'/../app/app.php';
require_once __DIR__.'/inc/auth.inc.php';
-if (isset($_POST['password']) && ('' != $_POST['password'])){
+if ($csrf->verify($_POST['_csrf'], 'frmPassword') && isset($_POST['password']) && ('' != $_POST['password'])) {
$out = '<?php $login="admin"; $password="'.md5($_POST['password']).'"; ?>';
file_put_contents(__DIR__.'/inc/pwd.inc.php', $out);
die("Password changed. <a href='administration.php'>Login</a>");
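Review bot: `$_POST['_csrf']` on the new if line is read without a guard, so a plain GET of changepassword.php, or a POST missing the field, raises an undefined index notice and hands null to verify(); the same unguarded read appears in the subscriptions.php hunk. Use `$_POST['_csrf'] ?? ''` in both places. A failed verification here also falls through silently to whatever follows the if block instead of rejecting the request, unlike subscriptions.php which dies; an explicit `http_response_code(403)` rejection branch would make the two endpoints consistent. The if block's closing brace and the rest of the file lie outside the hunk.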
diff --git a/admin/index.php b/admin/index.php
index a01b77b..0118923 100755
--- a/admin/index.php
+++ b/admin/index.php
@@ -79,6 +79,7 @@ ob_start();
<input type="submit" class="submit add" name="add" value="<?=_g('Add Feed')?>" />
</fieldset>
<p class="help"><?=_g('Accepted formats are RSS and ATOM. If the link is not a feed, moonmoon will try to autodiscover the feed.')?></p>
+ <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
</form>
</div>
@@ -87,6 +88,7 @@ ob_start();
<form action="subscriptions.php" method="post" id="feedmanage">
<p class="action">
<span class="count"><?php echo sprintf(_g('Number of feeds: %s'), $count_feeds)?></span>
+ <input type="hidden" value="<?php echo $csrf->generate('feedmanage'); ?>" name="_csrf">
<input type="submit" class="submit save" name="save" id="save" value="<?=_g('Save changes')?>" />
<input type="submit" class="submit delete" name="delete" id="delete" value="<?=_g('Delete selected Feeds')?>" />
</p>
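Review bot: `$csrf->generate('feedmanage')` is now called twice on the same page, here and in the preceding hunk for the add-feed form, under one key. Whether the second call invalidates the first depends on the CSRF class, which this diff does not show; if generate() rotates the stored token per call, the first form will always submit a stale token and be rejected by subscriptions.php. Generating once into a local and echoing it in both forms, or confirming generate() is idempotent per key, removes the doubt. The echoed value also goes into an attribute unescaped; `htmlspecialchars($csrf->generate('feedmanage'), ENT_QUOTES)` is the safe form if the token format is not guaranteed.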
diff --git a/admin/login.php b/admin/login.php
index 3ba4d2b..a95e59f 100755
--- a/admin/login.php
+++ b/admin/login.php
@@ -1,10 +1,13 @@
<?php
+
+require_once __DIR__ . '/../app/app.php';
+
if (isset($_POST['password'])) {
+ session_regenerate_id();
setcookie('auth',md5($_POST['password']));
header('Location: index.php');
}
-require_once __DIR__ . '/../app/app.php';
$page_content = <<<FRAGMENT
<form action="" method="post" class="login">
<fieldset>
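Review bot: The login form rendered from the heredoc that begins at the end of this hunk carries no `_csrf` field, so login remains the one admin form not covered by the new mitigation, and a forged login can plant an attacker-chosen auth cookie in the victim's browser. Adding `<input type="hidden" value="{$csrf->generate('login')}" name="_csrf">` to the form and verifying it before setcookie() would close that gap. The added `session_regenerate_id()` keeps the old session data file unless passed `true`; `session_regenerate_id(true)` deletes it. I am assuming app.php starts the session, which this diff does not show; the heredoc and form continue outside the hunk.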
diff --git a/admin/logout.php b/admin/logout.php
index 6dd32aa..adb843f 100644
--- a/admin/logout.php
+++ b/admin/logout.php
@@ -1,5 +1,10 @@
<?php
+
+require_once __DIR__ . '/../app/app.php';
+
setcookie('auth','', time()-3600);
+session_destroy();
+session_regenerate_id();
+
header('Location: login.php');
-die;
-?> \ No newline at end of file
+die();
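Review bot: `session_regenerate_id()` is called after `session_destroy()`, and once the session is destroyed there is no active session to regenerate, so on PHP 7.1 and later this emits a warning and returns false. Either drop it or move it before `session_destroy()`; the usual logout sequence is `$_SESSION = []; session_destroy();` followed by expiring the session cookie with `setcookie(session_name(), '', time() - 3600);`, since session_destroy() leaves the client-side cookie in place. I am assuming app.php starts the session, which this diff does not show.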
diff --git a/admin/subscriptions.php b/admin/subscriptions.php
index f63af8f..7b2fb6f 100755
--- a/admin/subscriptions.php
+++ b/admin/subscriptions.php
@@ -7,6 +7,10 @@ function removeSlashes(&$item, $key){
$item = stripslashes($item);
}
+if (!$csrf->verify($_POST['_csrf'], 'feedmanage')) {
+ die('Invalid CSRF token!');
+}
+
if (isset($_POST['opml']) || isset($_POST['add'])) {
// Load old OPML