Merge pull request #15 from jrmhaig/csrf

Guard against CSRF

includes/admin.php

@@ -13,6 +13,7 @@ function Status($message, $level='success', $dismissable=true) {
 function DisplayAuthConfig($username, $password){
 	$status = '';
 	if (isset($_POST['UpdateAdminPassword'])) {
+		if (CSRFValidate()) {
 			if (password_verify($_POST['oldpass'], $password)) {
 				$new_username=trim($_POST['username']);
 				if ($_POST['newpass'] != $_POST['newpassagain']) {
@@ -33,6 +34,9 @@ function DisplayAuthConfig($username, $password){
 			} else {
 				$status = Status('Old password does not match', 'danger');
 			}
+    } else {
+			error_log('CSRF violation');
+    }
   }
 ?>
 	<div class="row">
@@ -42,6 +46,7 @@ function DisplayAuthConfig($username, $password){
 				<div class="panel-body">
 					<p><?php echo $status; ?></p>
 					<form role="form" action="/?page=auth_conf" method="POST">
+						<?php CSRFToken() ?>
 						<div class="row">
 							<div class="form-group col-md-4">
 								<label for="username">Username</label>

includes/functions.php

@@ -1,5 +1,25 @@
 <?php
 
+/**
+*
+* Add CSRF Token to form
+*
+*/
+function CSRFToken() {
+?>
+<input type="hidden" name="csrf_token" value="<?php echo $_SESSION['csrf_token']; ?>" />
+<?php
+}
+
+/**
+*
+* Validate CSRF Token
+*
+*/
+function CSRFValidate() {
+  return hash_equals($_POST['csrf_token'], $_SESSION['csrf_token']);
+}
+
 /**
 *
 * @param string $input

index.php

@@ -44,6 +44,16 @@ include_once( 'includes/functions.php' );
 
 $output = $return = 0;
 $page = $_GET['page'];
+
+session_start();
+if (empty($_SESSION['csrf_token'])) {
+    if (function_exists('mcrypt_create_iv')) {
+        $_SESSION['csrf_token'] = bin2hex(mcrypt_create_iv(32, MCRYPT_DEV_URANDOM));
+    } else {
+        $_SESSION['csrf_token'] = bin2hex(openssl_random_pseudo_bytes(32));
+    }
+}
+$csrf_token = $_SESSION['csrf_token'];
 ?>
 
 <!DOCTYPE html>