From: Frédéric Buclin Date: Mon, 6 Aug 2012 21:44:33 +0000 (+0200) Subject: Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password... X-Git-Tag: bugzilla-4.2.3~19 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2137f365677d836e3d3c55c81634d0f732fecdfe;p=thirdparty%2Fbugzilla.git Bug 706271: CSRF vulnerability in token.cgi allows possible unauthorized password reset e-mail request r=reed a=LpSolit --- diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl index fbe40fb434..cb43354660 100644 --- a/template/en/default/account/auth/login-small.html.tmpl +++ b/template/en/default/account/auth/login-small.html.tmpl @@ -36,8 +36,8 @@ [% IF cgi.request_method == "GET" AND cgi.query_string %] [% connector = "&" %] [% END %] - [% script_name = login_target _ connector _ "GoAheadAndLogIn=1" %] - Log In [% Hook.process('additional_methods') %] @@ -114,7 +114,7 @@
  • | - Forgot Password
    @@ -123,6 +123,7 @@ + [x]
  • diff --git a/template/en/default/account/auth/login.html.tmpl b/template/en/default/account/auth/login.html.tmpl index 122ef6f7ce..3de52b6a0d 100644 --- a/template/en/default/account/auth/login.html.tmpl +++ b/template/en/default/account/auth/login.html.tmpl @@ -115,6 +115,7 @@ enter your login name below and submit a request to change your password.
    + [% END %] diff --git a/token.cgi b/token.cgi index fa262e76a4..20870159a5 100755 --- a/token.cgi +++ b/token.cgi @@ -108,6 +108,11 @@ if ( $action eq 'reqpw' ) { ThrowUserError("password_change_requests_not_allowed"); } + # Check the hash token to make sure this user actually submitted + # the forgotten password form. + my $token = $cgi->param('token'); + check_hash_token($token, ['reqpw']); + validate_email_syntax($login_name) || ThrowUserError('illegal_email_address', {addr => $login_name});
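Review bot: `check_hash_token($token, ['reqpw']);` discards its result, so the whole CSRF defence rests on the helper raising a user error when `token` is absent or fails to verify; that contract is not visible in this hunk and should be stated next to the call, e.g. `# check_hash_token() throws on a missing or invalid token, so no return value is tested here.` If the helper instead returns a status, this line is a no-op and needs an explicit `|| ThrowUserError(...)`. Because reqpw is reached by logged-out users, the token only blocks a forged request if issue_hash_token binds it to something the attacker cannot reproduce for the victim (remote IP or the login cookie) rather than just `['reqpw']` plus a timestamp — otherwise an attacker can mint a valid token from their own page load and embed it in the auto-submitting form; this should be confirmed against Bugzilla::Token, which is outside the hunk. The enclosing `if ($action eq 'reqpw')` block begins before this hunk and continues past it.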