CVE-2023-38349: Add CSRF Token to Template View and AJAX Controller by martialblog · Pull Request #17 · pnp4nagios/pnp4nagios
PNP4Nagios through 81ebfc5 lacks CSRF protection in the AJAX controller. This affects 0.6.26.
Hello,
The controller was missing CSRF protection. This fix uses per-session tokens that are sent with each POST request to the controller.
For this, I backported the Security.php from a newer Kohana, since an update of the entire Framework seemed counterproductive for this particular fix.
I’m not super fluent in PHP and therefore decided on a guard clause pattern, hope that’s OK. Let me know if I should adjust anything.
Regards
Markus
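The pattern the pull request describes, as an added illustration that is not code from PNP4Nagios, this PR or Kohana's Security.php: a token is generated once per session, the template view embeds it in the form so the AJAX request can send it back, and the controller rejects any POST whose token does not match before doing anything else. The function names, the `csrf_token` session key and the use of a plain array in place of `$_SESSION` are assumptions made for the example.

```php
<?php
// Added example (not PNP4Nagios, this PR or Kohana code): per-session CSRF
// token generated once, emitted by the view, checked by a guard clause in
// the controller before any POST handling happens.

declare(strict_types=1);

// Hypothetical session key; the real fix may use a different name.
const CSRF_TOKEN_KEY = 'csrf_token';

// Return the session's token, creating it on first use so it stays stable
// for the lifetime of the session (one token per session, not per request).
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_TOKEN_KEY])) {
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

// Compare the submitted token with the session token in constant time.
// A missing session token or a non-string submission fails closed.
function csrf_check(array $session, mixed $submitted): bool
{
    if (!isset($session[CSRF_TOKEN_KEY]) || !is_string($submitted)) {
        return false;
    }
    return hash_equals($session[CSRF_TOKEN_KEY], $submitted);
}

// What the template view emits: a hidden field the page's AJAX code can
// read and include in each POST body.
function csrf_hidden_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Guard clause at the top of the controller action: reject before work.
function ajax_controller(array $session, string $method, array $post): array
{
    if ($method === 'POST' && !csrf_check($session, $post['csrf_token'] ?? null)) {
        return ['status' => 403, 'body' => 'CSRF token missing or invalid'];
    }
    // ... normal controller work would follow here ...
    return ['status' => 200, 'body' => 'ok'];
}

// Demonstration with a constructed in-memory session instead of $_SESSION.
$session = [];
echo csrf_hidden_field($session), PHP_EOL;

// A same-origin request carries the token the view embedded: accepted.
$legit = ajax_controller($session, 'POST', ['csrf_token' => $session[CSRF_TOKEN_KEY]]);
echo 'same-origin POST: ', $legit['status'], PHP_EOL;

// A cross-site forged POST cannot read the victim's session token, so any
// value it supplies (or omits) fails the check and the request is rejected.
$forged = ajax_controller($session, 'POST', ['csrf_token' => 'wrong-value']);
echo 'forged POST: ', $forged['status'], PHP_EOL;
$missing = ajax_controller($session, 'POST', []);
echo 'POST without token: ', $missing['status'], PHP_EOL;
```

The check uses `hash_equals` rather than `===` so that comparison time does not depend on how many leading characters match, and it is placed before any state-changing code so that a failed check cannot have side effects. Because the token is bound to the session rather than regenerated per request, several concurrent AJAX calls from the same page all validate against the same value.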