CVE-2022-0231: CSRF for file configuration URL · LiveHelperChat/livehelperchat@6ad1349
livehelperchat is vulnerable to Cross-Site Request Forgery (CSRF)
CSRF for file configuration URL
1 parent f59ffb0 commit 6ad1349dc5e7503b00c5017499a0a895d7654a61
Showing with 8 additions and 0 deletions.
- +2 −0 lhc_web/design/defaulttheme/tpl/lhfile/configuration.tpl.php
- +6 −0 lhc_web/modules/lhfile/configuration.php
@@ -10,6 +10,8 @@
<form action="" ng-non-bindable method="post">
<?php include(erLhcoreClassDesign::designtpl(‘lhkernel/csfr_token.tpl.php’));?>
<div class="row">
<div class="col-6">
<div class="form-group">
@@ -7,6 +7,12 @@
if (isset($_POST[‘StoreFileConfiguration’])) {
if (!isset($_POST[‘csfr_token’]) || !$currentUser->validateCSFRToken($_POST[‘csfr_token’])) {
erLhcoreClassModule::redirect(‘file/configuration’);
exit;
}
$definition = array(
‘AllowedFileTypes’ => new ezcInputFormDefinitionElement(
ezcInputFormDefinitionElement::OPTIONAL, ‘string’
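Review bot: The token check added at lines 20-23 only guards the `StoreFileConfiguration` branch, so if this module handles any other state-changing POST action (the rest of configuration.php is outside the hunk) it stays unprotected; either every POST handler in the file should validate the token the same way, or the check should sit above the action dispatch. The rejection path redirects to `file/configuration` and drops the submission without any message, which makes a rejected token (for example an expired session) look identical to a successful save; consider setting a flash error before the redirect. `validateCSFRToken` is opaque from here — confirm it compares with `hash_equals()` and rejects an empty or missing session token rather than treating it as a match. The `exit;` after `erLhcoreClassModule::redirect()` is only necessary if that helper does not terminate the request itself, which is not visible in this hunk. The enclosing `if (isset($_POST['StoreFileConfiguration']))` block begins at line 19 and ends outside the hunk.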