CVE-2022-4397: Add CSRF-token for comments · morontt/zend-blog-number-2@36b2d4a
A vulnerability was found in morontt zend-blog-number-2. It has been classified as problematic. Affected is an unknown function of the file application/forms/Comment.php of the component Comment Handler. The manipulation leads to cross-site request forgery. It is possible to launch the attack remotely. The name of the patch is 36b2d4abe20a6245e4f8df7a4b14e130b24d429d. It is recommended to apply a patch to fix this issue. VDB-215250 is the identifier assigned to this vulnerability.
@@ -154,6 +154,7 @@ public function topicAction()
$form = new Application_Form_Comment();
$form->topicId->setValue($post->id);
$form->getElement(‘csrfToken’)->setValue($this->generateCommentToken());
$this->view->form = $form;
@@ -234,7 +235,10 @@ public function ajaxaddcommentAction()
if ($form->isValid($this->getRequest()->getPost())) {
$formData = $form->getValues();
$this->saveComment($topicId, $url, $formData);
if ($this->validCommentToken($formData[‘csrfToken’])) {
$this->saveComment($topicId, $url, $formData);
}
$result[‘valid’] = true;
} else {
$formView = new Zend_View;
@@ -413,4 +417,29 @@ protected function isCDN()
&& (stripos($_SERVER[‘HTTP_VIA’], ‘BunnyCDN’) !== false
|| strpos($_SERVER[‘HTTP_VIA’], ‘cdn77’) !== false);
}
private function generateCommentToken($time = null): string
{
$time = $time ?? time();
$userAgent = $_SERVER[‘HTTP_USER_AGENT’] ?? '’;
return base64_encode($time . ‘:’ . hash('md5’, ‘MD5_’ . $userAgent . $time, true));
}
private function validCommentToken($token): bool
{
$raw = base64_decode($token, true);
if ($raw === false) {
return false;
}
$position = strpos($raw, ‘:’);
if ($position === false) {
return false;
}
$time = substr($raw, 0, $position);
return hash_equals($this->generateCommentToken($time), $token);
}
}
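Review bot: The token produced by generateCommentToken is derived only from the request time and `$_SERVER['HTTP_USER_AGENT']`, with no server-side secret and no session binding, so anyone who knows the browser's user agent can produce a value that validCommentToken accepts, which defeats the CSRF purpose of the commit. Binding it to the session and a secret — e.g. `hash_hmac('sha256', $time . ':' . Zend_Session::getId(), $secret, true)` where `$secret` is a placeholder for a value read from the application config — or using the framework's session-bound Zend_Form_Element_Hash would close that gap. validCommentToken also never bounds `$time`, so a token stays valid indefinitely; a check such as `if (time() - (int) $time > 3600) { return false; }` (constructed limit) belongs there regardless of which MAC is used. In the ajaxaddcommentAction hunk, a failed token check still sets `$result['valid'] = true`, so the client is told the comment was saved when it was not, and if the first `$this->saveComment($topicId, $url, $formData);` line is surviving context rather than the removed line, the check is bypassed entirely — worth confirming against the full diff.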