FSN#37517 PENTEST PINE 4.7.1: CSRF token vaker gebruiken

svn path=/Website/trunk/; revision=30481
Erik Groener
2016-08-31 14:14:56 +00:00
parent a508c0a84b
commit 6c20f7627c
14 changed files with 218 additions and 115 deletions


@@ -20,6 +20,8 @@ var autoopenurl = getFParam("autoopenurl");
var autoopenttl = getFParam("autoopenttl");
var filters = getFParam("filters", "");
protectRequest.validateToken();
function cleanurl(purl)
{
var autourl = purl;


@@ -6,12 +6,21 @@
*/
function DoAction(messKey, isNew, action) {
if (isNew)
MarkAsRead(messKey, isNew, 0);
MarkAsRead(messKey, isNew, 0);
FcltMgr.openDetail(action, { reuse: true });
}
function MarkAsRead(messKey, wasnew, dopurge) {
$.post("fac_user_messages_setReadFlag.asp?messKey=" + messKey+(dopurge==1 ? "&purge=1" : ""));
var purl = "fac_user_messages_setReadFlag.asp?messKey=" + messKey+(dopurge==1 ? "&purge=1" : "");
var data = {messKey: messKey};
protectRequest.dataToken(data);
$.post(purl
,data
,FcltCallback
,"json"
);
if (dopurge) $("[messKey="+messKey+"]").hide();
}
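Review bot: `messKey` is now sent twice by `MarkAsRead` — once in the query string of `purl` and once in the `data` body — while the handler changed in this same commit reads it with `getFParamInt("messkey")`, so the query-string copy is dead; `purge` must stay on the URL because that handler reads it with `getQParamInt("purge", 0)`. Suggest `var purl = "fac_user_messages_setReadFlag.asp" + (dopurge==1 ? "?purge=1" : "");`. Note also that `$("[messKey="+messKey+"]").hide()` still runs before the POST completes, so a token failure reported through `FcltCallback` leaves the row already hidden; moving the hide into the callback would keep the UI in step with the server's answer.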


@@ -6,8 +6,7 @@
*/
var deleteall = getFParamInt("deleteall", 0) == 1;
if (deleteall)
var JSON_Result = true;
var JSON_Result = true;
%>
<!-- #include file="../Shared/common.inc" -->
<!-- #include file="../Shared/json2.js" -->
@@ -28,6 +27,9 @@ else
var purge = getQParamInt("purge", 0) == 1;
var act = getQParam("act", "");
var messKey = getFParamInt("messkey");
protectRequest.validateToken();
if (messKey)
{
var sql = "";
@@ -36,18 +38,20 @@ else
sql = "DELETE FROM web_user_messages"
+ " WHERE web_user_message_key = " + messKey
+ " AND prs_perslid_key_receiver = "+ user_key; /* forces authorization */
}
else
{
sql = "UPDATE web_user_messages SET web_user_mess_action_status = '2' "
+ " WHERE web_user_message_key = " + messKey
+ " AND prs_perslid_key_receiver = "+ user_key; /* forces authorization */
}
Oracle.Execute(sql);
}
else
{
sql = "UPDATE web_user_messages SET web_user_mess_action_status = '2' "
+ " WHERE web_user_message_key = " + messKey
+ " AND prs_perslid_key_receiver = "+ user_key; /* forces authorization */
}
Oracle.Execute(sql);
}
if (act != "") {
Response.Redirect(act);
}
var result = { success: true };
Response.Write(JSON.stringify(result));
}
%>
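Review bot: `Response.Redirect(act)` takes its target straight from `getQParam("act", "")`, so the endpoint redirects to any caller-supplied URL even now that the POST itself is token-protected; whether that `if (act != "")` block is new or context is not clear from the rendering. Restricting `act` to a site-relative path (reject values that do not start with a single `/`, or check it against the known pages that link here) would close that. Separately, `var JSON_Result = true` is now unconditional, so a failed `validateToken()` answers with a JSON body even on the `act` redirect path where the caller presumably expected a page; worth confirming the callers that pass `act` cope with that.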


@@ -11,7 +11,7 @@ var JSON_Result = true;
<!-- #include file="../Shared/json2.js" -->
<%
//protectRequest.validateToken();
protectRequest.validateToken();
var inskenmerkdeelkey = getQParamInt("inskenmerkdeelkey", -1);
var aanmaakdatum_prev;
var insdeelkey_next;


@@ -84,7 +84,7 @@ if (!oRs.eof)
{
var data = {};
<% protectRequest.dataToken("data"); %>
$.getJSON("./ins_history_delete.asp?inskenmerkdeelkey=" + insKenmerkDeelKey,
$.post("./ins_history_delete.asp?inskenmerkdeelkey=" + insKenmerkDeelKey,
data,
function process_history_delete(data)
{
@@ -103,7 +103,7 @@ if (!oRs.eof)
</script>
<form name=u2 action="ins_verbruik_history.asp" method=get>
<form name=u2 action="ins_verbruik_history.asp" method="get">
<% if (isNaN(insdeelkey))
{
Response.Write("Illegal call: " + Request.ServerVariables("URL"));
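Review bot: Replacing `$.getJSON` with `$.post` drops the implicit `"json"` dataType, so unless a dataType argument follows the callback outside the hunk, `process_history_delete(data)` receives the raw response text whenever the server does not send a JSON content type; pass `"json"` as the last argument to keep the previous parsing, as the other `$.post` calls in this commit do. `insKenmerkDeelKey` stays in the query string, which matches the handler's `getQParamInt("inskenmerkdeelkey", -1)` in this commit. The `$.post` call continues past the end of the hunk.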


@@ -131,6 +131,7 @@ var FcltMgr =
fnDoSave: function (ttl, data)
{
data.autoopenttl = ttl;
protectRequest.dataToken(data);
$.post(rooturl + "/appl/fac/fac_current_tab_save.asp",
data,
FcltCallbackAndThen(function (returndata)


@@ -56,7 +56,11 @@
<script type='text/javascript'>
function email_link(bmid)
{
$.post("prs_perslid_qr_mail.asp?bmid=<%=safe.jsstring(bookmarkId)%>", { }, FcltCallback, "json");
var data = {bmid: "<%=safe.jsstring(bookmarkId)%>"};
<% protectRequest.dataToken("data"); %>
$.post("prs_perslid_qr_mail.asp",
data,
FcltCallback, "json");
}
function clear_sessions(bmid)
{
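Review bot: The `bmid` parameter of `email_link` is unused — the new `data` object is built from the server-side `bookmarkId` instead — so either the parameter should go or it should be what is posted; as written a caller's argument silently has no effect. Since `data` is a literal with a server-rendered value and `dataToken("data")` adds the token on the server side as well, this is a style point rather than a defect. `clear_sessions` begins at the end of the hunk and is not reviewed here.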


@@ -16,10 +16,11 @@ var JSON_Result = true;
<!--#include file="../Shared/send_mail.inc"-->
<!--#include file="../Shared/json2.js" -->
<%
protectRequest.validateToken();
if (S("qrc_enable") != 1)
shared.simpel_page(L("lcl_no_auth"));
var bmid = getQParam("bmid");
var bmid = getFParam("bmid");
var sql = " SELECT prs_perslid_key"
+ " FROM fac_bookmark"
+ " WHERE fac_bookmark_id = " + safe.quoted_sql(bmid);


@@ -34,7 +34,7 @@
<!-- #include file="./flexfiles.inc" -->
<%
protectQS.verify(); // tamper check
protectQS.verify({ allowparams: ["no_autoscroll"]}); // tamper check
// key of folder wordt doorgegeven
var pKey = getQParamInt("key", -1);
@@ -46,7 +46,6 @@ var pMulti = getQParamInt("multi", 0) == 1;
var pReado = getQParamInt("reado", 0) == 1;
var showFilter = getFParam("showFilter", ""); // zoek mogelijkheid binnen lijst bestanden
var pDoDelete = getQParam("DoDelete", "");
var pAlgLevel = getQParam("kenmerk_module", "");
var transitParam = buildTransitParam(["key", "module", "niveau", "kenmerk_key", "encrypt", "extFilter", "pregexp", "showFilter", "reado", "multi", "tmpfolder", "kenmerk_module"]);
@@ -55,28 +54,6 @@ params = flexProps(pModule, pKey, String(pKenmerk_key), pNiveau, {alglevel: pAlg
__Log("Zoeken bestanden onder " + params.AttachPath);
if (pDoDelete != "")
{
DeleteFile(params.AttachPath + "/" + safe.filename(pDoDelete));
// Verwijderen bijlage/bestand tracken.
if (pKey > -1 && params.trackcode && (params.kenmerktype == "E" || params.kenmerktype == "F" || params.kenmerktype == "M"))
{
if (pModule == "BEZ")
{ // Voor afpraken heb ik de afspraak key nodig i.p.v. de bezoekerskey om de kenmerk omschrijving te bepalen.
var sql = "SELECT bez_afspraak_key"
+ " FROM bez_bezoekers"
+ " WHERE bez_bezoekers_key = " + pKey;
oRs = Oracle.Execute(sql);
var afspr_key = oRs("bez_afspraak_key").Value;
oRs.close();
pKey = String(afspr_key);
}
var ptxt = L("lcl_shared_attachment_delete").format(params.kenmerkoms, safe.filename(pDoDelete));
shared.trackaction(params.trackcode, pKey, ptxt);
}
}
function OpenFlexFile(fname)
{
var s = "../shared/BijlagenStream.asp"
@@ -181,11 +158,18 @@ if (fso.FolderExists(params.AttachPath))
document.forms.finder.submit();
}
function DeleteFile(fname, safeDeleteurl)
function DeleteFile(fname)
{
if (confirm(L("lcl_delete") + " " + fname + "?"))
{
window.location = safeDeleteurl;
var purl = '<%=safe.jsstring(protectQS.create("BijlagenForm_delete.asp?x=x"+transitParam))%>';
var data = {DoDelete: fname};
protectRequest.dataToken(data);
$.post(purl,
data,
FcltCallbackRefresh
);
}
}
@@ -230,8 +214,10 @@ if (fso.FolderExists(params.AttachPath))
document.forms.u2.action = "<%=protectQS.create("UploadForm_save.asp?action=insert"+transitParam)%>"
document.forms.u2.submit();
}
function uploadDone()
function uploadDone(uploaded_file)
{
FcltMgr.topmanager().window.$.toast({ text: L("lcl_appendix_added").format(uploaded_file), icon: "success", position : 'top-center'});
window.location = "<%=protectQS.create("BijlagenForm.asp?x=x"+transitParam)%>";
}
@@ -319,7 +305,7 @@ if (fso.FolderExists(params.AttachPath))
<TD align='right'><%=fileArray[i].vFileSize%></TD>
<% if (!pReado)
{ %>
<td align=center><img onClick="DeleteFile('<%=safe.jsstring(fileArray[i].vFileName)%>', '<%=safe.jsstring(protectQS.create("Bijlagenform.asp?DoDelete="+Server.URLEncode(fileArray[i].vFileName)+transitParam))%>')"
<td align=center><img onClick="DeleteFile('<%=safe.jsstring(fileArray[i].vFileName)%>')"
src='../pictures/delete.gif' title='<%=L("lcl_filedelete")%>'>
</td>
<% } %>
@@ -339,7 +325,7 @@ if (fso.FolderExists(params.AttachPath))
%> <tr><td colspan="4">
<label><%=L("lcl_upload_file")%>:</label>
<% if (params.extFilter) { Response.Write("(" + safe.html(params.extFilter) + ")"); } %>
<input type="file" name="imgfile" style="width: 95%" onchange="iface.button[this.value?'enable':'disable']('btn_upload_submit')">
<input type="file" multiple name="imgfile" style="width: 95%" onchange="iface.button[this.value?'enable':'disable']('btn_upload_submit')">
<div id="uploading" style="display:none">
Please wait...
</div>
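Review bot: The file input now carries `multiple`, but the upload handling in this commit still reads a single `UploadRequest.Item("imgfile")` (its own comment says the loop is still to do) and `BuildUploadRequest` stores each part with `UploadRequest.Add name, UploadControl`; with two selected files both parts are named `imgfile`, and a second `Add` with an existing key raises a runtime error on a Scripting.Dictionary, so a multi-file upload would presumably fail before anything is saved. Either hold back `multiple` until the server loops over the parts, or key the dictionary by part index instead of field name. The delete path moving from a `DoDelete` query parameter to a token-carrying POST against a `protectQS.create(...)` URL in `DeleteFile(fname)` looks right; the `window.location` reload in `uploadDone` is unchanged.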


@@ -0,0 +1,59 @@
<%@language = "javascript" %>
<% /*
$Revision$
$Id$
File: BijlagenForm_delete.asp
Description: SUBMIT-form
Parameters:
Context:
Note:
*/
var JSON_Result = true;
%>
<!-- #include file="../Shared/common.inc" -->
<!-- #include file="../Shared/json2.js" -->
<!-- #include file="./flexfiles.inc" -->
<%
protectQS.verify(); // tamper check
protectRequest.validateToken();
var pKey = getQParamInt("key", -1);
var pModule = getQParamSafe("module");
var pNiveau = getQParamSafe("niveau", "");
var pKenmerk_key = getQParamInt("kenmerk_key", -1);
var pAlgLevel = getQParam("kenmerk_module", "");
var pDoDelete = getFParam("DoDelete", "");
var params = flexProps(pModule, pKey, String(pKenmerk_key), pNiveau, {alglevel: pAlgLevel});
result = { success: true, toaster: L("lcl_appendix_removed").format(pDoDelete)};
if (pDoDelete != "")
{
DeleteFile(params.AttachPath + "/" + safe.filename(pDoDelete));
// Verwijderen bijlage/bestand tracken.
if (pKey > -1 && params.trackcode && (params.kenmerktype == "E" || params.kenmerktype == "F" || params.kenmerktype == "M"))
{
if (pModule == "BEZ")
{ // Voor afpraken heb ik de afspraak key nodig i.p.v. de bezoekerskey om de kenmerk omschrijving te bepalen.
var sql = "SELECT bez_afspraak_key"
+ " FROM bez_bezoekers"
+ " WHERE bez_bezoekers_key = " + pKey;
oRs = Oracle.Execute(sql);
var afspr_key = oRs("bez_afspraak_key").Value;
oRs.close();
pKey = String(afspr_key);
}
var ptxt = L("lcl_shared_attachment_delete").format(params.kenmerkoms, safe.filename(pDoDelete));
shared.trackaction(params.trackcode, pKey, ptxt);
}
result.removed = true;
}
Response.Write(JSON.stringify(result));
Response.End;
%>
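Review bot: `result = { success: true, toaster: ... }` on the line after `flexProps(...)` is assigned without `var`, creating an implicit global; write `var result = { success: true, toaster: L("lcl_appendix_removed").format(pDoDelete)};`. The toaster text is formatted with the raw `pDoDelete` while the file actually removed is `safe.filename(pDoDelete)`; using the sanitised name in the message too keeps the two consistent and avoids echoing an unsanitised request value back to the browser. An empty `DoDelete` still answers `success: true` (only `removed` is absent), which callers may not distinguish from a deletion. `oRs = Oracle.Execute(sql)` is likewise missing `var`, carried over from the code this replaces.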


@@ -1021,13 +1021,11 @@ function abort_with_warning(warning, code)
}
else if (JSON_Result && JSON)
{
__Log("D 1");
Response.Write(JSON.stringify({ warning: warning, keepForm: true }));
}
else
{
__Log("D 2");
%>
%>
<html>
<head>
<% FCLTHeader.Generate() %>
@@ -1209,6 +1207,19 @@ var protectQS =
}
}
// http://www.owasp.org/index.php/Session_Fixation_Protection
function setASPFIXATION()
{
var FACSESSIONID = shared.random(32); // genereer grote random string.
var ASPFIXATION = Session("customerId") + FACSESSIONID;
Response.Cookies("ASPFIXATION") = ASPFIXATION; // deze controleren we weer in default.inc
Response.Cookies("ASPFIXATION").Path = rooturl + "/"; // anders niet met ServerXMLHttp
if (S("auto_https") & 2)
Response.Cookies("ASPFIXATION").Secure= true;
Session("ASPFIXATION") = ASPFIXATION; // deze controleren we weer in default.inc
Session("FACSESSIONID") = FACSESSIONID;
}
var protectRequest =
{
theToken: function () { return Session("ASPFIXATION") }, // Session ASPFIXATION token wordt gebruikt als cookie voor anti CSRF Cross Site
@@ -1226,12 +1237,13 @@ var protectRequest =
<%
},
validateToken: function ()
{ // De token van het hidden inputveld valideren met de token van de cookie
__Log("XXX");
validateToken: function (externtoken)
{ // De token van het hidden inputveld valideren met de token van de cookie.
// Voorkeur gaat uit naar het gebruik van getFParam(), maar in Multipart/form-data zijn deze niet beschikbaar.
// De form-parameters worden in upload.inc alsnog uitgelezen, zodat het token aan deze functie meegegeven kan worden.
try // API's hebben vaak inputXML.load(Request); gedaan en dan werkt getFParam niet meer
{
var verificationToken = getFParam(protectRequest.theVar, "");
var verificationToken = (externtoken ? externtoken : getFParam(protectRequest.theVar, ""));
}
catch (e)
{ // API's die buildInsert of buildUpdate doen moeten daar vaak { noValidateToken: true } bij doen
@@ -1239,21 +1251,19 @@ __Log("XXX");
INTERNAL_ERROR_TOKEN_VALIDATIE;
};
var cookieToken = protectRequest.theToken()||""; // is leeg bij self_register.asp als we nog niet zijn ingelogd.
if (verificationToken != cookieToken)
{ // Is deze functie vanuit een post aangeroepen? Dan afhandeling door post functie af laten handelen.
__Log("XXX 1");
if (typeof DOCTYPE_Disable != "undefined" && DOCTYPE_Disable == 1 && typeof JSON != "undefined")
{
__Log("XXX 2");
var result = {message: L("lcl_authentication_error")};
Response.Write(JSON.stringify(result));
Response.End;
}
else
{
__Log("XXX 3");
abort_with_warning(L("lcl_authentication_error"));
__Log("XXX 4");
}
}
}
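Review bot: In `validateToken`, `cookieToken` falls back to `""` and `verificationToken` defaults to `""` when the form field is absent, so whenever no session token exists yet (the comment names self_register.asp; the login page that gains `validateToken()` in this commit under `ANONYMOUS_Allowed = 1` may be in the same situation) a request carrying no token at all compares `"" != ""` and passes. If validation is meant to be enforced there, reject an empty cookie token explicitly, e.g. `if (cookieToken == "" || verificationToken != cookieToken)`; if anonymous pages are meant to skip the check, make that an explicit early return with a comment rather than an accidental match. The `externtoken ? externtoken : getFParam(...)` fallback also means an empty string passed from upload.asp silently re-reads the form, which the new comment says is unavailable for multipart; the try block catches that, but the comment should say so. The function spans two hunks with a gap between them.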


@@ -59,13 +59,24 @@ function jslog(str) // VB Vindt de twee underscores niet leuk
__Log("Opslaan onder: " + params.AttachPath);
var found_files = [];
var found_fields = {};
function js_add_file(name, data, contenttype)
{
found_files.push({ name: name, data: data, contenttype: contenttype});
}
function js_add_field(name, data)
{
found_fields[name] = data;
}
var VB_result = VB_getfiles();
//__Log(found_fields);
protectRequest.validateToken(found_fields["__RequestVerificationToken"]);
// Obscuur: hier geen 'i' gebruiken omdat upload.inc/ getString die ook al gebruikt
// Je krijgt daar dan 'Illegal Assignment', ik verzin het niet
for (var j = 0; j < found_files.length; j++)
@@ -90,8 +101,7 @@ function jslog(str) // VB Vindt de twee underscores niet leuk
}
__DoLog(found_files);
Response.End;
var result = { message: VB_result("message"),
safefilename: VB_result("safefilename")
};
@@ -130,7 +140,7 @@ Response.End;
}
if (result.message != "")
if (result.message && result.message != "")
{
result.message = L("lcl_shared_upload_error_start") + result.message + L("lcl_shared_upload_error_end");
}
@@ -243,7 +253,7 @@ Response.End;
<% if (result.message) { %>
alert("<%=safe.jsstring(result.message)%>");
<% } %>
parent.uploadDone("<%=safe.jsstring(result.safefilename)%>"); // Zoo fout....
parent.uploadDone("<%=found_files[0].name%>"); // Zoo fout....
</script>
<%
Response.End;
@@ -283,11 +293,27 @@ Public Function VB_getfiles()
Set UploadRequest = CreateObject("Scripting.Dictionary")
BuildUploadRequest RequestBin
' Dit moet nog ini een lus voor meerdere bestanden.
contentType = UploadRequest.Item("imgfile").Item("ContentType")
filepathname = UploadRequest.Item("imgfile").Item("FileName")
value = MultiByteToBinary(UploadRequest.Item("imgfile").Item("Value"))
js_add_file filepathname, value, contentType
' Vul via de (Javascipt) functie js_add_field de globale found_fields
' met de hidden form-fields uit de header
Dim ur_key, i, var_naam, var_waarde
ur_key = UploadRequest.Keys
for i = 0 To UploadRequest.Count -1
var_naam = ur_key(i)
if UploadRequest.Item(var_naam).Exists("ContentType") then
var_waarde = UploadRequest.Item(var_naam).Item("FileName")
else
var_waarde = UploadRequest.Item(var_naam).Item("Value")
end if
js_add_field var_naam, var_waarde
next
Set VB_getfiles = result
End Function
</script>
</script>
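Review bot: `parent.uploadDone("<%=found_files[0].name%>")` replaces a `safe.jsstring(...)`-wrapped value with the client-supplied file name written directly into a JavaScript string literal, so a name containing a quote or `</script>` breaks out of the literal; restore the escaping with `parent.uploadDone("<%=safe.jsstring(found_files[0].name)%>");`. With the file input now `multiple`, only the first file is reported here as well. The token field is looked up as `found_fields["__RequestVerificationToken"]` while `validateToken` itself reads `protectRequest.theVar`; `found_fields[protectRequest.theVar]` keeps a single definition of the field name.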


@@ -18,6 +18,7 @@ var ANONYMOUS_Allowed = 1;
<!-- #include file="../Shared/login.inc" -->
<!-- #include file="../Shared/json2.js" -->
<%
protectRequest.validateToken();
var nm = getFParam("vis_name");
var ps = getFParam("vis_pswd");


@@ -4,64 +4,64 @@
*/ %>
<script language="VBScript" runat="Server">
Sub BuildUploadRequest(RequestBin)
'Get the boundary
PosBeg = 1
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
boundary = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
boundaryPos = InstrB(1,RequestBin,boundary)
'Get all data inside the boundaries
Do until (boundaryPos=InstrB(RequestBin,boundary & getByteString("--")))
'Members variable of objects are put in a dictionary object
Dim UploadControl
Set UploadControl = CreateObject("Scripting.Dictionary")
'Get an object name
Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Disposition"))
Pos = InstrB(Pos,RequestBin,getByteString("name="))
PosBeg = Pos+6
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
Name = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
PosFile = InstrB(BoundaryPos,RequestBin,getByteString("filename="))
PosBound = InstrB(PosEnd,RequestBin,boundary)
'Test if object is of file type
If PosFile<>0 AND (PosFile<PosBound) Then
'Get Filename, content-type and content of file
PosBeg = PosFile + 10
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
FileName = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
'Add filename to dictionary object
UploadControl.Add "FileName", FileName
Pos = InstrB(PosEnd,RequestBin,getByteString("Content-Type:"))
PosBeg = Pos+14
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
'Add content-type to dictionary object
ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
UploadControl.Add "ContentType",ContentType
'Get content of object
PosBeg = PosEnd+4
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
Value = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
Else
'Get content of object
Pos = InstrB(Pos,RequestBin,getByteString(chr(13)))
PosBeg = Pos+4
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
Value = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
End If
'Add content to dictionary object
UploadControl.Add "Value" , Value
'Add dictionary object to main dictionary
UploadRequest.Add name, UploadControl
'Loop to next object
BoundaryPos=InstrB(BoundaryPos+LenB(boundary),RequestBin,boundary)
Loop
'Get the boundary
PosBeg = 1
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
boundary = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
boundaryPos = InstrB(1,RequestBin,boundary)
'Get all data inside the boundaries
Do until (boundaryPos=InstrB(RequestBin,boundary & getByteString("--")))
'Members variable of objects are put in a dictionary object
Dim UploadControl
Set UploadControl = CreateObject("Scripting.Dictionary")
'Get an object name
Pos = InstrB(BoundaryPos,RequestBin,getByteString("Content-Disposition"))
Pos = InstrB(Pos,RequestBin,getByteString("name="))
PosBeg = Pos+6
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
Name = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
PosFile = InstrB(BoundaryPos,RequestBin,getByteString("filename="))
PosBound = InstrB(PosEnd,RequestBin,boundary)
'Test if object is of file type
If PosFile<>0 AND (PosFile<PosBound) Then
'Get Filename, content-type and content of file
PosBeg = PosFile + 10
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(34)))
FileName = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
'Add filename to dictionary object
UploadControl.Add "FileName", FileName
Pos = InstrB(PosEnd,RequestBin,getByteString("Content-Type:"))
PosBeg = Pos+14
PosEnd = InstrB(PosBeg,RequestBin,getByteString(chr(13)))
'Add content-type to dictionary object
ContentType = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
UploadControl.Add "ContentType",ContentType
'Get content of object
PosBeg = PosEnd+4
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
Value = MidB(RequestBin,PosBeg,PosEnd-PosBeg)
Else
'Get content of object
Pos = InstrB(Pos,RequestBin,getByteString(chr(13)))
PosBeg = Pos+4
PosEnd = InstrB(PosBeg,RequestBin,boundary)-2
Value = getString(MidB(RequestBin,PosBeg,PosEnd-PosBeg))
End If
'Add content to dictionary object
UploadControl.Add "Value" , Value
'Add dictionary object to main dictionary
UploadRequest.Add name, UploadControl
'Loop to next object
BoundaryPos=InstrB(BoundaryPos+LenB(boundary),RequestBin,boundary)
Loop
End Sub
'String to byte string conversion
Function getByteString(StringStr)
For i = 1 to Len(StringStr)
char = Mid(StringStr,i,1)
getByteString = getByteString & chrB(AscB(char))
char = Mid(StringStr,i,1)
getByteString = getByteString & chrB(AscB(char))
Next
End Function
@@ -69,7 +69,7 @@ End Function
Function getString(StringBin)
getString =""
For intCount = 1 to LenB(StringBin)
getString = getString & chr(AscB(MidB(StringBin,intCount,1)))
getString = getString & chr(AscB(MidB(StringBin,intCount,1)))
Next
End Function