Anti CSRF - Setup.php

Related: http://www.paulosyibelo.com/2014/09/dvwa-unintended-security-issues.html http://pastebin.com/A7WV5MbK
IT-Consulting-Services · Sep 16, 2015 · 59b0898 · 59b0898
1 parent 1fe27ab
commit 59b0898
Show file tree

Hide file tree

Showing 2 changed files with 30 additions and 0 deletions.
diff --git a/dvwa/includes/dvwaPage.inc.php b/dvwa/includes/dvwaPage.inc.php
@@ -513,6 +513,30 @@ function dvwaGuestbook() {
 // -- END (XSS Stored guestbook)
 
 
+// Token functions --
+function generateTokens() {  # Generate a brand new TOKEN
+	destroyTokens( $_SESSION[ 'user_token' ] );
+	$_SESSION[ 'user_token' ] = md5( uniqid() );
+}
+
+function checkTokens( $token , $returnURL ) {  # Validate the Given TOKEN
+	if( $token !== $_SESSION[ 'user_token' ] ) {
+		dvwaRedirect( $returnURL );
+	}
+}
+
+function destroyTokens( $token ) {  # Destroy any session with the name 'User_token'
+	if( isset( $_SESSION[ 'user_token' ] ) ) {
+		unset( $_SESSION['user_token'] );
+	}
+}
+
+function tokenField() {  # Return a field for the token
+	return "<input type='hidden' name='token' value='" . $_SESSION[ 'user_token' ] . "' />";
+}
+// -- END (Token functions)
+
+
 $phpSafeMode      = 'PHP safe mode: <em>' . ( ini_get( 'safe_mode' )  ? 'Enabled' : 'Disabled' ) . '</em>';
 $phpDisplayErrors = 'PHP display errors: <em>'.( ini_get( 'display_errors' )  ? 'Enabled</em> <i>(Easy Mode!)</i>' : 'Disabled</em>' );
 $phpURLInclude    = 'PHP allow URL Include: <em>'.( ini_get( 'allow_url_include' )  ? 'Enabled' : 'Disabled' ) . '</em>';

diff --git a/setup.php b/setup.php
@@ -10,6 +10,9 @@
 $page[ 'page_id' ] = 'setup';
 
 if( isset( $_POST[ 'create_db' ] ) ) {
+	// Anti-CSRF
+	checkTokens( $_POST[ 'token' ] , "setup.php");
+
 	if($DBMS == 'MySQL') {
 		include_once DVWA_WEB_PAGE_TO_ROOT.'dvwa/includes/DBMS/MySQL.php';
 	}
@@ -24,6 +27,8 @@
 	}
 }
 
+// Anti-CSRF
+generateTokens();
 
 $page[ 'body' ] .= "
 <div class=\"body_padded\">
@@ -59,6 +64,7 @@
 	<!-- Create db button -->
 	<form action=\"#\" method=\"post\">
 		<input name=\"create_db\" type=\"submit\" value=\"Create / Reset Database\">
+		".tokenField()."
 	</form>
 </div>
 ";