CSRF tokens in a file upload form



  • I am dealing with a website vulnerable to CSRF. Let's say that the page (upload.php) has the following code:

    if (isset($file_submit)) {
        //submit_file()
    }
    else {
        show_submission_form()
    }

    submission_form()
    {
        $tool_content .= <<<cData
        <form enctype="multipart/form-data" action="upload.php" method="post" onsubmit="return checkForm(this)">
        <br />
        <table>
        <tbody>
        <tr>
           <th class="left">${langWorkFile}:</th>
           <td><input type="file" name="userfile" class="FormData_InputText" /></td>
        </tr>
        <tr>
           <th class="left">${m['comments']}:</th>
           <td><textarea name="stud_comments" rows="5" cols="55" class="FormData_InputText"></textarea></td>
        </tr>
        <tr>
           <th>&nbsp;</th>
           <td><input type="submit" value="${langSubmit}" name="file_submit" /><br />$langNotice3</td>
        </tr>
        </tbody>
        </table>
        <br/>
        </form>
    cData;
    }


    In order to protect it I should use CSRF tokens, so I have changed the code into this:

    if (isset($submit)) {
        if ($_REQUEST['token_form'] != $_SESSION['token']) {
            die;
        }
        //submit_file()
    }
    else {
        show_submission_form()
    }

    submission_form()
    {
        $tool_content .= <<<cData
        <form enctype="multipart/form-data" action="upload.php" method="post" onsubmit="return checkForm(this)">
        <br />
        <table>
        <tbody>
        <tr>
           <th class="left">${langWorkFile}:</th>
           <td><input type="file" name="userfile" class="FormData_InputText" /></td>
        </tr>
        <tr>
           <th class="left">${m['comments']}:</th>
           <td><textarea name="stud_comments" rows="5" cols="55" class="FormData_InputText"></textarea></td>
        </tr>
        <tr>
           <th>&nbsp;</th>
           <td><input type="submit" value="${langSubmit}" name="file_submit" /><br />$langNotice3</td>
        </tr>
        </tbody>
        </table>
        <br/>
        </form>
    cData;
        $tool_content .= "<td><input class='FormData_InputText' type=\"text\" size=\"40\" name=\"token_form\" value=\"$_SESSION['token']\"></td>";
    }


    In simpler words I have added

      if ($_REQUEST['token_form'] != $_SESSION['token']) {
        die;
      }
    

    and

    $tool_content .= "<td><input class='FormData_InputText' type=\"text\" size=\"40\" name=\"token_form\" value=\"$_SESSION['token']\"></td>";
    

    at the end.

    This creates a form whose value is the token (I will make it hidden), and when the user presses submit the token is supposed to be sent. However, if ($_REQUEST['token_form'] != $_SESSION['token']) seems to be true, so I can't achieve my goal. Do you have any ideas why, and how I can fix it? Thanks in advance!



  • The <input /> should be inside the <form></form>.

    As the <input name="token_form" /> is currently outside the <form></form>, the token is not sent when you submit the form.
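A corrected upload.php, added here as an example (it is neither the asker's code nor the answer's): the token is generated once per session from a CSPRNG, the hidden token input sits inside the <form> so the browser submits it together with the file, and the check reads $_POST (not $_REQUEST, which also merges GET and cookie data) and compares with hash_equals(). The csrf_token_is_valid() helper and the submit_file() handler are assumed names.

```php
<?php
// Added example, not the original poster's code: upload.php with a
// session-bound CSRF token. submit_file() is assumed to exist elsewhere.
session_start();

// Generate the token once per session from a CSPRNG.
if (empty($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(random_bytes(32));
}

function csrf_token_is_valid(): bool
{
    // Read from $_POST only; $_REQUEST also merges GET and COOKIE data.
    // hash_equals() compares in constant time.
    if (!isset($_POST['token_form'], $_SESSION['token'])) {
        return false;
    }
    return hash_equals($_SESSION['token'], (string) $_POST['token_form']);
}

function show_submission_form(): string
{
    $token = htmlspecialchars($_SESSION['token'], ENT_QUOTES, 'UTF-8');
    // The hidden token input is placed INSIDE <form>, so the browser
    // submits it together with the file and the comments.
    return <<<HTML
<form enctype="multipart/form-data" action="upload.php" method="post">
  <table>
    <tr><th class="left">File:</th>
        <td><input type="file" name="userfile" /></td></tr>
    <tr><th class="left">Comments:</th>
        <td><textarea name="stud_comments" rows="5" cols="55"></textarea></td></tr>
    <tr><th>&nbsp;</th>
        <td><input type="submit" value="Submit" name="file_submit" /></td></tr>
  </table>
  <input type="hidden" name="token_form" value="$token" />
</form>
HTML;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['file_submit'])) {
    if (!csrf_token_is_valid()) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    submit_file(); // assumed to handle $_FILES['userfile']
} else {
    echo show_submission_form();
}
```

Requires PHP 7.0 or later for random_bytes() and the return type declarations.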


