fix csrf vulnerabilities

interface/main/tabs/js/tabs_view_model.js

@@ -249,7 +249,7 @@ function clearPatient()
     $.ajax({
         type: "POST",
         url: webroot_url+"/library/ajax/unset_session_ajax.php",
-	  data: { func: "unset_pid"},
+	  data: { func: "unset_pid", token: jsCsrfToken},
 	  success:function( msg ) {
 
 

interface/main/tabs/main.php

@@ -122,6 +122,8 @@ function isEncounterLocked( encounterId ) {
                                                                   .',' . json_encode($userQuery['fname'])
                                                                   .',' . json_encode($userQuery['lname'])
                                                                   .',' . json_encode($_SESSION['authGroup']); ?>));
+    // Set the csrf token used in js/tabs_view_model.js script
+    var jsCsrfToken = <?php echo $_SESSION['token'];?>;
 </script>
 
 <style type="text/css">

interface/patient_file/encounter/forms.php

@@ -106,6 +106,7 @@
             { amc_id: "patient_edu_amc",
               complete: true,
               mode: mode,
+              token: <?php echo $_SESSION['token'];?>,
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -125,6 +126,7 @@
             { amc_id: "provide_sum_pat_amc",
               complete: true,
               mode: mode,
+              token: <?php echo $_SESSION['token'];?>,
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -149,6 +151,7 @@
             { amc_id: "med_reconc_amc",
               complete: false,
               mode: mode,
+              token: <?php echo $_SESSION['token'];?>,
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>
@@ -168,6 +171,7 @@
             { amc_id: "med_reconc_amc",
               complete: true,
               mode: mode,
+              token: <?php echo $_SESSION['token'];?>,
               patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>,
               object_category: "form_encounter",
               object_id: <?php echo htmlspecialchars($encounter,ENT_NOQUOTES); ?>

interface/patient_file/letter.php

@@ -33,6 +33,7 @@
 include_once($GLOBALS['srcdir'] . "/patient.inc");
 require_once($GLOBALS['srcdir']."/formatting.inc.php");
 require_once("$srcdir/headers.inc.php");
+require_once("$srcdir/CsrfToken.php");
 $DateFormat = DateFormatRead();
 $DateLocale = getLocaleCodeForDisplayLanguage($GLOBALS['language_default']);
 
@@ -94,7 +95,7 @@
     if (!isset($_POST['token'])) {
         error_log('WARNING: A POST request detected with no csrf token found');
         die('Authentication failed.');
-    } else if (!(CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/letter.php.theform'))) {
+    } else if (!(  CsrfToken::verifyCsrfTokenAndCompareHash($_POST['token'], '/letter.php.theform'))) {
         die('Authentication failed.');
     }
 }

interface/patient_file/reminder/clinical_reminders.php

@@ -242,7 +242,8 @@
         rule: this.name,
         type: 'passive_alert',
         setting: this.value,
-        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+        token: <?php echo $_SESSION['token'];?> 
       });
     });
 
@@ -252,7 +253,8 @@
         rule: this.name,
         type: 'active_alert',
         setting: this.value,
-        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+        token: <?php echo $_SESSION['token'];?> 
       });
     });
 
@@ -262,7 +264,8 @@
         plan: this.name,
         type: 'normal',
         setting: this.value,
-        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+        patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+        token: <?php echo $_SESSION['token'];?> 
       });
     });
 

interface/patient_file/reminder/patient_reminders.php

@@ -346,7 +346,8 @@ function sel_patient() {
       rule: this.name,
       type: 'patient_reminder',
       setting: this.value,
-      patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>'
+      patient_id: '<?php echo htmlspecialchars($patient_id, ENT_QUOTES); ?>',
+      token: <?php echo $_SESSION['token'];?> 
     });
   });
 
@@ -361,6 +362,7 @@ function ReminderBatch(processType) {
 
    top.restoreSession();
    $.get("../../../library/ajax/collect_new_report_id.php",
+     {token: <?php echo $_SESSION['token'];?>},
      function(data){
        // Set the report id in page form
        $("#form_new_report_id").attr("value",data);
@@ -384,7 +386,7 @@ function collectStatus(report_id) {
    top.restoreSession();
    // Do not send the skip_timeout_reset parameter, so don't close window before report is done.
    $.post("../../../library/ajax/status_report.php",
-     {status_report_id: report_id},
+     {status_report_id: report_id, token: <?php echo $_SESSION['token'];?> },
      function(data){
        if (data == "PENDING") {
          // Place the pending string in the DOM

interface/patient_file/summary/demographics.php

@@ -261,11 +261,11 @@ function toggleIndicator(target,div) {
           if ( $mode == "<?php echo htmlspecialchars(xl('collapse'),ENT_QUOTES); ?>" ) {
               $(target).find(".indicator").text( "<?php echo htmlspecialchars(xl('expand'),ENT_QUOTES); ?>" );
               $("#"+div).hide();
-          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 0 });
+          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 0 , token: <?php echo $_SESSION['token'];?> });
           } else {
               $(target).find(".indicator").text( "<?php echo htmlspecialchars(xl('collapse'),ENT_QUOTES); ?>" );
               $("#"+div).show();
-          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 1 });
+          $.post( "../../../library/ajax/user_settings.php", { target: div, mode: 1 , token: <?php echo $_SESSION['token'];?>});
           }
       }
 

interface/patient_file/transaction/record_request.php

@@ -45,6 +45,7 @@
       { amc_id: "provide_rec_pat_amc",
         complete: false,
         mode: "add_force",
+        token: <?php echo $_SESSION['token'];?>,
         patient_id: <?php echo htmlspecialchars($pid,ENT_NOQUOTES); ?>
       }
     );

interface/patient_tracker/patient_tracker.php

@@ -777,6 +777,7 @@ function validateForm() {
     }
       $.post( "../../library/ajax/drug_screen_completed.php", {
         trackerid: this.id,
+        token: <?php echo $_SESSION['token'];?>,
         testcomplete: testcomplete_toggle
       });
     });

interface/reports/clinical_stats_by_demographics_report.php

@@ -148,7 +148,8 @@ function show_all_diags(){
                 diag:"<?php  echo $_POST['form_diagnosis'];   ?>",
                 ethnicity:"<?php echo $_POST['ethnicity']; ?>",
                 age_from:"<?php echo $_POST['age_from']  ; ?>",
-                age_to:"<?php echo $_POST['age_to']  ; ?>"
+                age_to:"<?php echo $_POST['age_to']  ; ?>",
+                token: <?php echo $_SESSION['token'];?>
 
             }, complete: function(){
                 $('#image').hide();

interface/reports/lab_stats_by_demographics_report.php

@@ -175,7 +175,8 @@ function lab_result_details() {
                         age_from:"<?php echo $_POST['age_from']  ; ?>",
                         age_to:"<?php echo $_POST['age_to']  ; ?>",
                         results_per_page: $('#rpp').val(),
-                        page_number: $('#nof').val()
+                        page_number: $('#nof').val(),
+                        token: <?php echo $_SESSION['token'];?>
 
                     }, complete: function(){
                         $('#image').hide();

interface/reports/username_report.php

@@ -91,7 +91,8 @@ function show_session_times(){
             data: {
                 func:"show_session_times",
                 to_date:   "<?php echo $to_date; ?>",
-                from_date:" <?php echo $from_date; ?> "
+                from_date:" <?php echo $from_date; ?> ",
+                token: <?php echo $_SESSION['token'];?>,
             }, complete: function(){
                 $('#image').hide();
             }},
@@ -160,7 +161,8 @@ function show_session_sums()
             data: {
                 func:"show_session_sums",
                 to_date:   "<?php echo $to_date; ?>",
-                from_date:" <?php echo $from_date; ?> "
+                from_date:" <?php echo $from_date; ?> ",
+                token: <?php echo $_SESSION['token'];?>,
             },
         complete: function(){
             $('#image').hide();
@@ -230,7 +232,8 @@ function show_session_details()
             data: {
                 func:"show_session_details",
                 to_date:   "<?php echo $to_date; ?>",
-                from_date:" <?php echo $from_date; ?> "
+                from_date:" <?php echo $from_date; ?> ",
+                token: <?php echo $_SESSION['token'];?>,
             },
             complete: function(){
                 $('#image').hide();
@@ -298,6 +301,8 @@ function show_session_details()
     <input hidden id = 'show_session_sums_button' value = '<?php echo isset($_POST['show_session_sums']) ? $_POST['show_session_sums'] : null ?>'>
     <input hidden id = 'show_session_times_button' value = '<?php echo isset($_POST['show_session_times']) ? $_POST['show_session_times'] : null  ?>'>
     <input hidden id = 'show_session_details_button' value = '<?php echo isset($_POST['show_session_details']) ? $_POST['show_session_details']  : null  ?>'>
+    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
+
 
 </form>
 

interface/super/edit_layout.php

@@ -955,6 +955,7 @@ function setListItemOptions(lino, seq, init) {
   $.getScript('layout_listitems_ajax.php' +
     '?listid='  + encodeURIComponent(list_id) +
     '&target='  + encodeURIComponent(target)  +
+    '&token='   + <?php echo $_SESSION['token'];?>  +
     '&current=' + encodeURIComponent(current));
 }
 
@@ -1564,13 +1565,13 @@ function getNextSeq(group) {
 
     // show the popup choice of lists
     var ShowLists = function(btnObj) {
-        window.open("./show_lists_popup.php", "lists", "width=300,height=500,scrollbars=yes");
+        window.open("./show_lists_popup.php?token=<?php echo $_SESSION['token'];?>", "lists", "width=300,height=500,scrollbars=yes");
         selectedfield = btnObj;
     };
 
     // show the popup choice of groups
     var ShowGroups = function(btnObj) {
-        window.open("./show_groups_popup.php?layout_id=<?php echo $layout_id;?>", "groups", "width=300,height=300,scrollbars=yes");
+        window.open("./show_groups_popup.php?layout_id=<?php echo $layout_id;?>&token=<?php echo $_SESSION['token'];?>", "groups", "width=300,height=300,scrollbars=yes");
     };
 
 
@@ -1615,7 +1616,7 @@ function FieldIDClicked(elem) {
   // If the field ID is for the local form, allow direct entry.
   if (srcval == 'F') return;
   // Otherwise pop up the selection window.
-  window.open('./field_id_popup.php?source=' + srcval, 'fields',
+  window.open('./field_id_popup.php?source=' + srcval + '&token=' + <?php echo $_SESSION['token'];?>, 'fields',
     'width=600,height=600,scrollbars=yes');
 <?php } ?>
 }

interface/super/field_id_popup.php

@@ -24,6 +24,7 @@
 $fake_register_globals = false;
 
 include_once("../globals.php");
+require_once("$srcdir/CsrfToken.php");
 
 $form_encounter_layout = array(
   array('field_id'     => 'date',
@@ -90,7 +91,14 @@
         'edit_options' => '',
        ),
 );
-
+//verify csrf token
+if (!empty($_GET)) {
+  if (!isset($_GET['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+      die('Authentication failed.');
+  }
+}
 $source = empty($_REQUEST['source']) ? 'D' : $_REQUEST['source'];
 
 function gsr_fixup(&$row, $fldid, $default='') {

interface/super/layout_listitems_ajax.php

@@ -25,8 +25,17 @@
 $sanitize_all_escapes  = true;
 
 require_once("../globals.php");
+require_once("$srcdir/CsrfToken.php");
 require_once("$srcdir/formdata.inc.php");
 
+//verify csrf token
+if (!empty($_GET)) {
+  if (!isset($_GET['token'])) {
+      CsrfToken::noTokenFoundError();
+  } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+      die('Authentication failed.');
+  }
+}
 $listid  = $_GET['listid'];
 $target  = $_GET['target'];
 $current = $_GET['current'];

interface/super/show_groups_popup.php

@@ -4,7 +4,16 @@
   */
 
 include_once("../globals.php");
-
+require_once("$srcdir/CsrfToken.php");
+
+//verify csrf token
+if (!empty($_GET)) {
+    if (!isset($_GET['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+        die('Authentication failed.');
+    }
+  }
 ?>
 
 <html>

interface/super/show_lists_popup.php

@@ -4,6 +4,16 @@
   */
 
 include_once("../globals.php");
+require_once("$srcdir/CsrfToken.php");
+
+//verify csrf token
+if (!empty($_GET)) {
+    if (!isset($_GET['token'])) {
+        CsrfToken::noTokenFoundError();
+    } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+        die('Authentication failed.');
+    }
+  }
 
 ?>
 

interface/usergroup/adminacl.php

@@ -89,6 +89,7 @@
     data: {
      control: "acl",
      action: "add",
+     token: <?php echo $_SESSION['token'];?>,
      title: title,
      identifier: identifier,    
      return_value: return_value,
@@ -160,6 +161,7 @@
     data: {
      control: "acl",
      action: "remove",
+     token: <?php echo $_SESSION['token'];?>,
      title: title,
      return_value: return_value
     },
@@ -208,6 +210,7 @@ function membership_show() {
     dataType: "xml",
     data: {
      control: "username",
+     token: <?php echo $_SESSION['token'];?>,
      action: "list"
     },
     success: function(xml){
@@ -257,6 +260,7 @@ function acl_show() {
     dataType: "xml",
     data: {
      control: "acl",
+     token: <?php echo $_SESSION['token'];?>,
      action: "list"
     },
     success: function(xml){     
@@ -371,6 +375,7 @@ function generic_click(cthis) {
     data: {
      name: identityFormatted,
      control: control,
+     token: <?php echo $_SESSION['token'];?>,
      action: action,
      'selection[]': selected,
      return_value: return_value

library/CsrfToken.php

@@ -30,6 +30,12 @@ function verifyCsrfToken($token)
             return false;
         }
     }
+
+    //log error and kill the page
+    function noTokenFoundError() {
+        error_log('WARNING: A POST request detected with no csrf token found');
+        die('Authentication failed.');
+    }
     // Function to verify a csrf token using with second token
     function verifyCsrfTokenAndCompareHash($token, $secondToken)
     {

library/ajax/addlistitem.php

@@ -16,6 +16,18 @@
 
 include_once("../../interface/globals.php");
 include_once("{$GLOBALS['srcdir']}/sql.inc");
+include_once("{$GLOBALS['srcdir']}/sql.inc");
+require_once("{$GLOBALS['srcdir']}/CsrfToken.php");
+
+//verify csrf token
+if (!empty($_GET)) {
+    if (!isset($_GET['token'])) {
+        error_log('WARNING: A POST request detected with no csrf token found');
+        die('Authentication failed.');
+    } else if (!(CsrfToken::verifyCsrfToken($_GET['token']))) {
+        die('Authentication failed.');
+    }
+  }
 
 // check for required values
 if ($_GET['listid'] == "" || trim($_GET['newitem']) == "" || trim($_GET['newitem_abbr']) == "") exit;