http://bugs.cacert.org/view.php?id=608

includes/account.php

@@ -38,6 +38,7 @@
 	if($process != "" && $oldid == 1)
 	{
 		$id = 1;
+		csrf_check('addemail');
 		if(strstr($_REQUEST['newemail'], "xn--") && $_SESSION['profile']['codesign'] <= 0)
 		{
 			showheader(_("My CAcert.org Account!"));
@@ -97,7 +98,7 @@
 	if(array_key_exists("makedefault",$_REQUEST) && $_REQUEST['makedefault'] != "" && $oldid == 2)
 	{
 		$id = 2;
-		$emailid = intval($emailid);
+		$emailid = intval($_REQUEST['emailid']);
 		$query = "select * from `email` where `id`='$emailid' and `memid`='".$_SESSION['profile']['id']."' and `hash` = '' and `deleted`=0";
 		$res = mysql_query($query);
 		if(mysql_num_rows($res) <= 0)
@@ -108,13 +109,13 @@
 			exit;
 		}
 		$row = mysql_fetch_assoc($res);
-		$body  = sprintf(_("Hi %s,"),$_SESSION['_config']['user']['fname'])."\n";
+		$body  = sprintf(_("Hi %s,"),$_SESSION['profile']['fname'])."\n";
 		$body .= _("You are receiving this email because you or someone else")."\n";
 		$body .= _("has changed the default email on your account.")."\n\n";
 
 		$body .= _("Best regards")."\n"._("CAcert.org Support!");
 
-		sendmail($_SESSION['_config']['user']['email'], "[CAcert.org] "._("Default Account Changed"), $body,
+		sendmail($_SESSION['profile']['email'], "[CAcert.org] "._("Default Account Changed"), $body,
 				"support@cacert.org", "", "", "CAcert Support");
 
 		$_SESSION['profile']['email'] = $row['email'];
@@ -129,9 +130,10 @@
 	if($process != "" && $oldid == 2)
 	{
 		$id = 2;
+		csrf_check("chgdef");
 		showheader(_("My CAcert.org Account!"));
 		$delcount = 0;
-		if(is_array($_REQUEST['delid']))
+		if(array_key_exists('delid',$_REQUEST) && is_array($_REQUEST['delid']))
 		{
 			foreach($_REQUEST['delid'] as $id)
 			{
@@ -1026,6 +1028,7 @@
 
 	if($oldid == 13 && $process != "")
 	{
+		csrf_check("perschange");
 		$_SESSION['_config']['user'] = $_SESSION['profile'];
 
 		$_SESSION['_config']['user']['Q1'] = trim(mysql_real_escape_string(stripslashes(strip_tags($_REQUEST['Q1']))));
@@ -1177,6 +1180,8 @@
 		$_SESSION['_config']['user']['pword2'] = trim(mysql_real_escape_string(stripslashes($_REQUEST['pword2'])));
 
 		$id = 14;
+		csrf_check("pwchange");
+
 		showheader(_("My CAcert.org Account!"));
 		if($_SESSION['_config']['user']['pword1'] == "" || $_SESSION['_config']['user']['pword1'] != $_SESSION['_config']['user']['pword2'])
 		{
@@ -2136,6 +2141,7 @@
 
 	if($oldid == 41 && $_REQUEST['action'] == 'default')
 	{
+		csrf_check("mainlang");
 		$lang = mysql_real_escape_string($_REQUEST['lang']);
 		foreach($_SESSION['_config']['translations'] as $key => $val)
 		{
@@ -2158,8 +2164,10 @@
 
 	if($oldid == 41 && $_REQUEST['action'] == 'addsec')
 	{
+		csrf_check("seclang");
 		$addlang = mysql_real_escape_string($_REQUEST['addlang']);
-		mysql_query("insert into `addlang` set `userid`='".$_SESSION['profile']['id']."', `lang`='$addlang'");
+		// Does the language exist?
+		mysql_query("insert into `addlang` set `userid`='".intval($_SESSION['profile']['id'])."', `lang`='$addlang'");
 		showheader(_("My CAcert.org Account!"));
 		echo _("Your language setting has been updated.");
 		showfooter();
@@ -2168,8 +2176,9 @@
 
 	if($oldid == 41 && $_REQUEST['action'] == 'dellang')
 	{
+		csrf_check("seclang");
 		$remove = mysql_real_escape_string($_REQUEST['remove']);
-		mysql_query("delete from `addlang` where `userid`='".$_SESSION['profile']['id']."' and `lang`='$remove'");
+		mysql_query("delete from `addlang` where `userid`='".intval($_SESSION['profile']['id'])."' and `lang`='$remove'");
 		showheader(_("My CAcert.org Account!"));
 		echo _("Your language setting has been updated.");
 		showfooter();
@@ -2734,6 +2743,4 @@
 		$_SESSION['_config']['memid'] = intval($memid);
 	if(intval($domid) > 0)
 		$_SESSION['_config']['domid'] = intval($domid);
-
-	$_SESSION['_config']['agent'] = $_SERVER['HTTP_USER_AGENT'];
 ?>

includes/general.php

@@ -739,5 +739,53 @@
 		return htmlentities(strip_tags(utf8_decode($input)), ENT_QUOTES);
 		//return htmlspecialchars(strip_tags($input));
 	}
+	function make_hash()
+	{
+		if(function_exists("dio_open"))
+		{
+			$rnd = dio_open("/dev/urandom",O_RDONLY);
+			$hash = md5(dio_read($rnd,64));
+			dio_close($rnd);
+		} else {
+			$rnd = fopen("/dev/urandom", "r");
+			$hash = md5(fgets($rnd, 64));
+			fclose($rnd);
+		}
+		return($hash);
+	}
+
+	function csrf_check($nam, $show=1)
+        {
+                if(!array_key_exists('csrf',$_REQUEST) || !array_key_exists('csrf_'.$nam,$_SESSION))
+                {
+                        $_SESSION['csrf_'.$nam]="";
+			if($show) showheader(_("My CAcert.org Account!"));
+                        echo _("CSRF Hash is missing. Please try again.")."\n";
+			if($show) showfooter();
+                        exit();
+                }
+                if(strlen($_REQUEST['csrf'])!=32 || $_SESSION['csrf_'.$nam] != $_REQUEST['csrf'])
+                {
+                        $_SESSION['csrf_'.$nam]="";
+			if($show) showheader(_("My CAcert.org Account!"));
+                        echo _("CSRF Hash is wrong. Please try again.")."\n";
+			if($show) showfooter();
+                        exit();
+                }
+		// CSRF Hash is ok.
+                $_SESSION['csrf_'.$nam]="";
+
+        }
+        function make_csrf($nam)
+        {
+                $_SESSION['csrf_'.$nam]=make_hash();
+                return($_SESSION['csrf_'.$nam]);
+        }
+
+	function clean_csr($CSR)
+	{
+		return(preg_replace("/[^A-Za-z0-9\n\r\-\:\=\+\/ ]/","",$CSR));
+	}
+
 
 ?>