fixed mobile templates, have not tested as they use same methods as main template

fixed change pw templates; added csrf token
added csrf protection for password reset
fixed reset and change pass templates; were missing csrf token (form only tpl)

public/include/pages/password.inc.php

@@ -4,6 +4,12 @@
 if (!defined('SECURITY'))
     die('Hacking attempt');
 
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+  // we have to use editaccount token because this can be called from 2 places
+  $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
+  $smarty->assign('CTOKEN', $token);
+}
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
 ?>

public/include/pages/password/change.inc.php

@@ -4,13 +4,32 @@
 if (!defined('SECURITY'))
   die('Hacking attempt');
 
-if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
-  if ($user->resetPassword($_POST['token'], $_POST['newPassword'], $_POST['newPassword2'])) {
-     $_SESSION['POPUP'][] = array('CONTENT' => 'Password reset complete! Please login.', 'TYPE' => 'success');
-  } else {
-    $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
-  }
+// csrf stuff
+$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+if ($csrfenabled) {
+  // we have to use editaccount token because this can be called from 2 separate places
+  $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
 }
+
+if (!$csrfenabled || $csrfenabled && $nocsrf) {
+  if (isset($_POST['do']) && $_POST['do'] == 'resetPassword') {
+    if ($user->resetPassword($_POST['token'], $_POST['newPassword'], $_POST['newPassword2'])) {
+      $_SESSION['POPUP'][] = array('CONTENT' => 'Password reset complete! Please login.', 'TYPE' => 'success');
+    } else {
+      $_SESSION['POPUP'][] = array('CONTENT' => $user->getError(), 'TYPE' => 'errormsg');
+    }
+  }
+} else {
+  $img = $csrftoken->getDescriptionImageHTML();
+  $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
+}
+
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+  $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
+  $smarty->assign('CTOKEN', $token);
+}
+
 // Tempalte specifics
 $smarty->assign("CONTENT", "default.tpl");
 

public/include/pages/password/reset.inc.php

@@ -3,13 +3,30 @@
 // Make sure we are called from index.php
 if (!defined('SECURITY')) die('Hacking attempt');
 
-// Process password reset request
-if ($user->initResetPassword($_POST['username'], $smarty)) {
-  $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset', 'TYPE' => 'success');
-} else {
-  $_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
+// csrf stuff
+$csrfenabled = ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) ? 1 : 0;
+if ($csrfenabled) {
+  // we have to use editaccount token because this can be called from 2 separate places
+  $nocsrf = ($csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH') == @$_POST['ctoken']) ? 1 : 0;
 }
 
+// Process password reset request
+if (!$csrfenabled || $csrfenabled && $nocsrf) {
+  if ($user->initResetPassword($_POST['username'], $smarty)) {
+    $_SESSION['POPUP'][] = array('CONTENT' => 'Please check your mail account to finish your password reset', 'TYPE' => 'success');
+  } else {
+    $_SESSION['POPUP'][] = array('CONTENT' => htmlentities($user->getError(), ENT_QUOTES), 'TYPE' => 'errormsg');
+  }
+} else {
+  $img = $csrftoken->getDescriptionImageHTML();
+  $_SESSION['POPUP'][] = array('CONTENT' => "Page token expired, please try again $img", 'TYPE' => 'info');
+}
+
+// csrf token
+if ($config['csrf']['enabled'] && $config['csrf']['options']['sitewide']) {
+  $token = $csrftoken->getBasic($user->getCurrentIP(), 'editaccount', 'mdyH');
+  $smarty->assign('CTOKEN', $token);
+}
 // Tempalte specifics, user default template by parent page
 $smarty->assign("CONTENT", "../default.tpl");
 ?>

public/templates/mobile/password/change/default.tpl

@@ -2,6 +2,7 @@
       <input type="hidden" name="token" value="{$smarty.request.token|escape}">
       <input type="hidden" name="page" value="{$smarty.request.page|escape}">
       <input type="hidden" name="action" value="{$smarty.request.action|escape}">
+      {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
       <input type="hidden" name="do" value="useToken">
       <table>
         <tr><td>New Password: </td><td><input type="password" name="newPassword"></td></tr>

public/templates/mobile/password/default.tpl

@@ -1,6 +1,7 @@
 <form action="" method="POST">
 <input type="hidden" name="page" value="password">
 <input type="hidden" name="action" value="reset">
+{if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
   <p>If you have an email set for your account, enter your username to get your password reset</p>
   <p><input type="text" value="{$smarty.post.username|escape|default:""}" name="username" required><input class="submit small" type="submit" value="Reset"></p>
 </form>

public/templates/mpos/account/edit/default.tpl

@@ -147,7 +147,7 @@
         {nocache}<input type="password" name="newPassword" {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw && !$CHANGEPASSUNLOCKED}disabled{/if}/>{/nocache}
       </fieldset>
       <fieldset>
-        <label>New Password Repeat</label>
+        <label>Repeat New Password</label>
         {nocache}<input type="password" name="newPassword2" {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw && !$CHANGEPASSUNLOCKED}disabled{/if}/>{/nocache}
       </fieldset>
       <fieldset>

public/templates/mpos/password/change/default.tpl

@@ -3,6 +3,8 @@
     <input type="hidden" name="token" value="{$smarty.request.token|escape}">
     <input type="hidden" name="page" value="{$smarty.request.page|escape}">
     <input type="hidden" name="action" value="{$smarty.request.action|escape}">
+    {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+    
     <input type="hidden" name="do" value="resetPassword">
     <header><h3>Password reset</h3></header>
     <div class="module_content">
@@ -17,9 +19,22 @@
       <div class="clear"></div>
     </div>
     <footer>
-      <div class="submit_link">
-        <input type="submit" value="Change Password" class="alt_btn">
-      </div>
+      {nocache}
+        <input type="hidden" name="cp_token" value="{$smarty.request.cp_token|escape|default:""}">
+        {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
+        <input type="hidden" name="utype" value="change_pw">
+        {if $GLOBAL.twofactor.enabled && $GLOBAL.twofactor.options.changepw}
+          {if $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 1}
+          	<input type="submit" value="Change Password" class="alt_btn">
+          {elseif $CHANGEPASSSENT == 0 && $CHANGEPASSUNLOCKED == 1 || $CHANGEPASSSENT == 1 && $CHANGEPASSUNLOCKED == 0}
+            <input type="submit" value="Change Password" class="alt_btn" disabled>
+          {elseif $CHANGEPASSSENT == 0 && $CHANGEPASSUNLOCKED == 0}
+            <input type="submit" value="Unlock" class="alt_btn" name="unlock">
+          {/if}
+        {else}
+          <input type="submit" value="Change Password" class="alt_btn">
+        {/if}
+      {/nocache}
     </footer>
   </form>
 </article>

public/templates/mpos/password/default.tpl

@@ -2,6 +2,7 @@
   <form action="" method="POST">
     <input type="hidden" name="page" value="password">
     <input type="hidden" name="action" value="reset">
+    {if $GLOBAL.csrf.enabled && $GLOBAL.csrf.options.sitewide}<input type="hidden" name="ctoken" value="{$CTOKEN|escape}" />{/if}
     <header><h3>Password reset</h3></header>
     <div class="module_content">
       <p>If you have an email set for your account, enter your username to get your password reset</p>