dolibarr  x.y.z
test_csrf.php
1 <?php
2 //define("NOLOGIN",1); // This means this output page does not require to be logged.
3 //if (!defined('NOREQUIREUSER')) define('NOREQUIREUSER', '1');
4 //if (!defined('NOREQUIREDB')) define('NOREQUIREDB', '1');
5 if (!defined('NOREQUIRESOC')) {
6  define('NOREQUIRESOC', '1');
7 }
8 //if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1');
9 if (!defined('NOSTYLECHECK')) {
10  define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
11 }
12 //if (!defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
13 //if (!defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
14 //if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
15 if (!defined("NOLOGIN")) {
16  define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
17 }
18 
19 // Load Dolibarr environment
20 require '../../main.inc.php';
21 
22 // Security
23 if ($dolibarr_main_prod) {
24  accessforbidden();
25 }
26 
27 
28 /*
29  * View
30  */
31 
32 header("Content-type: text/html; charset=UTF8");
33 
34 // Security options
35 header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
36 header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
37 ?>
38 
39 This is a form to test if a CSRF exists into a Dolibarr page.<br>
40 <br>
41 - Change url to send request to into this file (URL to a hard coded page on a server B)<br>
42 - Open this form into a virtual server A.<br>
43 - Send the request to the virtual server B by clicking submit.<br>
44 - Check that Anticsrf protection is triggered.<br>
45 
46 <br>
47 <?php
48  $urltosendrequest = "http://127.0.0.1/dolibarr/htdocs/user/group/card.php";
49  print 'urltosendrequest = '.$urltosendrequest.'<br><br>';
50 ?>
51 
52 Test post
53 <form method="POST" action="<?php echo $urltosendrequest; ?>" target="_blank">
54 <!-- <input type="hidden" name="token" value="123456789"> -->
55 <input type="text" name="action" value="add">
56 <input type="text" name="nom" value="New group test">
57 <input type="submit" name="submit" value="Submit">
58 </form>
59 
60 
61 Test logout
62 <html>
63  <body>
64  <script>history.pushState('', '', '/')</script>
65  <form action="http://localhostgit/dolibarr_dev/htdocs/user/logout.php">
66  <input type="submit" value="Submit request" />
67  </form>
68  <script>
69  document.forms[0].submit();
70  </script>
71  </body>
72 </html>
type
if(preg_match('/crypted:/i', $dolibarr_main_db_pass)||!empty($dolibarr_main_db_encrypted_pass)) $conf db type
Definition: repair.php:119
name
$conf db name
Only used if Module[ID]Name translation string is not found.
Definition: repair.php:122
accessforbidden
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.
Definition: security.lib.php:1084
Generated on Wed Jan 4 2023 18:05:32 for dolibarr by Doxygen 1.9.1