security: CSRF protection for state-changing requests (high risk)

.htaccess

@@ -2,3 +2,8 @@
 IndexIgnore *
 
 Options -Indexes
+
+# Security headers (requires mod_headers; AllowOverride FileInfo or All).
+<IfModule mod_headers.c>
+    Header always set Referrer-Policy "strict-origin-when-cross-origin"
+</IfModule>

ajax/deleteActivity.php

@@ -32,6 +32,12 @@
 
 $interface = new SecureAJAXInterface();
 
+if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
 if (!$interface->isRequiredIDValid('activityID'))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid activity ID.');
@@ -40,7 +46,7 @@
 
 $siteID = $interface->getSiteID();
 
-$activityID = $_REQUEST['activityID'];
+$activityID = $_POST['activityID'];
 
 /* Delete the activity entry. */
 $activityEntries = new ActivityEntries($siteID);

ajax/editActivity.php

@@ -35,6 +35,12 @@
 
 $interface = new SecureAJAXInterface();
 
+if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
 if (!$interface->isRequiredIDValid('activityID'))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid activity ID.');
@@ -53,24 +59,24 @@
     die();
 }
 
-if (!isset($_REQUEST['notes']))
+if (!isset($_POST['notes']))
 {
     $interface->outputXMLErrorPage(-1, 'Invalid notes.');
     die();
 }
 
 $siteID = $interface->getSiteID();
 
-$activityID = $_REQUEST['activityID'];
-$type       = $_REQUEST['type'];
-$jobOrderID = $_REQUEST['jobOrderID'];
+$activityID = $_POST['activityID'];
+$type       = $_POST['type'];
+$jobOrderID = $_POST['jobOrderID'];
 
 /* Decode and trim the activity notes from the company. */
-$activityNote = trim(urldecode($_REQUEST['notes']));
-$activityDate = trim(urldecode($_REQUEST['date']));
-$activityHour = trim(urldecode($_REQUEST['hour']));
-$activityMinute = trim(urldecode($_REQUEST['minute']));
-$activityAMPM = trim(urldecode($_REQUEST['ampm']));
+$activityNote = trim(urldecode($_POST['notes']));
+$activityDate = trim(urldecode($_POST['date']));
+$activityHour = trim(urldecode($_POST['hour']));
+$activityMinute = trim(urldecode($_POST['minute']));
+$activityAMPM = trim(urldecode($_POST['ampm']));
 
 if (!DateUtility::validate('-', $activityDate, DATE_FORMAT_MMDDYY))
 {

ajax/getPipelineJobOrder.php

@@ -305,11 +305,14 @@ function printSortLink($field, $delimiter = "'", $changeDirection = true)
                             <img src="images/actions/edit.gif" width="16" height="16" class="absmiddle" alt="" style="border: none;"  title="Log an Activity / Change Status" />
                         </a>
                     <?php endif; ?>
-                    <?php if ($_SESSION['CATS']->getAccessLevel('pipelines.removeFromPipeline') >= ACCESS_LEVEL_DELETE): ?>
-                        <a href="<?php echo($indexFile); ?>?m=joborders&amp;a=removeFromPipeline&amp;jobOrderID=<?php echo($jobOrderID); ?>&amp;candidateID=<?php echo($pipelinesData['candidateID']); ?>" onclick="javascript:return confirm('Remove <?php echo(str_replace('\'', '\\\'', htmlspecialchars($pipelinesData['firstName']))); ?> <?php echo(str_replace('\'', '\\\'', htmlspecialchars($pipelinesData['lastName']))); ?> from the pipeline?')">
-                            <img src="images/actions/delete.gif" width="16" height="16" class="absmiddle" alt="remove" style="border: none;" title="Remove from Job Order"  />
-                        </a>
-                    <?php endif; ?>
+                    <?php if ($_SESSION['CATS']->getAccessLevel('pipelines.removeFromPipeline') >= ACCESS_LEVEL_DELETE): ?>
+                        <form method="post" action="<?php echo($indexFile); ?>?m=joborders&amp;a=removeFromPipeline" style="display:inline;" onsubmit="return confirm('Remove <?php echo(str_replace('\'', '\\\'', htmlspecialchars($pipelinesData['firstName']))); ?> <?php echo(str_replace('\'', '\\\'', htmlspecialchars($pipelinesData['lastName']))); ?> from the pipeline?')">
+                            <input type="hidden" name="postback" value="postback" />
+                            <input type="hidden" name="jobOrderID" value="<?php echo($jobOrderID); ?>" />
+                            <input type="hidden" name="candidateID" value="<?php echo($pipelinesData['candidateID']); ?>" />
+                            <input type="image" src="images/actions/delete.gif" width="16" height="16" class="absmiddle" alt="remove" style="border: none;" title="Remove from Job Order" />
+                        </form>
+                    <?php endif; ?>
                 <?php endif; ?>
             </td>
 <?php endif; ?>

ajax/setCandidateJobOrderRating.php

@@ -32,6 +32,12 @@
 
 $interface = new SecureAJAXInterface();
 
+if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
 if ($_SESSION['CATS']->getAccessLevel('pipelines.editRating') < ACCESS_LEVEL_EDIT)
 {
     $interface->outputXMLErrorPage(-1, ERROR_NO_PERMISSION);
@@ -45,16 +51,16 @@
 }
 
 if (!$interface->isRequiredIDValid('rating', true, true) ||
-    $_REQUEST['rating'] < -6 || $_REQUEST['rating'] > 5)
+    $_POST['rating'] < -6 || $_POST['rating'] > 5)
 {
     $interface->outputXMLErrorPage(-1, 'Invalid rating.');
     die();
 }
 
 $siteID = $interface->getSiteID();
 
-$candidateJobOrderID = $_REQUEST['candidateJobOrderID'];
-$rating              = $_REQUEST['rating'];
+$candidateJobOrderID = $_POST['candidateJobOrderID'];
+$rating              = $_POST['rating'];
 
 $pipelines = new Pipelines($siteID);
 $pipelines->updateRatingValue($candidateJobOrderID, $rating);

ajax/setColumnWidth.php

@@ -29,9 +29,21 @@
 
 $interface = new SecureAJAXInterface();
 
-$instance = $_REQUEST['instance'];
-$columnName = $_REQUEST['columnName'];
-$columnWidth = $_REQUEST['columnWidth'];
+if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
+if (!isset($_POST['instance']) || !isset($_POST['columnName']) || !isset($_POST['columnWidth']))
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
+$instance = $_POST['instance'];
+$columnName = $_POST['columnName'];
+$columnWidth = $_POST['columnWidth'];
 
 $columnPreferences = $_SESSION['CATS']->getColumnPreferences($instance);
 

ajax/testEmailSettings.php

@@ -32,10 +32,16 @@
 
 $interface = new SecureAJAXInterface();
 
+if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+{
+    $interface->outputXMLErrorPage(-1, 'Invalid request.');
+    die();
+}
+
 $siteID = $interface->getSiteID();
 
-if (!isset($_REQUEST['testEmailAddress']) ||
-    empty($_REQUEST['testEmailAddress']))
+if (!isset($_POST['testEmailAddress']) ||
+    empty($_POST['testEmailAddress']))
 {
     $interface->outputXMLErrorPage(
         -1, 'Invalid test e-mail address.'
@@ -44,8 +50,8 @@
     die();
 }
 
-if (!isset($_REQUEST['fromAddress']) ||
-    empty($_REQUEST['fromAddress']))
+if (!isset($_POST['fromAddress']) ||
+    empty($_POST['fromAddress']))
 {
     $interface->outputXMLErrorPage(
         -1, 'Invalid from e-mail address.'
@@ -54,8 +60,8 @@
     die();
 }
 
-$testEmailAddress = $_REQUEST['testEmailAddress'];
-$fromAddress      = $_REQUEST['fromAddress'];
+$testEmailAddress = $_POST['testEmailAddress'];
+$fromAddress      = $_POST['fromAddress'];
 
 /* Is the test e-mail address specified valid? */
 // FIXME: Validate properly.

index.php

@@ -172,6 +172,32 @@ function stripslashes_deep($value)
     }
 }
 
+if (isset($_SERVER['REQUEST_METHOD']) && $_SERVER['REQUEST_METHOD'] === 'POST' &&
+    $_SESSION['CATS']->isLoggedIn() &&
+    (!isset($careerPage) || !$careerPage) &&
+    (!isset($_GET['showCareerPortal']) || $_GET['showCareerPortal'] != '1') &&
+    (!isset($rssPage) || !$rssPage) &&
+    (!isset($xmlPage) || !$xmlPage))
+{
+    $module = isset($_GET['m']) ? $_GET['m'] : '';
+
+    if ($module == '' || $module == 'logout' ||
+        ModuleUtility::moduleRequiresAuthentication($module))
+    {
+        $token = null;
+
+        if (isset($_POST['csrfToken']))
+        {
+            $token = $_POST['csrfToken'];
+        }
+
+        if (!$_SESSION['CATS']->isCSRFTokenValid($token))
+        {
+            CommonErrors::fatal(COMMONERROR_BADFIELDS, null, 'Invalid request.');
+        }
+    }
+}
+
 /* Check to see if we are supposed to display the career page. */
 if (((isset($careerPage) && $careerPage) ||
     (isset($_GET['showCareerPortal']) && $_GET['showCareerPortal'] == '1')))
@@ -219,6 +245,11 @@ function stripslashes_deep($value)
 {
     if ($_GET['m'] == 'logout')
     {
+        if ($_SERVER['REQUEST_METHOD'] !== 'POST')
+        {
+            CommonErrors::fatal(COMMONERROR_BADFIELDS, null, 'Invalid request.');
+        }
+
         /* There isn't really a logout module. It's just a few lines. */
         $unixName = $_SESSION['CATS']->getUnixName();
 
@@ -233,12 +264,20 @@ function stripslashes_deep($value)
             $URI .= '&s=' . $unixName;
         }
 
-        if (isset($_GET['message']))
+        if (isset($_POST['message']))
+        {
+            $URI .= '&message=' . urlencode($_POST['message']);
+        }
+        else if (isset($_GET['message']))
         {
             $URI .= '&message=' . urlencode($_GET['message']);
         }
 
-        if (isset($_GET['messageSuccess']))
+        if (isset($_POST['messageSuccess']))
+        {
+            $URI .= '&messageSuccess=' . urlencode($_POST['messageSuccess']);
+        }
+        else if (isset($_GET['messageSuccess']))
         {
             $URI .= '&messageSuccess=' . urlencode($_GET['messageSuccess']);
         }

js/lib.js

@@ -342,6 +342,20 @@ function AJAX_getPOSTSessionID(sessionCookie)
 function AJAX_POST(http, url, POSTData, callBack, timeout, sessionCookie,
     silentTimeout)
 {
+    if (POSTData == null)
+    {
+        POSTData = '';
+    }
+
+    if (typeof CATSCsrfToken != 'undefined' && CATSCsrfToken !== null &&
+        CATSCsrfToken !== '')
+    {
+        if (POSTData.indexOf('csrfToken=') == -1)
+        {
+            POSTData += '&csrfToken=' + encodeURIComponent(CATSCsrfToken);
+        }
+    }
+
     /* Add a random hash to the POST data to keep IE from caching it. */
     POSTData += AJAX_getRandomPOSTHash();
 

js/lists.js

@@ -205,7 +205,34 @@ function deleteListFromListView(savedListID, numberEntries)
          return;
     }
 
-    document.location.href = CATSIndexName + '?m=lists&a=deleteStaticList&savedListID=' + savedListID;
+    var form = document.createElement('form');
+    form.method = 'post';
+    form.action = CATSIndexName + '?m=lists&a=deleteStaticList';
+
+    var postback = document.createElement('input');
+    postback.type = 'hidden';
+    postback.name = 'postback';
+    postback.value = 'postback';
+    form.appendChild(postback);
+
+    var savedListInput = document.createElement('input');
+    savedListInput.type = 'hidden';
+    savedListInput.name = 'savedListID';
+    savedListInput.value = savedListID;
+    form.appendChild(savedListInput);
+
+    if (typeof CATSCsrfToken != 'undefined' && CATSCsrfToken !== null &&
+        CATSCsrfToken !== '')
+    {
+        var csrfToken = document.createElement('input');
+        csrfToken.type = 'hidden';
+        csrfToken.name = 'csrfToken';
+        csrfToken.value = CATSCsrfToken;
+        form.appendChild(csrfToken);
+    }
+
+    document.body.appendChild(form);
+    form.submit();
 }
 
 function deleteListRow(savedListID, sessionCookie, numberEntries)
@@ -350,4 +377,3 @@ function addItemsToList(sessionCookie, dataItemType)
         false
     );
 }
-

js/quickAction.js

@@ -121,3 +121,72 @@
     /* Create a popup window for adding this candidate to the job order / pipeline */
     showPopWin(CATSIndexName + '?m=candidates&a=considerForJobSearch&candidateID=' + menuDataItemId, 750, 390, null);
 };
+
+function quickActionPostFromUrl(url, confirmMessage)
+{
+    if (confirmMessage && !confirm(confirmMessage))
+    {
+        return false;
+    }
+
+    var parts = url.split('?');
+    var action = parts[0];
+    var query = (parts.length > 1) ? parts[1] : '';
+    var params = {};
+    var actionParams = [];
+
+    if (query.length > 0)
+    {
+        var pairs = query.split('&');
+        for (var i = 0; i < pairs.length; i++)
+        {
+            if (pairs[i] === '')
+            {
+                continue;
+            }
+
+            var keyValue = pairs[i].split('=');
+            var key = decodeURIComponent(keyValue[0].replace(/\+/g, ' '));
+            var value = keyValue.length > 1 ? decodeURIComponent(keyValue[1].replace(/\+/g, ' ')) : '';
+
+            if (key === 'm' || key === 'a')
+            {
+                actionParams.push(encodeURIComponent(key) + '=' + encodeURIComponent(value));
+            }
+            else
+            {
+                params[key] = value;
+            }
+        }
+    }
+
+    params.postback = 'postback';
+
+    if (typeof CATSCsrfToken != 'undefined' && CATSCsrfToken !== null &&
+        CATSCsrfToken !== '' && typeof params.csrfToken == 'undefined')
+    {
+        params.csrfToken = CATSCsrfToken;
+    }
+
+    var form = document.createElement('form');
+    form.method = 'post';
+    form.action = action + (actionParams.length ? ('?' + actionParams.join('&')) : '');
+
+    for (var name in params)
+    {
+        if (!params.hasOwnProperty(name))
+        {
+            continue;
+        }
+
+        var input = document.createElement('input');
+        input.type = 'hidden';
+        input.name = name;
+        input.value = params[name];
+        form.appendChild(input);
+    }
+
+    document.body.appendChild(form);
+    form.submit();
+    return false;
+}