credentials: Add missing CSRF checks

2026-03-11 08:14:52 +00:00 · 2026-03-02 20:11:56 -05:00
parent 1740599b61
commit 023cb4ff11
6 changed files with 34 additions and 14 deletions
--- a/agent/modals/credential/credential_add.php
+++ b/agent/modals/credential/credential_add.php
@@ -16,6 +16,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">

    <div class="modal-body">

--- a/agent/modals/credential/credential_edit.php
+++ b/agent/modals/credential/credential_edit.php
@@ -44,6 +44,7 @@ ob_start();
 </div>

 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="credential_id" value="<?php echo $credential_id; ?>">
    <input type="hidden" name="client_id" value="<?php echo $client_id; ?>">
    <div class="modal-body">
--- a/agent/modals/credential/credential_export.php
+++ b/agent/modals/credential/credential_export.php
@@ -15,6 +15,7 @@ ob_start();
    </button>
 </div>
 <form action="post.php" method="post" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
    <input type="hidden" name="client_id" value="<?= $client_id ?>">

    <div class="modal-body">
--- a/agent/modals/credential/credential_import.php
+++ b/agent/modals/credential/credential_import.php
@@ -15,6 +15,7 @@ ob_start();
 	</button>
 </div>
 <form action="post.php" method="post" enctype="multipart/form-data" autocomplete="off">
+    <input type="hidden" name="csrf_token" value="<?= $_SESSION['csrf_token'] ?>">
 	<input type="hidden" name="client_id" value="<?= $client_id ?>">
 	<div class="modal-body">
 		<p><strong>Format csv file with headings & data:</strong><br>Name, Description, Username, Password, TOTP, URI</p>