From bd72e201441c7d0ca28a68f218fa927291f58df3 Mon Sep 17 00:00:00 2001
From: Awilum
Date: Wed, 3 Oct 2012 14:40:16 +0300
Subject: [PATCH] System Plugin: csrf vulnerability resolved
---
 plugins/box/users/users.admin.php | 27 ++++++++++++++++++++-------
 1 file changed, 20 insertions(+), 7 deletions(-)
 mode change 100644 => 100755 plugins/box/users/users.admin.php
diff --git a/plugins/box/users/users.admin.php b/plugins/box/users/users.admin.php
old mode 100644
new mode 100755
index 964b54a..6525b7a
--- a/plugins/box/users/users.admin.php
+++ b/plugins/box/users/users.admin.php
@@ -48,9 +48,14 @@
 }
 if (Request::post('users_frontend_submit')) {
- if (Request::post('users_frontend_registration')) $users_frontend_registration = 'true'; else $users_frontend_registration = 'false';
- Option::update('users_frontend_registration', $users_frontend_registration);
- Request::redirect('index.php?id=users');
+
+ if (Security::check(Request::post('csrf'))) {
+
+ if (Request::post('users_frontend_registration')) $users_frontend_registration = 'true'; else $users_frontend_registration = 'false';
+ Option::update('users_frontend_registration', $users_frontend_registration);
+ Request::redirect('index.php?id=users');
+
+ } else { die('csrf detected!'); }
 }
 // Check for get actions
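Review bot: The rejection branch `} else { die('csrf detected!'); }` answers a failed token check with a 200 response and a bare string, so the request is recorded as successful in access logs and the admin who submitted the form gets no usable feedback; the same construct is added in the delete hunk below. Send an error status before terminating, e.g. `header('HTTP/1.0 403 Forbidden'); die('csrf detected!');`, or, since this is the admin settings form, record a `Notification::set('error', ...)` with the helper this file already uses and redirect back to `index.php?id=users` as the success path does. The token is read as `Request::post('csrf')` here but as `Request::get('token')` in the delete action; if both are issued by the same `Security` helper, a single parameter name would be easier to audit. The enclosing admin request handler starts before and ends after this hunk.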
@@ -189,12 +194,20 @@
 case "delete":
 if (Session::exists('user_role') && in_array(Session::get('user_role'), array('admin'))) {
- $user = $users->select('[id="'.Request::get('user_id').'"]', null);
- $users->delete(Request::get('user_id'));
- Notification::set('success', __('User :user have been deleted.', 'users', array(':user' => $user['login'])));
- Request::redirect('index.php?id=users');
+
+ if (Security::check(Request::get('token'))) {
+
+ $user = $users->select('[id="'.Request::get('user_id').'"]', null);
+ $users->delete(Request::get('user_id'));
+ Notification::set('success', __('User :user have been deleted.', 'users', array(':user' => $user['login'])));
+ Request::redirect('index.php?id=users');
+
+ } else { die('csrf detected!'); }
+
 }
+
+ break;
 }
 } else {
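Review bot: The token guarding the delete is read from the query string, `Security::check(Request::get('token'))`, so this state-changing operation still runs on a GET link whose token lands in browser history, proxy and server access logs, and in the Referer sent from the page that `Request::redirect('index.php?id=users')` leads to; the check stops cross-site forgery, but a token captured from any of those places stays usable for as long as `Security::check` accepts it. Consider submitting the delete as a POST form with the token in the body, as the settings form in the first hunk does. Inside the guarded block, `Request::get('user_id')` is still concatenated unescaped into the selector `'[id="'.Request::get('user_id').'"]'`, and `$user['login']` is read without checking that `select()` returned a row; if ids are numeric, `$userId = (int) Request::get('user_id');` before the select plus a guard on an empty `$user` would close both. The `case "delete":` block and the surrounding `switch` begin and end outside this hunk.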