fit remote code execution in history and template imports functionality

interface/billing/edi_history_main.php

@@ -70,6 +70,7 @@
 require_once("$srcdir/edihistory/ibr_ack_read.php");          //dirname(__FILE__) . "/edihist/ibr_ack_read.php");
 require_once("$srcdir/edihistory/ibr_uploads.php");           //dirname(__FILE__) . "/edihist/ibr_uploads.php");
 require_once("$srcdir/edihistory/ibr_io.php");                //dirname(__FILE__) . "/edihist/ibr_io.php");
+require_once("../../library/CsrfToken.php");
 //
 // php may output line endings if include files are utf-8
 ob_clean();
@@ -100,6 +101,14 @@
  */
 
 if (strtolower($_SERVER['REQUEST_METHOD']) == 'post') {
+    if (!empty($_POST)) {
+        if (!isset($_POST['token'])) {
+            error_log('WARNING: A POST request detected with no csrf token found');
+            die('Authentication failed.');
+        } else if (!(CsrfToken::verifyCsrfToken($_POST['token'])) {
+            die('Authentication failed.');
+        }
+    }
     //
     if ( isset($_POST['NewFiles']) ) {
         // process new files button clicked

interface/billing/edih_view.php

@@ -75,6 +75,7 @@
                 <legend><?php echo xlt("Select one or more files to upload"); ?></legend>
                 <input id="upload_file" type="file" name="fileUplMulti[]" class="cp-positive" multiple />
                 <input type="submit" name="uplsubmt" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
             </form>
          </td>
@@ -87,6 +88,7 @@
                 <input type="hidden" name="NewFiles" value="ProcessNew">
                 <label for="New-Files">Process New Files:</label>
                 <input id="processfiles"  name="Process" class="cp-output" type="button" value="<?php echo xla("Process"); ?>" />
+                <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
             </form>
          </td>
@@ -159,6 +161,7 @@
                         -->
                         <td align='center'>
                             <input type="hidden" name="csvshowtable" value="gettable">
+                            <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                             <input id="showtable" type="button" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
                         </td>
 
@@ -220,6 +223,7 @@
                 <label for="era_file"><?php echo xlt("Filename"); ?>:</label>
                 <input id="era_file" type="file" size=20 name="fileUplEra" class="cp-positive" />
                 <input type="submit" name="fileERA" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
             </fieldset>
             </form>
         </td>
@@ -236,6 +240,7 @@
             <label for="trace835"><?php echo xlt("Check No"); ?>:</label>
             <input type="text" size=10 name="trace835" value="" />
             <input type="submit" name="subtrace835" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+            <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
         </fieldset>
         </form>
         </td>
@@ -253,6 +258,7 @@
                         <label for="enctr"><?php echo xlt("Enter Encounter"); ?>:</label>
                         <input type="text" name="enctrbatch" size=10 value="" />
                         <input type="submit" name="Batch-enctr" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                        <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                     </fieldset>
                 </form>
               </td>
@@ -263,6 +269,7 @@
                     <label for="enctrERA"><?php echo xlt("Enter Encounter"); ?>:</label>
                     <input type="text" name="enctrEra" size=10 value="" />
                     <input type="submit" name="eraText" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
                 </form>
               </td>
@@ -275,6 +282,7 @@
                     <label for="x12file"><?php echo xlt("Choose File"); ?>:</label>
                     <input id="x12file" type="file" name="fileUplx12" class="cp-positive" />
                     <input type="submit" name="fileX12" class="cp-submit" value="<?php echo xla("Submit"); ?>" />
+                    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                 </fieldset>
                 </form>
             </td>
@@ -309,6 +317,7 @@
                     <input id="savenotes" type="button" class="cp-submit" value="<?php echo xla("Save"); ?>" />
                     <label for="closenotes"><?php echo xlt("Close"); ?></label>
                     <input id="closenotes" type="button" class="cp-negative" value="<?php echo xla("Close"); ?>" />
+                    <input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
                     </fieldset>
                     </form>
                 </td>

interface/main/main_screen.php

@@ -24,6 +24,7 @@
 /* Include our required headers */
 require_once('../globals.php');
 require_once("$srcdir/formdata.inc.php");
+require_once("../../library/CsrfToken.php");
 
 // Creates a new session id when load this outer frame
 // (allows creations of separate LibreHealth EHR frames to view patients concurrently
@@ -41,6 +42,9 @@
   session_regenerate_id(false);
 }
 
+//generate csrf token
+$_SESSION['token'] = CsrfToken::generateCsrfToken();
+
 $_SESSION["encounter"] = '';
 
 // Fetch the password expiration date

interface/patient_file/letter.php

@@ -90,6 +90,14 @@
 
 $alertmsg = ''; // anything here pops up in an alert box
 
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        error_log('WARNING: A POST request detected with no csrf token found');
+        die('Authentication failed.');
+    } else if (!hash_equals(hash_hmac('sha256', '/letter.php.theform', $_SESSION['token']), $_POST['token'])) {
+        die('Authentication failed.');
+    }
+}
 // If the Generate button was clicked...
 if ($_POST['formaction']=="generate") {
 
@@ -430,6 +438,7 @@ function insertAtCursor(myField, myValue) {
 <form method='post' action='letter.php' id="theform" name="theform">
 <input type="hidden" name="formaction" id="formaction" value="">
 <input type='hidden' name='form_pid' value='<?php echo $pid ?>' />
+<input type='hidden' name='token' value="<?php echo hash_hmac('sha256', '/letter.php.theform', $_SESSION['token']);?>" />
 
 <center>
 <p>

library/CsrfToken.php

@@ -0,0 +1,45 @@
+<?php
+
+class CsrfToken {
+
+    // Generate csrf token for authentication
+    function generateCsrfToken()
+    {
+        if (!extension_loaded('openssl')) {
+        error_log("ERROR: openssl extension not enabled, needed for proper functioning of LibreHealth");
+            die("Error: Systems needs openssl.");
+        }
+
+        $csrfToken = bin2hex(openssl_random_pseudo_bytes(32));
+
+        if (empty($csrfToken)) {
+            error_log("ERROR : Token generation failed");
+            die("Error : Unable to correctly generate token");
+        }
+
+        return $csrfToken;
+    }
+
+    // Function to verify a csrf token
+    function verifyCsrfToken($token)
+    {
+        if (hash_equals($_SESSION['token'], $token)) {
+            return true;
+        } else {
+            error_log("WARNING : Malicious attempt encountered");
+            return false;
+        }
+    }
+    // Function to verify a csrf token using with second token
+    function verifyCsrfTokenAndCompareHash($token, $secondToken)
+    {
+        if (hash_equals(hash_hmac('sha256', $secondToken, $_SESSION['token']), $token) {
+            return true;
+        } else {
+            error_log("WARNING : Malicious attempt encountered");
+            return false;
+        }
+    }
+}
+
+?>

library/sanitize.inc.php

@@ -55,5 +55,4 @@ function image_has_right_size($size) {
   return $size < 20971520;
 }
 
-
 ?>

patient_portal/import_template.php

@@ -19,7 +19,16 @@
 $sanitize_all_escapes=true;
 $fake_register_globals=false;
 require_once("../interface/globals.php"); 
+require_once("../library/CsrfToken.php");
 
+if (!empty($_POST)) {
+    if (!isset($_POST['token'])) {
+        error_log('WARNING: A POST request detected with no csrf token found');
+        die('Authentication failed.');
+    } else if (!(CsrfToken::verifyCsrfToken($_POST['token'])) {
+        die('Authentication failed.');
+    }
+}
 if($_POST['mode'] == 'get'){
     echo file_get_contents($_POST['docid']);
     exit;

patient_portal/import_template_ui.php

@@ -120,7 +120,7 @@ function getDocument(docname, mode, content){
             $.ajax({
                 type: "POST",
                 url: liburl,
-                data: {docid: docname, mode: mode,content: content},
+                data: {docid: docname, mode: mode,content: content, token: <?php echo $_SESSION['token'];?>},
                 beforeSend: function(xhr){
                     console.log("Please wait..."+content);
                 },
@@ -192,6 +192,7 @@ function getDocument(docname, mode, content){
 <button class="btn btn-primary" type="button" onclick="location.href='./patient/provider'"><?php echo xlt('Home'); ?></button>
 <input type='hidden' name="up_dir" value='<?php global $getdir;
 echo $getdir;?>' />
+<input type='hidden' name='token' value="<?php echo $_SESSION['token'];?>" />
 <button class="btn btn-success" type="submit" name="upload_submit" id="upload_submit"><?php echo xlt('Upload Template for'); ?> <span style="font-size:14px;" class="label label-default" id='ptstatus'></span></button>
 
 </form>