// Entry-point flags read by the Dolibarr bootstrap that is required right after
// this run. Each one is guarded so a caller that has already defined it wins.
// Judging by their names, NOLOGIN and NOCSRFCHECK let this page load without a
// session and without its own CSRF token (confirm in main.inc.php); that is only
// acceptable because the page is a test harness and is meant to be refused when
// $dolibarr_main_prod is set (see the check that follows the require).
if (!defined('NOREQUIRESOC')) {
    define('NOREQUIRESOC', '1');
}
if (!defined('NOSTYLECHECK')) {
    define('NOSTYLECHECK', '1');
}
if (!defined('NOCSRFCHECK')) {
    define('NOCSRFCHECK', '1');
}
if (!defined('NOTOKENRENEWAL')) {
    define('NOTOKENRENEWAL', '1');
}
if (!defined('NOLOGIN')) {
    define('NOLOGIN', '1');
}
// Dolibarr bootstrap. The NO* flags are defined before this line, presumably so
// that main.inc.php sees them during its entry checks — confirm there.
require '../../main.inc.php';
28 if ($dolibarr_main_prod) {
// Response headers for the harness page itself.
// NOTE(review): this run is reached after the `if ($dolibarr_main_prod)` check
// above, whose body is not visible here; confirm it denies access so the harness
// is never served on a production instance.
// NOTE(review): browsers accept "UTF8" as a label for UTF-8, but the registered
// charset name is "UTF-8"; consider normalising the label.
// nosniff stops MIME sniffing of this response; SAMEORIGIN stops other origins
// from framing it.
foreach ([
    'Content-type: text/html; charset=UTF8',
    'X-Content-Type-Options: nosniff',
    'X-Frame-Options: SAMEORIGIN',
] as $responseHeader) {
    header($responseHeader);
}
This is a form to test whether a CSRF vulnerability exists in a Dolibarr page.<br>
- Change the URL the request is sent to in this file (the URL of a hard-coded page on server B)<br>
- Open this form on virtual server A.<br>
- Send the request to virtual server B by clicking Submit.<br>
- Check that the anti-CSRF protection is triggered.<br>
// Target of the cross-site POST built below. It is a literal on purpose (the
// instructions on this page say to edit it here), never request input.
// NOTE(review): the value is echoed unescaped into the form's action attribute
// and into the text printed here; keep it a literal, or pass it through
// htmlspecialchars() before it can come from anywhere else.
// NOTE(review): the logout form near the end of the page points at a different
// host (localhostgit/dolibarr_dev); adjust both when retargeting the test.
$urltosendrequest = 'http://127.0.0.1/dolibarr/htdocs/user/group/card.php';
printf('urltosendrequest = %s<br><br>', $urltosendrequest);
<!-- Cross-site POST to the page named by $urltosendrequest above.
     No "token" field is sent on purpose: the hidden input stays commented out,
     so a correctly protected target is expected to reject this request
     (that rejection is what the test checks for).
     target="_blank" presumably keeps this harness page open by showing the
     response in a new tab. -->
<form method="POST" action="<?php echo $urltosendrequest; ?>" target="_blank">
    <!-- <input type="hidden" name="token" value="123456789"> -->
    <input type="text" name="action" value="add">
    <input type="text" name="nom" value="New group test">
    <input type="submit" name="submit" value="Submit">
<!-- Rewrites the address bar to "/" before the auto-submit at the end of the page
     fires document.forms[0], the first form (the POST above); presumably so the
     Referer sent with that POST does not carry this page's path. Confirm. -->
<script>history.pushState('', '', '/')</script>
<!-- Second form: a GET to the target's logout page, with no auto-submit; presumably
     for ending the session on the target after the test. Note it names a different
     host than $urltosendrequest. -->
<form action="http://localhostgit/dolibarr_dev/htdocs/user/logout.php">
    <input type="submit" value="Submit request" />
document.forms[0].submit();