dolibarr 19.0.4
test_csrf.php
1<?php
2//define("NOLOGIN",1); // This means this output page does not require to be logged.
3//if (!defined('NOREQUIREUSER')) define('NOREQUIREUSER', '1');
4//if (!defined('NOREQUIREDB')) define('NOREQUIREDB', '1');
5if (!defined('NOREQUIRESOC')) {
6 define('NOREQUIRESOC', '1');
7}
8//if (!defined('NOREQUIRETRAN')) define('NOREQUIRETRAN', '1');
9if (!defined('NOSTYLECHECK')) {
10 define('NOSTYLECHECK', '1'); // Do not check style html tag into posted data
11}
12//if (!defined('NOREQUIREMENU')) define('NOREQUIREMENU', '1'); // If there is no need to load and show top and left menu
13//if (!defined('NOREQUIREHTML')) define('NOREQUIREHTML', '1'); // If we don't need to load the html.form.class.php
14//if (!defined('NOREQUIREAJAX')) define('NOREQUIREAJAX', '1'); // Do not load ajax.lib.php library
15if (!defined("NOLOGIN")) {
16 define("NOLOGIN", '1'); // If this page is public (can be called outside logged session)
17}
18
19// Load Dolibarr environment
20require '../../main.inc.php';
21
22// Security
23if ($dolibarr_main_prod) {
24 accessforbidden();
25}
26
27
28/*
29 * View
30 */
31
32header("Content-type: text/html; charset=UTF8");
33
34// Security options
35header("X-Content-Type-Options: nosniff"); // With the nosniff option, if the server says the content is text/html, the browser will render it as text/html (note that most browsers now force this option to on)
36header("X-Frame-Options: SAMEORIGIN"); // Frames allowed only if on same domain (stop some XSS attacks)
37?>
38
39This is a form to test if a CSRF exists into a Dolibarr page.<br>
40<br>
41- Change url to send request to into this file (URL to a hard coded page on a server B)<br>
42- Open this form into a virtual server A.<br>
43- Send the request to the virtual server B by clicking submit.<br>
44- Check that Anticsrf protection is triggered.<br>
45
46<br>
47<?php
48 $urltosendrequest = "http://127.0.0.1/dolibarr/htdocs/user/group/card.php";
49 print 'urltosendrequest = '.$urltosendrequest.'<br><br>';
50?>
51
52Test post
53<form method="POST" action="<?php echo $urltosendrequest; ?>" target="_blank">
54<!-- <input type="hidden" name="token" value="123456789"> -->
55<input type="text" name="action" value="add">
56<input type="text" name="nom" value="New group test">
57<input type="submit" name="submit" value="Submit">
58</form>
59
60
61Test logout
62<html>
63 <body>
64 <script>history.pushState('', '', '/')</script>
65 <form action="http://localhostgit/dolibarr_dev/htdocs/user/logout.php">
66 <input type="submit" value="Submit request" />
67 </form>
68 <script>
69 document.forms[0].submit();
70 </script>
71 </body>
72</html>
type
if(preg_match('/crypted:/i', $dolibarr_main_db_pass)||!empty($dolibarr_main_db_encrypted_pass)) $conf db type
Definition repair.php:121
name
$conf db name
Only used if Module[ID]Name translation string is not found.
Definition repair.php:124
accessforbidden
accessforbidden($message='', $printheader=1, $printfooter=1, $showonlymessage=0, $params=null)
Show a message to say access is forbidden and stop program.
Definition security.lib.php:1192
Generated on Sat Oct 4 2025 01:00:26 for dolibarr by Doxygen 1.11.0