package org.t246osslab.easybuggy.vulnerabilities; import java.io.IOException; import java.util.Locale; import javax.servlet.ServletException; import javax.servlet.annotation.WebServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import javax.servlet.http.HttpSession; import org.apache.commons.lang.StringUtils; import org.apache.directory.shared.ldap.entry.ModificationOperation; import org.apache.directory.shared.ldap.entry.client.ClientModification; import org.apache.directory.shared.ldap.entry.client.DefaultClientAttribute; import org.apache.directory.shared.ldap.message.ModifyRequestImpl; import org.apache.directory.shared.ldap.name.LdapDN; import org.t246osslab.easybuggy.core.dao.EmbeddedADS; import org.t246osslab.easybuggy.core.servlets.AbstractServlet; @SuppressWarnings("serial") @WebServlet(urlPatterns = { "/admins/csrf" }) public class CSRFServlet extends AbstractServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { Locale locale = req.getLocale(); StringBuilder bodyHtml = new StringBuilder(); bodyHtml.append("<form action=\"/admins/csrf\" method=\"post\">"); bodyHtml.append(getMsg("msg.enter.passwd", locale)); bodyHtml.append("<br><br>"); bodyHtml.append(getMsg("label.password", locale) + ": "); bodyHtml.append("<input type=\"password\" name=\"password\" size=\"30\" maxlength=\"30\" autocomplete=\"off\">"); bodyHtml.append("<br><br>"); bodyHtml.append("<input type=\"submit\" value=\"" + getMsg("label.submit", locale) + "\">"); bodyHtml.append("<br><br>"); String errorMessage = (String) req.getAttribute("errorMessage"); if (errorMessage != null) { bodyHtml.append(errorMessage); } bodyHtml.append(getInfoMsg("msg.note.csrf", locale)); bodyHtml.append("</form>"); responseToClient(req, res, getMsg("title.csrf.page", locale), bodyHtml.toString()); } @Override protected void doPost(HttpServletRequest req, HttpServletResponse res) throws ServletException, IOException { Locale locale = req.getLocale(); HttpSession session = req.getSession(); if (session == null) { res.sendRedirect("/"); return; } String userid = (String) session.getAttribute("userid"); String password = StringUtils.trim(req.getParameter("password")); if (!StringUtils.isBlank(userid) && !StringUtils.isBlank(password) && password.length() >= 8) { try { DefaultClientAttribute entryAttribute = new DefaultClientAttribute("userPassword", encodeForLDAP(password.trim())); ClientModification clientModification = new ClientModification(); clientModification.setAttribute(entryAttribute); clientModification.setOperation(ModificationOperation.REPLACE_ATTRIBUTE); ModifyRequestImpl modifyRequest = new ModifyRequestImpl(1); modifyRequest.setName(new LdapDN("uid=" + encodeForLDAP(userid.trim()) + ",ou=people,dc=t246osslab,dc=org")); modifyRequest.addModification(clientModification); EmbeddedADS.getAdminSession().modify(modifyRequest); StringBuilder bodyHtml = new StringBuilder(); bodyHtml.append("<form>"); bodyHtml.append(getMsg("msg.passwd.changed", locale)); bodyHtml.append("<br><br>"); bodyHtml.append("<a href=\"/admins/main\">" + getMsg("label.goto.admin.page", locale) + "</a>"); bodyHtml.append("</form>"); responseToClient(req, res, getMsg("title.csrf.page", locale), bodyHtml.toString()); } catch (Exception e) { log.error("Exception occurs: ", e); req.setAttribute("errorMessage", getErrMsg("msg.passwd.change.failed", locale)); doGet(req, res); } } else { if (StringUtils.isBlank(password) || password.length() < 8) { req.setAttribute("errorMessage", getErrMsg("msg.passwd.is.too.short", locale)); } else { req.setAttribute("errorMessage", getErrMsg("msg.unknown.exception.occur", new String[] { "userid: " + userid }, locale)); } doGet(req, res); } } }