fix(admin): verify CSRF token in server-settings admin Mods [#139] (#268)

2026-06-29 00:54:31 +00:00 · 2026-06-23 15:12:54 +02:00
parent c98bcf266b
commit 886f421f50
20 changed files with 73 additions and 0 deletions
@@ -11,6 +11,12 @@

 if(!isset($_SESSION)) session_start();
 if($_SESSION['access'] < 9) die(ACCESS_DENIED_ADMIN);
+
+// Issue #139: this Mod is POSTed to directly, so it must verify the CSRF token
+// itself (it does not go through admin.php's central csrf_verify()).
+require_once(__DIR__ . '/../csrf.php');
+csrf_verify();
+
 include_once("../../Database.php");
 include_once("../../config.php");
 $id = (int) $_POST['id'];