"Potential CSRF attack" when trying to manage users #491
Labels
Comments
|
Fix is in v3.2.0 beta 2 |
GaneshKandu
added a commit
to GaneshKandu/PodcastGenerator
that referenced
this issue
Apr 21, 2022
Hi, I am getting similar error mentioned here PodcastGenerator#491 unsername is in post request but its checking it in get request, i think we should check usercreate in get its working for me https://github.com/PodcastGenerator/PodcastGenerator/blob/4b590615a1a51654a6c90137f03470c405534ed1/PodcastGenerator/admin/pg_users.php#L14-L16
2 tasks
coldacid
pushed a commit
that referenced
this issue
Apr 22, 2022
For each operation case (change password, delete, create), call `checkToken()` individually rather than having the one call at the top. This avoids the issue where we have different GET params that may or may not need to be protected against CSRF attacks. Credit to @GaneshKandu for discovering my original fix in 44379be didn't fully fix the problem in #491. Refs #491, supersedes #588
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
System Information
Podcast Generator Version: 3.2.0-beta
Webserver: docker - mitlabs/apache-php7.3
PHP Version: docker - mitlabs/apache-php7.3
Expected behavior
Expected a page to manage users
Actual behavior
Returns blank webpage with only the following:
Potential CSRF attackon both Brave and Firefox browsers.Docker logs
How to reproduce
Try to click a user link ( https://podcast.domain.tld/admin/pg_users.php?username=user ) on page https://podcast.domain.tld/admin/pg_users.php
Question
Is this a PodcastGenerator problem or an Apache/PHP config problem??
The text was updated successfully, but these errors were encountered: