Weak Cross-site Resource Forgery (CSRF) Protection #2469

Closed · Loginsoft-Research opened this issue Jan 24, 2019 · 0 comments
Describe Your Environment

  • ZoneMinder v1.33.1
  • Installed from - ppa:iconnor/zoneminder-master

Describe the bug
Try again button in callback function - Whenever a CSRF check fails, a callback function is called that displays a failure message. Unfortunately there is also a "Try again" button on the page, which allows the failed request to be resent, making the attack successful.

To Reproduce

[screenshot: csrf]

Expected behavior
This allows an attacker to easily carry out the CSRF attack.
Normally users are not technical enough to understand what a CSRF failure message is, and would generally click "Try Again", themselves making the attack successful.

Debug Logs

None
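To make the failure mode concrete, here is an added Python model of the flow the report describes. It is not ZoneMinder's code: the token field name `__csrf_magic`, the `/index.php` action, the `action`/`mid` form fields and all function names are assumptions for illustration. The weak callback re-emits every submitted field as a hidden input next to a valid token, so the victim's one click replays the attacker-chosen request with the victim's own token; the hardened callback discards the submitted data and offers only a plain GET link back.

```python
import hmac
import re
import secrets
from html import escape, unescape
from typing import Callable, Dict, Optional, Tuple

TOKEN_FIELD = "__csrf_magic"  # assumed name of the hidden CSRF token field


def new_session() -> Dict[str, str]:
    """Per-session secret; a cross-site attacker cannot read it."""
    return {"csrf_token": secrets.token_hex(16)}


def csrf_ok(session: Dict[str, str], form: Dict[str, str]) -> bool:
    """Constant-time comparison of the submitted token with the session token."""
    return hmac.compare_digest(form.get(TOKEN_FIELD, ""), session["csrf_token"])


def weak_failure_page(session: Dict[str, str], form: Dict[str, str]) -> str:
    """Weak callback: preserves the rejected request's parameters in a new
    form, adds a valid token, and offers a 'Try again' button."""
    hidden = "".join(
        f'<input type="hidden" name="{escape(k)}" value="{escape(v)}">'
        for k, v in form.items()
        if k != TOKEN_FIELD
    )
    return (
        "<p>CSRF check failed.</p>"
        '<form method="post" action="/index.php">'
        f"{hidden}"
        f'<input type="hidden" name="{TOKEN_FIELD}" value="{session["csrf_token"]}">'
        '<input type="submit" value="Try again">'
        "</form>"
    )


def safe_failure_page(session: Dict[str, str], form: Dict[str, str]) -> str:
    """Hardened callback: the rejected parameters are dropped; the only way
    onward is a GET link that carries no state-changing data."""
    return (
        "<p>CSRF check failed. The submitted action was discarded.</p>"
        '<a href="/index.php">Return to ZoneMinder</a>'
    )


FailurePage = Callable[[Dict[str, str], Dict[str, str]], str]


def handle_post(session: Dict[str, str], form: Dict[str, str],
                failure_page: FailurePage) -> Tuple[str, Optional[str]]:
    """Returns ("applied", None) when the state change runs,
    ("rejected", html) when the CSRF check blocks it."""
    if csrf_ok(session, form):
        return "applied", None
    return "rejected", failure_page(session, form)


HIDDEN_RE = re.compile(r'<input type="hidden" name="([^"]+)" value="([^"]*)">')


def click_try_again(page: str) -> Optional[Dict[str, str]]:
    """Simulates the victim pressing the button: the form the browser would
    POST, or None when the page contains no form to submit."""
    if "<form" not in page:
        return None
    return {unescape(k): unescape(v) for k, v in HIDDEN_RE.findall(page)}


def run_attack(failure_page: FailurePage) -> Tuple[str, Optional[Dict[str, str]]]:
    """Cross-site POST (no token) followed by the victim's click; returns the
    final status and the replayed form, if any."""
    session = new_session()
    forged = {"action": "delete", "mid": "7"}  # constructed attacker request
    status, page = handle_post(session, forged, failure_page)
    if status != "rejected":
        return status, None
    replay = click_try_again(page)
    if replay is None:
        return "rejected", None
    status, _ = handle_post(session, replay, failure_page)
    return status, replay


if __name__ == "__main__":
    print("weak callback :", run_attack(weak_failure_page)[0])
    print("safe callback :", run_attack(safe_failure_page)[0])
```

The replayed form in the weak case is the attacker's `action=delete` request unchanged, now carrying the victim's token; the check itself was never bypassed, the callback simply handed the token over. The fix is therefore in the failure page, not the token comparison: never re-emit the rejected request's parameters, and make the only continuation a request that changes no state.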
