/login route should not be GET (CSRF)

[f446843]

I have a security bug found!
check out http://try.nodebb.org/topic/95/csrf-attack

[julianlam]

Neat... the logout url was passed into the standard markdown image tag, causing the viewer to become logged out.

[f446843]

for the attack I have used the following code:
it sends a request to the specified url http://try.nodebb.org/logout.

[f446843]

the requested image should not be loaded directly via the browser. instead, should be the nodebb-server in the middle.

[f446843]

alternatively, the file extension or MIME type could be examined.

[f446843]

It is also interesting that you are still logged in via the socket connection, even though you are logged out via normal http.

[julianlam]

Changing logout route to POST with CSRF should be enough to prevent this exploit. Any other GET routes should be examined to ensure that nothing is done, as the GET verb should only return and never modify resources.