Add CSRF protection for actions #8

Closed

JixunMoe opened this issue Jan 23, 2019 · 1 comment

Comments

JixunMoe commented Jan 23, 2019

e.g. the ban feature does not use a CSRF token for protection.

I can construct the URL http://somewhere.com/ban.php?id=1 and embed it as an image. Once an admin is tricked into visiting the page, it will cause the server to begin deleting someone's images.

Suggestion: any action to be performed other than read should be verified against a valid CSRF token.

More details:

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
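The mitigation the report asks for (state-changing actions only accepted with a valid, per-session CSRF token) in a small self-contained form. This is an added illustration, not the project's own PHP code: the `handle_ban` handler, the request dictionary, and the in-memory session store are constructed stand-ins. The example goes slightly beyond the request by also refusing GET for state changes, which is what closes the image-embedding vector the report describes, since an `<img>` tag can only issue a GET.

```python
import hmac
import secrets
from typing import Optional, Tuple

# Constructed stand-in for a server-side session store: session id -> CSRF token.
# In a real app this lives in the session backend, never in a global dict.
SESSIONS = {}


def issue_csrf_token(session_id: str) -> str:
    """Create (or reuse) an unguessable per-session CSRF token.

    The token is rendered into the admin's own forms as a hidden field.
    A third-party page cannot read it, because the same-origin policy
    stops it from reading responses from this site, so it cannot forge
    a request that carries the right value.
    """
    token = SESSIONS.get(session_id)
    if token is None:
        token = secrets.token_hex(32)  # 256 bits from the OS CSPRNG
        SESSIONS[session_id] = token
    return token


def is_valid_csrf(session_id: str, submitted: Optional[str]) -> bool:
    """Compare the submitted token with the one bound to this session.

    compare_digest avoids leaking how many leading characters matched
    through timing differences.
    """
    expected = SESSIONS.get(session_id)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_ban(request: dict) -> Tuple[int, str]:
    """Hypothetical state-changing handler modelled on the issue's ban action.

    `request` is a constructed dict with keys: method, session_id, form.
    The session cookie is assumed to be sent automatically by the browser
    (that is exactly why a cross-site request would otherwise succeed).
    """
    if request["method"] != "POST":
        # <img src="..."> and plain links only ever produce GET requests.
        # Refusing GET for anything that changes state removes the
        # image-embedding vector before the token is even consulted.
        return 405, "state-changing action requires POST"

    form = request.get("form", {})
    if not is_valid_csrf(request["session_id"], form.get("csrf_token")):
        # A cross-site form POST carries the victim's cookie but not the
        # token, so it is rejected here without touching any data.
        return 403, "missing or invalid CSRF token"

    target = form.get("id")
    # Real code would perform the ban here; this stub only reports it.
    return 200, f"banned user {target}"


if __name__ == "__main__":
    admin = "admin-session"
    token = issue_csrf_token(admin)
    # Forged request, as from an embedded image: GET with only the cookie.
    print(handle_ban({"method": "GET", "session_id": admin, "form": {"id": "1"}}))
    # Forged request, as from a cross-site auto-submitting form: POST, no token.
    print(handle_ban({"method": "POST", "session_id": admin, "form": {"id": "1"}}))
    # Legitimate request from the site's own form, carrying the token.
    print(handle_ban({"method": "POST", "session_id": admin,
                      "form": {"id": "1", "csrf_token": token}}))
```

The token must be bound to the session (or signed with a server secret that incorporates the session), otherwise an attacker's own valid token could be replayed in the victim's session. Rotating the token on login and rejecting requests whose session has no token at all covers the case where the store has been reset.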

lfiore (Owner) commented Jan 25, 2019

Added. Thanks for the report.

lfiore closed this Jan 25, 2019