20200722 CSRF Bypass On Endpoints With No Body Parameters
Arjen van Bochoven edited this page Jul 22, 2020
CSRF Bypass On Endpoints With No Body Parameters - CVE-2020-15882
Description
Cross-site request forgery (CSRF) is an attack in which a victim's browser is made to send a request that the web application trusts because it carries the victim's session. The victim is tricked by an attacker into submitting a request they did not intend, which can leak client or server data, change session state, or manipulate the victim's account. MunkiReport only validated its anti-CSRF token on requests made with the POST or DELETE methods; a request sent with any other HTTP method was accepted without the token being checked, so state-changing endpoints reachable through those methods could be driven cross-site.
Vulnerable versions: MunkiReport 2.5.3 through 5.6.2.
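The following is an added illustration, not MunkiReport's own code: a minimal CSRF filter that models the flaw described above (the token is compared only on POST and DELETE) next to a version that checks every method that may change state. The parameter name csrf_token, the header name X-CSRF-Token and the function names are assumptions made for this example.

```php
<?php
// Added illustration, not MunkiReport's own code: a minimal CSRF filter that
// models the flaw described above (the token is only compared on POST and
// DELETE) next to a version that checks every method that may change state.
// Names such as csrf_token and X-CSRF-Token are assumptions for this example.
declare(strict_types=1);

const SAFE_METHODS = ['GET', 'HEAD', 'OPTIONS'];

// Reads the submitted token from a body parameter or a request header, so that
// requests without body parameters (e.g. DELETE /item/42) can still carry one.
function submitted_token(array $body, array $headers): ?string
{
    $t = $body['csrf_token'] ?? $headers['X-CSRF-Token'] ?? null;
    return $t === null ? null : (string) $t;
}

// Weak variant: the gate is the HTTP method. Anything other than POST or
// DELETE returns true before the token is ever compared, so a cross-site
// PUT or PATCH against a state-changing endpoint is accepted.
function csrf_check_weak(string $method, array $body, array $headers, string $sessionToken): bool
{
    if (!in_array(strtoupper($method), ['POST', 'DELETE'], true)) {
        return true; // never compared: forgeable
    }
    $t = submitted_token($body, $headers);
    return $t !== null && hash_equals($sessionToken, $t);
}

// Hardened variant: only the safe (read-only) methods are exempt. Every other
// method must present a token that matches the session, regardless of whether
// the request has body parameters; a missing token is a rejection, not a skip.
function csrf_check_fixed(string $method, array $body, array $headers, string $sessionToken): bool
{
    if (in_array(strtoupper($method), SAFE_METHODS, true)) {
        return true;
    }
    $t = submitted_token($body, $headers);
    return $t !== null && hash_equals($sessionToken, $t);
}

// Constructed sample requests, not captured traffic.
$sessionToken = bin2hex(random_bytes(16));
$requests = [
    // method    body parameters                      headers
    ['PUT',    [],                                 []],                               // cross-site PUT, no body
    ['PATCH',  ['name' => 'x'],                    []],                               // cross-site PATCH, no token
    ['POST',   ['csrf_token' => 'attacker-guess'], []],                               // wrong token
    ['POST',   ['csrf_token' => $sessionToken],    []],                               // legitimate form post
    ['DELETE', [],                                 ['X-CSRF-Token' => $sessionToken]], // legitimate body-less request
    ['GET',    [],                                 []],                               // read-only, no token needed
];

foreach ($requests as [$method, $body, $headers]) {
    printf("%-6s weak=%-5s fixed=%s\n",
        $method,
        csrf_check_weak($method, $body, $headers, $sessionToken) ? 'pass' : 'block',
        csrf_check_fixed($method, $body, $headers, $sessionToken) ? 'pass' : 'block');
}
```

Run with `php csrf_demo.php`: the weak variant lets the PUT and PATCH requests through while the hardened one blocks them, and the two agree on the POST, DELETE and GET cases. Exempting GET, HEAD and OPTIONS is only sound if no route changes state on those methods; any route that does must be moved to a non-safe method, because a token check cannot be applied to a link the browser follows cross-site. Reading the token from a header as well as a body parameter is what keeps body-less requests such as DELETE covered instead of skipped.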
Mitigation
Update MunkiReport to the latest version
- Version specific upgrade notes - https://github.com/munkireport/munkireport-php/wiki/How-to-Upgrade-Versions
- General upgrade documentation - https://github.com/munkireport/munkireport-php/wiki/General-Upgrade-Procedures