5 comments on commit
Implement CSRF token by default
Implement CSRF protection on CMS for postback handling
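The commit message above describes a synchronizer-token check on CMS postbacks. The following is an added illustration of that pattern, not OctoberCMS code from this commit: it keeps one random token per session, embeds it in the form, and rejects any POST whose submitted value does not match. The class name `CsrfGuard`, the handler `handlePostback` and the field name `_token` are assumed for the example; the session store is a plain array so the script runs from the command line without a web server.

```php
<?php
// Added illustration (not OctoberCMS code): a synchronizer-token CSRF check
// applied to a form postback. Session storage is simulated with an array so
// the script runs from the command line without a web server.
declare(strict_types=1);

final class CsrfGuard
{
    private const SESSION_KEY = '_csrf_token';

    /** @var array<string,mixed> */
    private array $session;

    /** @param array<string,mixed> $session session store, taken by reference */
    public function __construct(array &$session)
    {
        $this->session = &$session;
    }

    /** Return the per-session token, generating it on first use. */
    public function token(): string
    {
        if (!isset($this->session[self::SESSION_KEY])) {
            $this->session[self::SESSION_KEY] = bin2hex(random_bytes(32));
        }
        return $this->session[self::SESSION_KEY];
    }

    /** Constant-time comparison; fails closed when either side is missing. */
    public function verify(?string $submitted): bool
    {
        $expected = $this->session[self::SESSION_KEY] ?? null;
        if (!is_string($expected) || $submitted === null) {
            return false;
        }
        return hash_equals($expected, $submitted);
    }
}

/**
 * Hypothetical postback handler: state may change only when the request is a
 * POST carrying a valid token in the assumed field name `_token`.
 */
function handlePostback(CsrfGuard $guard, string $method, array $post): string
{
    if ($method !== 'POST') {
        return '405 method not allowed';
    }
    if (!$guard->verify($post['_token'] ?? null)) {
        // Reject before touching any state; a real handler would log this.
        return '403 invalid CSRF token';
    }
    return '200 postback accepted';
}

// --- constructed walk-through ---
$session = [];                       // constructed stand-in for $_SESSION
$guard   = new CsrfGuard($session);

// The page rendering the form embeds the session token in a hidden field.
$hidden = sprintf(
    '<input type="hidden" name="_token" value="%s">',
    htmlspecialchars($guard->token(), ENT_QUOTES, 'UTF-8')
);
echo $hidden, PHP_EOL;

// 1. Legitimate postback from that form carries the session's token.
echo handlePostback($guard, 'POST', ['_token' => $guard->token()]), PHP_EOL;

// 2. Cross-site request: a third-party page cannot read the victim's token,
//    so the forged POST arrives without it and is refused.
echo handlePostback($guard, 'POST', ['action' => 'delete']), PHP_EOL;

// 3. A token from some other session does not match this session either.
echo handlePostback($guard, 'POST', ['_token' => bin2hex(random_bytes(32))]), PHP_EOL;
```

Two details matter for the check to hold: the expected value comes from the server-side session, never from anything in the request itself, and the comparison uses `hash_equals` so that a mismatch does not leak timing information. Regenerating the token when a user logs in keeps a token obtained before authentication from being reused afterwards.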
Showing 2 changed files with 30 additions and 1 deletion.
4a6e0e1
I can confirm that it has mitigated the CSRF vulnerability for postback handling.
@daftspunk and @ZainSabahat
Is it safe to assume that the CSRF vulnerability was present in most versions prior to build 426 as well?
Just seeking clarification that version 419 and earlier, which cannot be upgraded due to PHP versions, need to be manually patched?
@ARH-Digital That would be correct, although you should really update your environments to use more modern versions of PHP to stay up to date with all of the security fixes, performance improvements, general bug fixes, and features to come. A host that provides >= PHP7 is not expensive; there is rarely a good reason to stick with <7, especially when factoring in the performance improvements in 7.
Thank you for the confirmation. I totally agree with the hosting. However, I work for an agency and we do offer hosting, but alas, we cannot control the environments of all our clients, and are restricted in some instances.
Let your clients know what they risk by not upgrading versions and perhaps provide them options for better hosts that will upgrade if their current one refuses to.