CSRF vulnerabilities in remove and delete forms #3332

jekkos · 2021-10-04T20:03:18Z

Some of the forms have CSRF vulnerabilities due to the fact that we allow a GET in the method handling. POST should be enforced everywhere as that would block an attacker into tricking a user with a valid session into triggering form actions on these specific methods.

One case was overlooked and an extra condition is added.

daN4cat · 2021-10-05T12:08:51Z

Despite all the work we have done years ago in improving security, there are still issues. It's a constant learning story.

jekkos changed the title ~~CSRF vulnerabiliities in remove and delete forms~~ CSRF vulnerabilities in remove and delete forms Oct 4, 2021

jekkos self-assigned this Oct 4, 2021

jekkos added the bug label Oct 4, 2021

jekkos added this to the 3.3.6 milestone Oct 4, 2021

jekkos added a commit that referenced this issue Oct 4, 2021

Amend the fix to include delete_supplier (#3332)

329f177

jekkos added a commit that referenced this issue Oct 4, 2021

Amend the fix to include delete_supplier (#3332)

6b3aa87

jekkos closed this as completed Oct 5, 2021

objecttothis mentioned this issue Nov 17, 2022

CI4: Merge changes from the Master into #3271 #3585

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CSRF vulnerabilities in remove and delete forms #3332

CSRF vulnerabilities in remove and delete forms #3332

jekkos commented Oct 4, 2021

daN4cat commented Oct 5, 2021

CSRF vulnerabilities in remove and delete forms #3332

CSRF vulnerabilities in remove and delete forms #3332

Comments

jekkos commented Oct 4, 2021

daN4cat commented Oct 5, 2021