Protect attachment downloads against CSRF #4957

Closed
rcubetrac opened this Issue Jan 16, 2016 · 3 comments

Reported by @thomascube on 16 Jan 2016 16:36 UTC as Trac ticket #1490642

Message attachments are downloaded via GET requests (with _download=1) and therefore can be triggered by a 3rd party site with guessed URLs and an active session in the victim's browser. While this doesn't disclose any data to the attacker site, it triggers unwanted file downloads and puts load on the server as well as fills the victim's disk if executed repeatedly.

We already have CSRF protection means with session-based request tokens. Requiring such tokens on download URLs would add the necessary protection against these unwanted downloads.

Migrated-From: http://trac.roundcube.net/ticket/1490642
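Added example (not Roundcube's own code, which is PHP): a minimal Python model of the two handlers this ticket contrasts, the GET download endpoint that only checks the session cookie, and the same endpoint requiring a session-bound request token. The session store, the server secret, the URL shape and the `_token` parameter name are assumptions made for illustration; Roundcube's actual token scheme and parameter names are not shown on this page.

```python
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample state: one logged-in session and a server-side secret.
# In a real deployment the secret comes from configuration and the session
# from the session store; both are assumed here.
SERVER_SECRET = b"constructed-example-secret-do-not-reuse"
SESSIONS = {"sess_alice": {"user": "alice"}}


def request_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC(secret, session id).

    Binding the token to the session is what defeats the forged request: the
    attacker page can guess the URL, but it can read neither the victim's
    session id nor the server secret, so it cannot produce the token.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def _query(url: str) -> dict:
    """Flatten the query string into a single-valued dict."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


def vulnerable_download(url: str, cookie_session: Optional[str]) -> str:
    """Before: any GET with _download=1 plus a valid session cookie serves the file."""
    q = _query(url)
    if cookie_session not in SESSIONS:
        return "401 not logged in"
    if q.get("_download") != "1":
        return "200 inline view"
    return f"200 attachment uid={q.get('_uid')} part={q.get('_part')}"


def protected_download(url: str, cookie_session: Optional[str]) -> str:
    """After: the URL must also carry the session's request token in _token (assumed name)."""
    q = _query(url)
    if cookie_session not in SESSIONS:
        return "401 not logged in"
    supplied = q.get("_token", "")
    expected = request_token(cookie_session)
    # compare_digest avoids leaking the token byte by byte through timing
    if not hmac.compare_digest(supplied, expected):
        return "403 invalid request token"
    if q.get("_download") != "1":
        return "200 inline view"
    return f"200 attachment uid={q.get('_uid')} part={q.get('_part')}"


# Hypothetical URL in the shape the ticket describes: message uid and MIME part
# are guessable, so an attacker page can embed it as an <img> or <iframe> src.
ATTACKER_URL = "https://mail.example/?_task=mail&_action=get&_uid=123&_part=2&_download=1"


def demo() -> dict:
    """Run both handlers against the forged URL and a legitimately tokenised one."""
    token = request_token("sess_alice")
    legit_url = ATTACKER_URL + "&_token=" + token
    return {
        "vulnerable_forged": vulnerable_download(ATTACKER_URL, "sess_alice"),
        "protected_forged": protected_download(ATTACKER_URL, "sess_alice"),
        "protected_legit": protected_download(legit_url, "sess_alice"),
        "protected_wrong_token": protected_download(ATTACKER_URL + "&_token=" + "0" * 64, "sess_alice"),
        "protected_no_session": protected_download(legit_url, None),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The forged request still carries the victim's cookie, so the session check alone passes in both versions; only the token, which a cross-origin page cannot read, stops the download. Because the token travels in the query string it will appear in server logs and Referer headers, so it should be a derived per-session value as above rather than the session id itself.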

rcubetrac Mar 6, 2016

Comment by @alecpl on 6 Mar 2016 15:20 UTC

Fixed in 4a40884. Backported to 1.1 in 699af1e.

rcubetrac Mar 6, 2016

Status changed by @alecpl on 6 Mar 2016 15:20 UTC

new => closed

alecpl Sep 13, 2016

The vulnerability was discovered by Fortinet's FortiGuard Labs.
