Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSRF prevention #54

Closed
berdario opened this issue Jul 1, 2016 · 2 comments

Comments

Projects
None yet
1 participant
@berdario
Copy link

commented Jul 1, 2016

Same issue as #24 which was unfortunately not recognized for the severe bug that it is.

Yesterday I explained privately the issue to @sheehan and supplied him a POC. Will add the same information here once a fix is released (or otherwise to expedite its release), but for now this issue should merely serve to keep track of it publicly

@sheehan sheehan closed this in 155e0f5 Jul 31, 2016

@berdario

This comment has been minimized.

Copy link
Author

commented Aug 3, 2016

Thank you, but I noticed that the vulnerability is still exploitable

Btw, this vuln has been assigned id CVE-2016-6521

@berdario

This comment has been minimized.

Copy link
Author

commented Aug 8, 2016

Thank you, I confirm that now this functionality appears secure.

Here's the POC people can use to check if they're vulnerable (just check if your browser network inspector if you're receiving back a 403 when visiting the poc page)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.