Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CSRF prevention #54

Closed
berdario opened this issue Jul 1, 2016 · 2 comments
Closed

CSRF prevention #54

berdario opened this issue Jul 1, 2016 · 2 comments

Comments

@berdario
Copy link

berdario commented Jul 1, 2016

Same issue as #24 which was unfortunately not recognized for the severe bug that it is.

Yesterday I explained privately the issue to @sheehan and supplied him a POC. Will add the same information here once a fix is released (or otherwise to expedite its release), but for now this issue should merely serve to keep track of it publicly

@berdario
Copy link
Author

berdario commented Aug 3, 2016

Thank you, but I noticed that the vulnerability is still exploitable

Btw, this vuln has been assigned id CVE-2016-6521

@berdario
Copy link
Author

berdario commented Aug 8, 2016

Thank you, I confirm that now this functionality appears secure.

Here's the POC people can use to check if they're vulnerable (just check if your browser network inspector if you're receiving back a 403 when visiting the poc page)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant