Permalink
Browse files

Use Administrate::ApplicationController.protect_from_forgery

`Administrate::ApplicationController` didn't call
`protect_from_forgery`, which means that non-GET methods don’t validate
CSRF tokens. Thus, it is possible for an attacker to hijack user
session's and act on administrate actions on their behalf.

Thanks to Jason Yeo (@jsyeo) of SRC:CLR for finding and reporting this
vulnerability.

CVE-2016-3098
1 parent 3bccdb3 commit be738a54b866191bf49664d8c6116587fb971759 @tute tute committed Apr 1, 2016
Showing with 2 additions and 0 deletions.
  1. +2 −0 app/controllers/administrate/application_controller.rb
@@ -1,5 +1,7 @@
module Administrate
class ApplicationController < ActionController::Base
+ protect_from_forgery with: :exception
+
def index
search_term = params[:search].to_s.strip
resources = Administrate::Search.new(resource_resolver, search_term).run

0 comments on commit be738a5

Please sign in to comment.