Ticket #382 (closed defect: fixed)

Opened 4 months ago

Last modified 4 months ago

CSRF on Site Admin Page

Reported by: tsewen
Assigned to: nobody
Priority: highest
Milestone: 0.9.2
Component: core
Version: 0.9.1
Severity: critical
Keywords: csrf
Cc:
Patch Included: 1
Review Stage: reviewed

Description (Last modified by misja)

Currently the site admin page has CSRF vulnerabilities. While pages_html_form is called to insert a hidden field form_key into the form and store the form_key inside the user session, elggform_key_check is not called to check the form_key submitted. An attacker can become an admin, deface the website, or steal logins / passwords of users, among other nasty stuff.

I found this on Elgg 0.9.2. Patch is included.
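Added illustration of the defect described above (not code from the attached patch or from Elgg): the admin page emits a hidden form_key and stores it in the session, but the POST handler never verifies it, so a forged cross-site request is accepted. The helper names, signatures and apply_admin_settings() below are assumed stand-ins, not Elgg's pages_html_form / elggform_key_check.

```php
<?php
// Hypothetical stand-ins for the Elgg helpers named in the ticket.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// The half the ticket says already happens: create a per-session form_key,
// keep it in the session, and emit it as a hidden field in the admin form.
function form_key_field(): string {
    if (empty($_SESSION['form_key'])) {
        $_SESSION['form_key'] = bin2hex(random_bytes(32));
    }
    $key = htmlspecialchars($_SESSION['form_key'], ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="form_key" value="' . $key . '">';
}

// The missing half: compare the submitted key with the session copy.
// hash_equals() does a constant-time comparison; both arguments must be strings.
function form_key_check(array $post): bool {
    if (empty($_SESSION['form_key']) || !isset($post['form_key'])) {
        return false;
    }
    return is_string($post['form_key'])
        && hash_equals($_SESSION['form_key'], $post['form_key']);
}

// Vulnerable shape: the state change runs on any POST, so a request forged
// from a logged-in admin's browser is honoured.
function admin_action_vulnerable(array $post): bool {
    $success = apply_admin_settings($post);
    return $success;
}

// Fixed shape: refuse the request unless form_key matches, then rotate the key
// so a captured token cannot be replayed after a successful change.
function admin_action_fixed(array $post): bool {
    if (!form_key_check($post)) {
        http_response_code(403);
        return false;
    }
    $success = apply_admin_settings($post);
    $_SESSION['form_key'] = bin2hex(random_bytes(32));
    return $success;
}

// Placeholder for the real admin action (assumed for this example).
function apply_admin_settings(array $post): bool {
    return true;
}
```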

Attachments

elggadmin.diff (1.1 kB) - added by tsewen on 07/25/08 00:06:26.
Patch for the CSRF vulnerability

Change History

07/25/08 00:06:26 changed by tsewen

  • attachment elggadmin.diff added.

Patch for the CSRF vulnerability

07/25/08 00:08:07 changed by tsewen

Also note that I corrected the spelling of $sucess to $success. The misspelling may have caused a change of the value $success to be dropped, although I saw no effect in correcting the misspelling.

08/06/08 07:43:15 changed by misja

  • status changed from new to closed.
  • resolution set to fixed.
  • description changed.
  • review_stage changed from unreviewed to reviewed.

Fixed in r1612