Ticket #383 (closed defect: fixed)

Opened 4 months ago

Last modified 4 months ago

CSRF for commentwall

Reported by: tsewen
Assigned to: nobody
Priority: high
Milestone: 0.9.2
Component: core
Version: 0.9.1
Severity: major
Keywords: csrf
Cc:
Patch Included: 1
Review Stage: reviewed

Description (Last modified by misja)

There is a Cross Site Request Forgery vulnerability against the CommentWall. While this may seem trivial, an attacker may take advantage of the CommentWall to figure out when another CSRF has taken place. An attacker can create an account on an Elgg social network. Then, when he is taking advantage of another CSRF vulnerability, he can also post on the CommentWall of his account as the victim. Then he can quietly delete the victim's post, leaving no trace.

The patch is included. I found this on Elgg 0.9.2, but this version is not in the drop-down.
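
As an added illustration, not the attached commentwall.diff and not Elgg's own code: a hypothetical comment-wall post and delete handler in Python, shown first without and then with a session-bound anti-CSRF token, so that both the forged post and the quiet delete described in the report are refused when the request lacks the token that only the site's own form can supply. The names sessions, wall, login, csrf_token, post_comment and delete_comment are assumptions made for this example.

```python
import hmac
import secrets
from typing import Dict, Optional

# Constructed in-memory stand-ins for the session store and the comment wall
# table; these hypothetical handlers are illustrative, not Elgg's own code.
sessions: Dict[str, Dict[str, str]] = {}
wall: Dict[int, Dict[str, str]] = {}
_counter = {"next_id": 1}

def login(user: str) -> str:
    """Start a session and mint an unguessable per-session anti-CSRF token."""
    sid = secrets.token_hex(16)
    sessions[sid] = {"user": user, "csrf": secrets.token_hex(32)}
    return sid

def csrf_token(sid: str) -> str:
    """The value the site's own form embeds as a hidden field."""
    return sessions[sid]["csrf"]

def _token_ok(sid: str, token: Optional[str]) -> bool:
    # The browser attaches the session cookie to a cross-site form post, but
    # that form cannot read the token, so a missing or wrong token means forgery.
    return token is not None and hmac.compare_digest(sessions[sid]["csrf"], token)

def post_comment_vulnerable(sid: str, owner: str, text: str) -> int:
    # 'Before': only the cookie-backed session is consulted, so a form
    # submission the victim's browser makes from any origin is accepted.
    cid = _counter["next_id"]
    _counter["next_id"] += 1
    wall[cid] = {"owner": owner, "author": sessions[sid]["user"], "text": text}
    return cid

def post_comment(sid: str, owner: str, text: str, token: Optional[str]) -> Optional[int]:
    # 'After': refuse (HTTP 403 in a real handler) unless the token matches.
    if not _token_ok(sid, token):
        return None
    return post_comment_vulnerable(sid, owner, text)

def delete_comment(sid: str, cid: int, token: Optional[str]) -> bool:
    # Deletion gets the same check, so the quiet clean-up step is blocked too.
    if not _token_ok(sid, token):
        return False
    user = sessions[sid]["user"]
    if user not in (wall[cid]["author"], wall[cid]["owner"]):
        return False
    del wall[cid]
    return True
```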

Attachments

commentwall.diff (1.5 kB) - added by tsewen on 07/25/08 00:37:26.
Patch for CSRF vulnerability on CommentWall?

Change History

07/25/08 00:37:26 changed by tsewen

  • attachment commentwall.diff added.

Patch for CSRF vulnerability on CommentWall?

08/06/08 07:47:31 changed by misja

  • status changed from new to closed.
  • resolution set to fixed.
  • description changed.
  • review_stage changed from unreviewed to reviewed.

Fixed in r1613