Bug #3460

closed

CSRF Protection - Package manager

Added by Fernando Munoz almost 11 years ago. Updated almost 11 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Package System
Target version:
Start date: 02/17/2014
Due date:
% Done: 100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version: All
Affected Architecture:

Description

The CSRF protection doesn't work on the package manager, as it takes the parameters to install/uninstall/reinstall packages directly from GET parameters in the request URI.

Example: Visiting https://ip/pkg_mgr_install.php?id=arping will automatically install the arping package, without user confirmation required.
Visiting https://ip/pkg_mgr_install.php?mode=delete&pkg=snort will remove the snort package.
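
The following PHP is an added illustration, not pfSense code and not the fix applied for this ticket: it contrasts a handler that acts on GET parameters, as the report describes, with one that changes state only on a POST carrying a per-session token. The function names, the `csrf_token` field and the `install`/`reinstall` mode values are assumptions; `id`, `mode=delete` and `pkg` come from the report.

```php
<?php
// Added illustration; hypothetical handlers, not pfSense source code.

// Shape described in the report: the action comes straight from the query
// string, so a request that carries no secret is enough to trigger it.
function handle_get_driven(array $get): string {
    if (($get['mode'] ?? '') === 'delete' && isset($get['pkg'])) {
        return 'delete:' . $get['pkg'];
    }
    if (isset($get['id'])) {
        return 'install:' . $get['id'];
    }
    return 'noop';
}

// Hardened shape: state changes need POST plus a per-session token that a
// cross-site page cannot read. 'csrf_token' and the mode names are assumptions.
function handle_hardened(string $method, array $post, array $session): string {
    if ($method !== 'POST') {
        return 'rejected: state change requires POST';
    }
    $sent = $post['csrf_token'] ?? null;
    $expected = $session['csrf_token'] ?? null;
    if (!is_string($sent) || !is_string($expected) || $expected === ''
        || !hash_equals($expected, $sent)) {
        return 'rejected: missing or wrong CSRF token';
    }
    $mode = $post['mode'] ?? null;
    $pkg = $post['pkg'] ?? null;
    if (!in_array($mode, ['install', 'delete', 'reinstall'], true)
        || !is_string($pkg) || !preg_match('/\A[A-Za-z0-9._+-]{1,64}\z/', $pkg)) {
        return 'rejected: invalid action or package name';
    }
    return $mode . ':' . $pkg;
}

// Constructed inputs for the demonstration.
$session = ['csrf_token' => bin2hex(random_bytes(32))];
echo handle_get_driven(['id' => 'arping']), "\n";
echo handle_hardened('GET', [], $session), "\n";
echo handle_hardened('POST', ['mode' => 'delete', 'pkg' => 'snort'], $session), "\n";
echo handle_hardened('POST', ['mode' => 'delete', 'pkg' => 'snort',
    'csrf_token' => $session['csrf_token']], $session), "\n";
```

Only the last call is accepted; the GET request and the POST without the session token are both rejected before any package action is chosen.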

Actions #1

Updated by Ermal Luçi almost 11 years ago

  • Status changed from New to Feedback
  • Target version set to 2.1.1
  • Affected Version set to All
Actions #2

Updated by Ermal Luçi almost 11 years ago

  • % Done changed from 0 to 100
Actions #3

Updated by Ermal Luçi almost 11 years ago

Actions #4

Updated by Renato Botelho almost 11 years ago

  • Status changed from Feedback to Resolved