Actions
Bug #3460
closedCSRF Protection - Package manager
Start date:
02/17/2014
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
Description
The CSRF protection doesn't work on the package manager as it takes the parameters to install/uninstall/reinstall packages directly from GET parameters in the request uri.
Example: Visiting https://ip/pkg_mgr_install.php?id=arping will automatically install the arping package, without user confirmation required.
Visiting https://ip/pkg_mgr_install.php?mode=delete&pkg=snort will remove the snort package.
Updated by Ermal Luçi almost 11 years ago
- Status changed from New to Feedback
- Target version set to 2.1.1
- Affected Version set to All
Updated by Ermal Luçi almost 11 years ago
- % Done changed from 0 to 100
Applied in changeset 133f8b33472b9bca9e8f788820233cafbd674fcb.
Updated by Ermal Luçi almost 11 years ago
Applied in changeset 69a0c7351bed26b4fb0259ce893442bd99d9d89d.
Updated by Renato Botelho almost 11 years ago
- Status changed from Feedback to Resolved
Actions