
Bug #3460

CSRF Protection - Package manager

Added by Fernando Munoz about 7 years ago. Updated about 7 years ago.

Status: Resolved
Priority: High
Assignee: -
Category: Package System
Target version:
Start date: 02/17/2014
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture:
Description

The CSRF protection doesn't work on the package manager, as it takes the parameters to install/uninstall/reinstall packages directly from GET parameters in the request URI.

Example: Visiting https://ip/pkg_mgr_install.php?id=arping will automatically install the arping package, without user confirmation required.
Visiting https://ip/pkg_mgr_install.php?mode=delete&pkg=snort will remove the snort package.
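
The following is an added illustration, not pfSense code and not part of the bug report. It models the reported behaviour (a GET with id= or mode=delete&pkg= acts immediately, so any page an admin visits can trigger it) next to the shape of the fix the linked revisions describe: GET only renders a confirmation page, and the real operation is only performed on a POST that carries a session-bound, single-use token. The PackageManager class, the handler names, the session dictionary and the __csrf_magic field name are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs


class PackageManager:
    """Constructed stand-in for the package system (not project code)."""

    def __init__(self, installed=("snort",)):
        self.installed = set(installed)

    def install(self, pkg):
        self.installed.add(pkg)

    def delete(self, pkg):
        self.installed.discard(pkg)


def vulnerable_pkg_mgr_install(pm, method, query, form=None, session=None):
    """Reported behaviour: the operation is taken straight from the query
    string, so merely loading the URL performs it. The HTTP method, the POST
    body and the session are never consulted, so a CSRF token in forms does
    nothing here."""
    params = parse_qs(query)
    if "id" in params:
        pm.install(params["id"][0])
        return 200, "installed"
    if params.get("mode") == ["delete"] and "pkg" in params:
        pm.delete(params["pkg"][0])
        return 200, "deleted"
    return 200, "form"


def issue_csrf_token(session):
    """Mint a fresh per-session, single-use token for the confirmation form."""
    token = secrets.token_hex(16)
    session["csrf"] = token
    return token


def hardened_pkg_mgr_install(pm, method, query, form=None, session=None):
    """Shape of the fix: GET only renders a confirmation page and changes no
    state; the operation itself must arrive by POST with a token that only a
    page served to this session could have contained."""
    session = session if session is not None else {}
    params = parse_qs(query)
    if method == "GET":
        if "id" in params:
            tok = issue_csrf_token(session)
            return 200, f"confirm install {params['id'][0]} (token {tok})"
        if params.get("mode") == ["delete"] and "pkg" in params:
            tok = issue_csrf_token(session)
            return 200, f"confirm delete {params['pkg'][0]} (token {tok})"
        return 200, "form"
    if method != "POST":
        return 405, "method not allowed"

    fields = parse_qs(form or "")
    submitted = fields.get("__csrf_magic", [""])[0]  # field name is an assumption
    expected = session.get("csrf", "")
    # Constant-time compare; with no confirm page served there is no token
    # in the session and every POST fails, including a forged auto-submitted form.
    if not expected or not hmac.compare_digest(submitted, expected):
        return 403, "csrf token missing or invalid"
    session.pop("csrf")  # single use: a captured token cannot be replayed
    if fields.get("confirmed") != ["yes"]:
        return 400, "operation not confirmed"
    if fields.get("mode") == ["delete"] and "pkg" in fields:
        pm.delete(fields["pkg"][0])
        return 200, "deleted"
    if "id" in fields:
        pm.install(fields["id"][0])
        return 200, "installed"
    return 400, "no operation requested"
```

Switching the operation from GET to POST is not by itself the protection: an attacker's page can auto-submit a cross-site POST form just as easily as it can load an image URL. What closes the hole is that the POST must carry the token, which the attacker's origin cannot read; the confirmation step is what the user sees, the token check is what the server relies on.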

Associated revisions

Revision 133f8b33 (diff)
Added by Ermal Luçi about 7 years ago

Fixes #3460. Ask for validation when real operation will be done and ask for the operation with POST to get protection from CSRF.

Revision 69a0c735 (diff)
Added by Ermal Luçi about 7 years ago

Fixes #3460. Ask for validation when real operation will be done and ask for the operation with POST to get protection from CSRF.

History

#1 Updated by Ermal Luçi about 7 years ago

  • Status changed from New to Feedback
  • Target version set to 2.1.1
  • Affected Version set to All

#2 Updated by Ermal Luçi about 7 years ago

  • % Done changed from 0 to 100

#3 Updated by Ermal Luçi about 7 years ago

#4 Updated by Renato Botelho about 7 years ago

  • Status changed from Feedback to Resolved
