Bug #3460: CSRF Protection - Package manager - pfSense - pfSense bugtracker

Actions

Copy link

Bug #3460

closed

CSRF Protection - Package manager

Added by Fernando Munoz almost 11 years ago. Updated over 10 years ago.

Status:

Resolved

Priority:

High

Assignee:

Category:

Package System

Target version:

2.1.1

Start date:

02/17/2014

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

Description

The CSRF protection doesn't work on the package manager as it takes the parameters to install/uninstall/reinstall packages directly from GET parameters in the request uri.

Example: Visiting https://ip/pkg_mgr_install.php?id=arping will automatically install the arping package, without user confirmation required.
Visiting https://ip/pkg_mgr_install.php?mode=delete&pkg=snort will remove the snort package.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #3460

CSRF Protection - Package manager

Updated by Ermal Luçi almost 11 years ago

Updated by Ermal Luçi almost 11 years ago

Updated by Ermal Luçi almost 11 years ago

Updated by Renato Botelho over 10 years ago