Bug #7228

easyrule.php: Use of GET allows rule to be added without CSRF protection

Added by Jim Pingle about 4 years ago. Updated about 4 years ago.

Status: Resolved
Priority: High
Assignee:
Category: Rules / NAT
Target version:
Start date: 02/07/2017
Due date:
% Done: 100%
Estimated time:
Affected Version: All
Affected Architecture: All
Release Notes: Default

Description

easyrule.php allows parameters passed by GET without a confirmation step, which makes it possible to add firewall rules via CSRF.

Part of a larger issue (See #4083) but worth considering on its own.

Anyone relying on the use of easyrule.php remotely already has to deal with the login procedure, so it's just one extra step, similar to how backup via curl/wget works.

Associated revisions

Revision 0f026089 (diff)
Added by Jim Pingle about 4 years ago

Convert easyrule.php to use a confirmation landing page so that the parameters can be submitted via POST. Also, remove the JavaScript confirmation box since it is now redundant. Fixes #7228
The confirmation page displays the submitted parameters for an extra user sanity check. Also fixed a bunch of page formatting issues that were not apparent because users rarely if ever saw output from the page.

Revision 4cef56bf (diff)
Added by Jim Pingle about 4 years ago

Convert easyrule.php to use a confirmation landing page so that the parameters can be submitted via POST. Also, remove the JavaScript confirmation box since it is now redundant. Fixes #7228
The confirmation page displays the submitted parameters for an extra user sanity check. Also fixed a bunch of page formatting issues that were not apparent because users rarely if ever saw output from the page.

Revision f0cf40f9 (diff)
Added by Jim Pingle about 4 years ago

Convert easyrule.php to use a confirmation landing page so that the parameters can be submitted via POST. Also, remove the JavaScript confirmation box since it is now redundant. Fixes #7228
The confirmation page displays the submitted parameters for an extra user sanity check. Also fixed a bunch of page formatting issues that were not apparent because users rarely if ever saw output from the page.
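The pattern the description and the revisions above describe, shown as an added example that is not pfSense's easyrule.php or any of the listed commits: a GET never changes state and only renders a confirmation page echoing the parameters, and the rule is added only on a POST carrying a per-session token. Parameter names, the session-token scheme and add_rule() are assumptions.

```php
<?php
// Added illustration, not pfSense's own easyrule.php: a GET only renders a
// confirmation page echoing the requested parameters, and only a POST that
// carries the session's CSRF token performs the action. Parameter names and
// add_rule() are hypothetical placeholders.
session_start();

if (empty($_SESSION['csrf_token'])) {
    // Per-session random token; a page on another origin cannot read it.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
}

function add_rule(string $action, string $iface, string $src): void {
    error_log("rule added: {$action} on {$iface} from {$src}"); // placeholder
}

// Validate the parameters from whichever request array they came in.
function read_params(array $req): ?array {
    $action = $req['action'] ?? '';
    $iface  = $req['int'] ?? '';
    $host   = $req['src'] ?? '';
    if (!in_array($action, ['block', 'pass'], true)) return null;
    if (!preg_match('/^[a-z0-9_]+$/', $iface)) return null;
    if (filter_var($host, FILTER_VALIDATE_IP) === false) return null;
    return ['action' => $action, 'int' => $iface, 'src' => $host];
}

$h = fn(string $s) => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Constant-time compare against the session token; reject on mismatch.
    if (!hash_equals($_SESSION['csrf_token'], $_POST['csrf_token'] ?? '')) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    $p = read_params($_POST);
    if ($p === null) { http_response_code(400); exit('Invalid parameters'); }
    add_rule($p['action'], $p['int'], $p['src']);
    exit('Rule added.');
}

// GET: nothing changes; show the request and ask the user to confirm it.
$p = read_params($_GET);
if ($p === null) { http_response_code(400); exit('Missing or invalid parameters'); }
echo '<form method="post">';
echo "<p>Add a {$h($p['action'])} rule on {$h($p['int'])} from {$h($p['src'])}?</p>";
foreach ($p as $name => $value) {
    echo "<input type=\"hidden\" name=\"{$h($name)}\" value=\"{$h($value)}\">";
}
echo "<input type=\"hidden\" name=\"csrf_token\" value=\"{$h($_SESSION['csrf_token'])}\">";
echo '<button type="submit">Confirm</button></form>';
```

A scripted client that previously fetched the GET URL after logging in now fetches the confirmation page once, reads the token from it, and submits the POST, which is the one extra step the description refers to.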

History

#1 Updated by Jim Pingle about 4 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

#2 Updated by Jim Pingle about 4 years ago

  • Status changed from Feedback to Resolved

Fixed

#3 Updated by Jim Pingle about 4 years ago

  • Target version changed from 2.4.0 to 2.3.3

#4 Updated by Jim Pingle about 4 years ago

  • Private changed from Yes to No
