Bug #7228

closed

easyrule.php: Use of GET allows rule to be added without CSRF protection

Added by Jim Pingle almost 5 years ago. Updated over 4 years ago.

Status: Resolved
Priority: High
Category: Rules / NAT
Start date: 02/07/2017
% Done: 100%
Affected Version: All
Affected Architecture: All

Description

easyrule.php allows parameters passed by GET without a confirmation step, which makes it possible to add firewall rules via CSRF.

Part of a larger issue (See #4083) but worth considering on its own.

Anyone relying on the use of easyrule.php remotely already has to deal with the login procedure, so it's just one extra step, similar to how backup via curl/wget works.
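The two patterns the description contrasts, as an added illustration that is not pfSense's easyrule.php: a handler that acts on a bare GET, beside one that turns GET into a confirmation form and only writes the rule on a POST carrying a per-session token. `add_firewall_rule()` and the parameter names are hypothetical stand-ins.

```php
<?php
// Illustrative before/after for the pattern described in this bug; not pfSense code.
// add_firewall_rule() is a hypothetical stand-in for whatever persists the rule.
session_start();

function add_firewall_rule(string $action, string $iface, string $src): void {
    // hypothetical: write the rule to config and reload the filter
}

// BEFORE: a single GET request performs the change. A logged-in admin who merely
// follows a link someone else built adds a rule without ever confirming it (CSRF).
function easyrule_get_only(): void {
    if (isset($_GET['action'], $_GET['int'], $_GET['src'])) {
        add_firewall_rule($_GET['action'], $_GET['int'], $_GET['src']);
    }
}

// AFTER: GET only renders a confirmation form that carries a per-session token; the
// rule is written on POST, and only when the submitted token matches the session's.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function easyrule_with_confirmation(): void {
    $fields = ['action', 'int', 'src'];
    if ($_SERVER['REQUEST_METHOD'] === 'POST') {
        // A form on another origin cannot read this session's token, so a forged POST fails here.
        if (!hash_equals(csrf_token(), (string)($_POST['csrf_token'] ?? ''))) {
            http_response_code(403);
            exit('CSRF token mismatch');
        }
        foreach ($fields as $f) {
            if (!isset($_POST[$f])) { http_response_code(400); exit("missing $f"); }
        }
        add_firewall_rule($_POST['action'], $_POST['int'], $_POST['src']);
        return;
    }
    // GET: display the proposed rule and require an explicit confirmation click.
    echo '<form method="post">';
    foreach ($fields as $f) {
        $v = htmlspecialchars((string)($_GET[$f] ?? ''), ENT_QUOTES, 'UTF-8');
        echo "<label>$f: $v</label><input type=\"hidden\" name=\"$f\" value=\"$v\">";
    }
    echo '<input type="hidden" name="csrf_token" value="' . csrf_token() . '">';
    echo '<button type="submit">Confirm rule</button></form>';
}
```

Scripted users of the endpoint fetch the GET page once to obtain the token (with their session cookie) and then POST it back, which is the extra step the description refers to.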

Actions #1

Updated by Jim Pingle almost 5 years ago

  • Status changed from Confirmed to Feedback
  • % Done changed from 0 to 100

Actions #2

Updated by Jim Pingle almost 5 years ago

  • Status changed from Feedback to Resolved

Fixed

Actions #3

Updated by Jim Pingle almost 5 years ago

  • Target version changed from 2.4.0 to 2.3.3

Actions #4

Updated by Jim Pingle over 4 years ago

  • Private changed from Yes to No