Project

General

Profile

Actions

Bug #7228

closed

easyrule.php: Use of GET allows rule to be added without CSRF protection

Added by Jim Pingle about 7 years ago. Updated almost 7 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Rules / NAT
Target version:
Start date:
02/07/2017
Due date:
% Done:

100%

Estimated time:
Plus Target Version:
Release Notes:
Affected Version:
All
Affected Architecture:
All

Description

easyrule.php allows parameters passed by GET without a confirmation step, which makes it possible to add firewall rules via CSRF.

Part of a larger issue (See #4083) but worth considering on its own.

Anyone relying on the use of easyrule.php remotely already has to deal with the login procedure so it's just one extra step similar to how backup via curl/wget works.

Actions

Also available in: Atom PDF