Bug #7228: easyrule.php: Use of GET allows rule to be added without CSRF protection - pfSense - pfSense bugtracker

Actions

Copy link

Bug #7228

closed

easyrule.php: Use of GET allows rule to be added without CSRF protection

Added by Jim Pingle almost 8 years ago. Updated over 7 years ago.

Status:

Resolved

Priority:

High

Assignee:

Jim Pingle

Category:

Rules / NAT

Target version:

2.3.3

Start date:

02/07/2017

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

All

Affected Architecture:

All

Description

easyrule.php allows parameters passed by GET without a confirmation step, which makes it possible to add firewall rules via CSRF.

Part of a larger issue (See #4083) but worth considering on its own.

Anyone relying on the use of easyrule.php remotely already has to deal with the login procedure so it's just one extra step similar to how backup via curl/wget works.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #7228

easyrule.php: Use of GET allows rule to be added without CSRF protection

Updated by Jim Pingle almost 8 years ago

Updated by Jim Pingle almost 8 years ago

Updated by Jim Pingle almost 8 years ago

Updated by Jim Pingle over 7 years ago