pfSense bugtracker https://redmine.pfsense.org/ 2018-01-24T21:21:30Z
pfSense - Bug #8296: status_services.php: AJAX requests via GET can control services without CSRF validation
https://redmine.pfsense.org/issues/8296?journal_id=35645 2018-01-24T21:21:30Z Anonymous
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>Feedback</i></li><li><strong>Assignee</strong> changed from <i>Anonymous</i> to <i>Jim Pingle</i></li></ul>
https://redmine.pfsense.org/issues/8296?journal_id=35646 2018-01-24T21:30:07Z Anonymous
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>100</i></li></ul><p>Applied in changeset <a class="changeset" title="Fixed #8296" href="https://redmine.pfsense.org/projects/pfsense/repository/2/revisions/c7027903d4ba68cf33d7d601c9a9d2efd476f79f">c7027903d4ba68cf33d7d601c9a9d2efd476f79f</a>.</p>
https://redmine.pfsense.org/issues/8296?journal_id=35655 2018-01-25T10:31:29Z Jim Pingle
<ul><li><strong>Status</strong> changed from <i>Feedback</i> to <i>Resolved</i></li></ul><p>This looks OK now. It only works via POST and trying to POST without CSRF results in a failure.</p>
https://redmine.pfsense.org/issues/8296?journal_id=36138 2018-03-29T12:46:31Z Jim Pingle
<ul><li><strong>Private</strong> changed from <i>Yes</i> to <i>No</i></li></ul>