Bug #8296: status_services.php: AJAX requests via GET can control services without CSRF validation - pfSense - pfSense bugtracker

Actions

Copy link

Bug #8296

closed

status_services.php: AJAX requests via GET can control services without CSRF validation

Added by Jim Pingle almost 7 years ago. Updated over 6 years ago.

Status:

Resolved

Priority:

Normal

Assignee:

Jim Pingle

Category:

Web Interface

Target version:

2.4.3

Start date:

01/24/2018

Due date:

% Done:

100%

Estimated time:

Plus Target Version:

Release Notes:

Affected Version:

2.4.x

Affected Architecture:

Description

Using a GET request to status_services.php with a sepcially-crafted URL, services can be controlled by visiting a URL without confirmation. For example:

https://x.x.x.x/status_services.php?ajax=true&service=ntpd&mode=stopservice

Only matters against 2.4.3, since the GET/POST conversion work was only on the 2.4.x line.

History
Notes
Property changes
Associated revisions

Actions

Copy link

Also available in: Atom PDF

Project

General

Profile

pfSense

Custom queries

Bug #8296

status_services.php: AJAX requests via GET can control services without CSRF validation

Updated by Anonymous almost 7 years ago

Updated by Anonymous almost 7 years ago

Updated by Jim Pingle almost 7 years ago

Updated by Jim Pingle over 6 years ago