Patch #20203: The test email action should use POST only (CSRF protection) - Redmine

Actions

Copy link

Patch #20203

closed

The test email action should use POST only (CSRF protection)

Added by Holger Just over 9 years ago. Updated over 9 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jean-Philippe Lang

Category:

Security

Target version:

2.6.6

Start date:

Due date:

% Done:

Estimated time:

Description

Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow it to send a large amount of test emails to this user. This is possible with a simple img tag like this:

&lt;img src="http://redmine.org/admin/test_email" /&gt;

The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.

Files

0001-Send-test-email-to-admins-with-POST.patch (2.95 KB) 0001-Send-test-email-to-admins-with-POST.patch

Holger Just, 2015-06-29 16:40