Skip to main content

This site requires you to update your browser. Your browsing experience maybe affected by not having the most up to date version.

SS-2014-008: Lack of CSRF tokens in Forum module

The forum module was lacking CSRF tokens on all non form based actions, such as deletepost and markasspam, which would allow an attacker to execute these actions by getting an authenticated user to visit specifically crafted links.

A patch has been made which will add CSRF tokens to all front-end accessible actions, except for Unsubscribe.
Because unsubscribe is used in emails, it requires a different solution to prevent this kind of attack. For now, the usability lost by introducing CSRF tokens outweighs the potential for misuse by malicious forum users. A permanant solution is currently being investigated, but will not be counted as a security release once it is complete.

Thanks to Vincze Márton for reporting.

Severity:
Moderate (?)
Identifier:
SS-2014-008
Versions Affected:
0.4, 0.5, master
Versions Fixed:
0.4.1, 0.5.1, master
Release Date:
2014-03-17

The forum module was lacking CSRF tokens on all non form based actions, such as deletepost and markasspam, which would allow an attacker to execute these actions by getting an authenticated user to visit specifically crafted links.

A patch has been made which will add CSRF tokens to all front-end accessible actions, except for Unsubscribe.
Because unsubscribe is used in emails, it requires a different solution to prevent this kind of attack. For now, the usability lost by introducing CSRF tokens outweighs the potential for misuse by malicious forum users. A permanant solution is currently being investigated, but will not be counted as a security release once it is complete.

Thanks to Vincze Márton for reporting.