SS-2014-008: Lack of CSRF tokens in Forum module

Severity: Moderate
Identifier: SS-2014-008
Versions Affected: 0.4, 0.5, master
Versions Fixed: 0.4.1, 0.5.1, master
Release Date: 2014-03-17

The forum module was lacking CSRF tokens on all non-form-based actions, such as deletepost and markasspam, which would allow an attacker to execute these actions by getting an authenticated user to visit specially crafted links.

A patch has been made which adds CSRF tokens to all front-end accessible actions, except for Unsubscribe.
Because unsubscribe links are used in emails, they require a different solution to prevent this kind of attack. For now, the usability lost by introducing CSRF tokens outweighs the potential for misuse by malicious forum users. A permanent solution is currently being investigated, but it will not be counted as a security release once it is complete.
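The following is an added, stand-alone example (not the forum module's patch or SilverStripe's own code) showing the mechanism described above: a link-driven action such as deletepost that trusts only the logged-in session, beside the same action gated by a per-session token. The request parameter name SecurityID mirrors SilverStripe's convention; the function names, the session and post arrays, and the sample request data are all constructed for illustration.

```php
<?php
// Added example, not SilverStripe's own code: a minimal anti-CSRF token for
// link-driven (GET) actions such as "deletepost" or "markasspam". The parameter
// name "SecurityID" follows SilverStripe's convention; everything else is a
// hypothetical stand-alone sketch of the mechanism, not the module's patch.

// Returns the session-bound token, creating it on first use.
function csrf_token(array &$session): string {
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Appends the token to a URL so that links rendered by the site carry it.
function add_token_to_url(string $url, array &$session): string {
    $sep = (strpos($url, '?') === false) ? '?' : '&';
    return $url . $sep . 'SecurityID=' . urlencode(csrf_token($session));
}

// Constant-time comparison of the token supplied in the request against the
// session copy. A missing or mismatched token fails closed.
function csrf_check(array $request, array &$session): bool {
    if (!isset($session['csrf_token']) || !isset($request['SecurityID'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], (string) $request['SecurityID']);
}

// VULNERABLE pattern: the action trusts the authenticated session alone, so any
// page the victim visits can trigger it, e.g. via <img src="/forum/deletepost/42">.
function deletepost_vulnerable(array $request, array &$session, array &$posts): bool {
    if (empty($session['member_id'])) {
        return false; // not logged in
    }
    unset($posts[(int) $request['ID']]);
    return true;
}

// FIXED pattern: the same action additionally requires the per-session token,
// which a cross-site page cannot read and therefore cannot place in a link.
function deletepost_fixed(array $request, array &$session, array &$posts): bool {
    if (empty($session['member_id']) || !csrf_check($request, $session)) {
        return false; // a real controller would answer HTTP 400 here
    }
    unset($posts[(int) $request['ID']]);
    return true;
}

// Demonstration with constructed data.
$session = ['member_id' => 7];               // authenticated forum member
$posts   = [42 => 'hello', 43 => 'world'];   // constructed post store

// A crafted link sends the victim's cookie but no token.
$forged = ['ID' => 42];
echo 'vulnerable handler, forged request: ',
    deletepost_vulnerable($forged, $session, $posts) ? "executed\n" : "rejected\n";

$posts = [42 => 'hello', 43 => 'world'];
echo 'fixed handler, forged request:      ',
    deletepost_fixed($forged, $session, $posts) ? "executed\n" : "rejected\n";

// A link rendered by the site itself carries the session's token.
parse_str(parse_url(add_token_to_url('/forum/deletepost/42', $session), PHP_URL_QUERY), $query);
$legit = ['ID' => 42] + $query;
echo 'fixed handler, legitimate request:  ',
    deletepost_fixed($legit, $session, $posts) ? "executed\n" : "rejected\n";
```

The forged request is executed by the vulnerable handler and rejected by the fixed one, while the site-rendered link still works. The same check cannot be applied to the Unsubscribe link the advisory exempts, because a link placed in an email is opened outside any browser session that could hold the token, which is why that action needs a different mechanism.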

Thanks to Vincze Márton for reporting.
