SS-2014-008: Lack of CSRF tokens in Forum module
- Severity: Medium (?)
- Identifier: SS-2014-008
- Versions Affected: 0.4, 0.5, master
- Versions Fixed: 0.4.1, 0.5.1, master
- Release Date: 2014-03-17
The forum module was lacking CSRF tokens on all non-form-based actions, such as deletepost and markasspam, which would allow an attacker to execute these actions by getting an authenticated user to visit specially crafted links.
A patch has been made which adds CSRF tokens to all front-end accessible actions, except for Unsubscribe.
Because unsubscribe is used in emails, it requires a different solution to prevent this kind of attack. For now, the usability lost by introducing CSRF tokens outweighs the potential for misuse by malicious forum users. A permanent solution is currently being investigated, but it will not be counted as a security release once it is complete.
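The following is an added, framework-neutral illustration of the fix described above; it is not code from the Forum module or the SilverStripe framework. It models link-triggered actions of the form /forum/<action>/<id>, requires a per-session token on deletepost and markasspam, and leaves unsubscribe without a token, as the advisory states. The parameter name SecurityID, the URL layout and the in-memory forum state are assumptions made for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Query parameter that carries the token (an assumption for this example).
TOKEN_PARAM = "SecurityID"

# Link-triggered actions that now require a token, per the advisory.
TOKEN_REQUIRED = {"deletepost", "markasspam"}
# Deliberately left without a token, as the advisory says, because the
# link is sent in e-mails where no session token is available.
TOKEN_EXEMPT = {"unsubscribe"}


class Session:
    """One authenticated user's session; the token is random and per-session."""

    def __init__(self):
        self.csrf_token = secrets.token_hex(16)


def add_token_to_url(url: str, session: Session) -> str:
    """Build the link that the site's own templates would emit for this user."""
    sep = "&" if "?" in url else "?"
    return url + sep + urlencode({TOKEN_PARAM: session.csrf_token})


def token_is_valid(url: str, session: Session) -> bool:
    """Compare the token in the query string with the session's token."""
    supplied = parse_qs(urlparse(url).query).get(TOKEN_PARAM, [""])[0]
    # Bytes on both sides so a non-ASCII value cannot raise instead of failing.
    return hmac.compare_digest(supplied.encode(), session.csrf_token.encode())


def handle_forum_link(url: str, session: Session, state: dict) -> tuple:
    """Dispatch a GET link /forum/<action>/<id>; returns (status, message).

    `state` is the constructed forum data the action mutates.
    """
    parts = urlparse(url).path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "forum":
        return 404, "not found"
    action, target = parts[1], parts[2]
    if action in TOKEN_REQUIRED and not token_is_valid(url, session):
        # This is the check the patch adds: a link assembled by a third
        # party cannot carry the victim's token, so nothing is changed.
        return 400, f"{action}: missing or invalid CSRF token"
    if action == "deletepost":
        state["posts"].discard(target)
        return 200, f"post {target} deleted"
    if action == "markasspam":
        state["spam"].add(target)
        return 200, f"post {target} marked as spam"
    if action in TOKEN_EXEMPT:
        state["subscriptions"].discard(target)
        return 200, f"unsubscribed from thread {target}"
    return 404, "not found"


def demo() -> dict:
    """Constructed scenario: one victim session, a token-less link, a proper link."""
    victim = Session()
    state = {"posts": {"42"}, "spam": set(), "subscriptions": {"7"}}
    tokenless = "/forum/deletepost/42"  # what a third-party page can embed
    proper = add_token_to_url("/forum/deletepost/42", victim)
    return {
        "tokenless": handle_forum_link(tokenless, victim, state),
        "post_still_there": "42" in state["posts"],
        "proper": handle_forum_link(proper, victim, state),
        "post_gone": "42" not in state["posts"],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that a token belonging to a different session is rejected just like a missing one, and that the unsubscribe path succeeds without any token, which is exactly the residual exposure the advisory describes.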
Thanks to Vincze Márton for reporting.