URL: <http://savannah.gnu.org/support/?107055>
Summary: XSRF
Project: Savannah Administration
Submitted by: tajh
Submitted on: Fri 09 Oct 2009 08:12:04 GMT
Category: Trackers (bugs, support, tasks...)
Priority: 5 - Normal
Severity: 6 - Security
Status: None
Assigned to: None
Originator Email:
Operating System: None
Open/Closed: Open
Discussion Lock: Any

_______________________________________________________

Details:

There seems to be an XSRF bug in the software, which allows attackers to inject spam flaggings into Savannah when Savannah users visit the attacker's webpage, for example with the following code:

<img src="https://savannah.gnu.org/support/index.php?func=flagspam&item_id=107054&comment_internal_id=0">

Could someone please verify this and place a token into the URL, like it's done on Wikipedia?

_______________________________________________________

Reply to this item at:

<http://savannah.gnu.org/support/?107055>

_______________________________________________
Message sent by/via Savannah
http://savannah.gnu.org/
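The report above describes the classic cross-site request forgery shape: a state-changing action (flag a comment as spam) reachable by plain GET, so an `<img>` on any third-party page makes the victim's browser fire it with the victim's Savannah cookies attached. The following is an added example, not Savannah's own code, written to show that vulnerable pattern next to the fix the reporter asks for. The `Session` and `Tracker` classes, the `hardened_flagspam` / `vulnerable_flagspam` names and the in-memory flag store are all hypothetical stand-ins constructed for the example; only the attack URL mirrors the one in the report.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class Session:
    """Constructed stand-in for a logged-in Savannah session (hypothetical)."""

    def __init__(self, user):
        self.user = user
        # One unguessable token per session; the site embeds it in its own
        # forms and compares it on every state-changing request.
        self.csrf_token = secrets.token_hex(16)


class Tracker:
    """Hypothetical model of the support tracker's spam-flag store."""

    def __init__(self):
        # Set of (user, item_id, comment_internal_id) tuples that were flagged.
        self.flags = set()

    def _flag(self, user, query):
        item_id = int(query["item_id"][0])
        comment_id = int(query.get("comment_internal_id", ["0"])[0])
        self.flags.add((user, item_id, comment_id))

    def vulnerable_flagspam(self, session, method, url):
        """The pattern the report describes: a bare GET with func=flagspam
        mutates state, so any page the victim visits can trigger it with an
        <img> tag because the browser attaches the victim's cookies."""
        query = parse_qs(urlsplit(url).query)
        if query.get("func") != ["flagspam"]:
            return "400 unknown func"
        self._flag(session.user, query)
        return "200 flagged"

    def hardened_flagspam(self, session, method, url, form):
        """Synchronizer-token version: state changes only on POST, and only
        when the submitted token matches the one issued to this session."""
        query = parse_qs(urlsplit(url).query)
        if query.get("func") != ["flagspam"]:
            return "400 unknown func"
        if method != "POST":
            # An <img> or a link can only issue GET; refusing GET for
            # state-changing actions closes the reported vector outright.
            return "405 flagspam requires POST"
        submitted = form.get("csrf_token")
        if not submitted or not hmac.compare_digest(submitted, session.csrf_token):
            # Constant-time compare so a mismatch leaks nothing about the token.
            return "403 missing or invalid CSRF token"
        self._flag(session.user, query)
        return "200 flagged"


# Constructed attack URL with the same shape as the one in the report.
ATTACK_URL = ("https://savannah.gnu.org/support/index.php"
              "?func=flagspam&item_id=107054&comment_internal_id=0")


def demo():
    """Replay the <img> attack against both handlers and report the outcomes."""
    victim = Session("victim")
    results = {}

    t = Tracker()
    results["vulnerable"] = t.vulnerable_flagspam(victim, "GET", ATTACK_URL)
    results["vulnerable_flagged"] = ("victim", 107054, 0) in t.flags

    t = Tracker()
    results["hardened_get"] = t.hardened_flagspam(victim, "GET", ATTACK_URL, {})
    results["hardened_no_token"] = t.hardened_flagspam(victim, "POST", ATTACK_URL, {})
    results["hardened_wrong_token"] = t.hardened_flagspam(
        victim, "POST", ATTACK_URL, {"csrf_token": secrets.token_hex(16)})
    results["hardened_attack_flagged"] = ("victim", 107054, 0) in t.flags
    # A genuine submission from the site's own form carries the session token.
    results["hardened_legit"] = t.hardened_flagspam(
        victim, "POST", ATTACK_URL, {"csrf_token": victim.csrf_token})
    results["hardened_legit_flagged"] = ("victim", 107054, 0) in t.flags
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The example carries the token in the POST body rather than in the query string as the reporter suggests: a token in a URL is exposed through Referer headers, browser history and server logs, while a per-session token in a form field is only ever sent by forms the site itself rendered. Rejecting GET for the action is the cheap first step; the token check is what stops a forged cross-site POST, since an attacker's page can auto-submit a form but cannot read the victim's token.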