Patch #20203

The test email action should use POST only (CSRF protection)

Added by Holger Just over 2 years ago. Updated over 2 years ago.

Status: Closed
Priority: Normal
Assignee: Jean-Philippe Lang
Start date:
Due date:
% Done: 0%

Category:Security
Target version:2.6.6

Description

Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow them to send a large amount of test emails to this user. This is possible with a simple img tag like this:

<img src="http://redmine.org/admin/test_email" />

The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.

0001-Send-test-email-to-admins-with-POST.patch (2.95 KB) Holger Just, 2015-06-29 16:40
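Why moving the route from GET to POST is what makes the existing CSRF protection apply, as an added toy model (not Redmine's or the patch's code): Rails' protect_from_forgery skips the authenticity-token check for GET/HEAD, so a state-changing action routed over GET is reachable by a bare image request, while the same action routed over POST rejects any request that lacks the session's token. ToyApp, its route table and the token handling are simplified stand-ins for the real framework.

```ruby
require 'securerandom'

# Constructed model of the interaction between routing and CSRF checks:
# the token is only verified for non-GET/HEAD requests (as in Rails), so
# the HTTP verb a side-effecting route is registered with decides whether
# the check ever runs.
SAFE_METHODS = %w[GET HEAD].freeze

class ToyApp
  attr_reader :emails_sent

  # route_method: the verb /admin/test_email is registered with (GET before
  # the patch, POST after it).
  def initialize(route_method:)
    @route_method = route_method
    @session_token = SecureRandom.hex(16) # per-session CSRF secret
    @emails_sent = 0
  end

  # Same-origin pages embed this token in their forms; a third-party site
  # cannot read it because of the same-origin policy.
  def authenticity_token
    @session_token
  end

  # Mirrors the framework rule: GET/HEAD are never token-checked.
  def verified_request?(method, params)
    SAFE_METHODS.include?(method) || params['authenticity_token'] == @session_token
  end

  # Dispatch one request that carries the admin's session cookie.
  # Returns an HTTP-style status code.
  def call(method, path, params = {})
    return 404 unless path == '/admin/test_email' && method == @route_method
    return 422 unless verified_request?(method, params)
    @emails_sent += 1 # the side effect the CSRF check is meant to gate
    200
  end
end

# Before the patch: the GET route is triggered by an <img> load from any origin.
def img_request_against_get_route
  app = ToyApp.new(route_method: 'GET')
  [app.call('GET', '/admin/test_email'), app.emails_sent]
end

# After the patch: a cross-site POST without the token is rejected, while a
# same-origin form that carries the token still sends the test email.
def cross_site_vs_legit_against_post_route
  app = ToyApp.new(route_method: 'POST')
  forged = app.call('POST', '/admin/test_email')
  legit  = app.call('POST', '/admin/test_email', 'authenticity_token' => app.authenticity_token)
  [forged, legit, app.emails_sent]
end
```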

Associated revisions

Revision 14389
Added by Jean-Philippe Lang over 2 years ago

The test email action should only be accessible with POST (#20203).

History

#1 Updated by Jean-Philippe Lang over 2 years ago

  • Category set to Security
  • Assignee set to Jean-Philippe Lang
  • Target version set to 2.6.6

#2 Updated by Jean-Philippe Lang over 2 years ago

  • Status changed from New to Resolved

Patch committed with an additional change to the functional test, thanks.

#3 Updated by Jean-Philippe Lang over 2 years ago

  • Subject changed from The test email action /admin/test_email should only be accessible with POST to protect it with the CSRF protection system to The test email action should use POST only (CSRF protection)

#4 Updated by Jean-Philippe Lang over 2 years ago

  • Status changed from Resolved to Closed
