Patch #20203
Closed
The test email action should use POST only (CSRF protection)
% Done: 0%
Description
Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow them to send a large amount of test emails to this user. This is possible with a simple img tag like this:
<img src="http://redmine.org/admin/test_email" />
The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.
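As an added example (not Redmine's or Planio's code, and not the attached patch), a small plain-Ruby model of the behaviour this report relies on: Rails' forgery protection does not check GET/HEAD requests, so a side effect reachable via GET can be triggered by an img tag, while a POST-only route falls under the token check. The Dispatcher, Request and the 405/422 status codes are simplifications assumed here.

```ruby
# Illustration only, not Redmine code: why moving /admin/test_email from GET
# to POST puts it under CSRF protection. Rails' protect_from_forgery treats
# GET/HEAD as idempotent and never checks a token on them; any other verb
# must carry a token matching the session's.
require 'securerandom'

Request = Struct.new(:method, :path, :session_token, :param_token, keyword_init: true)

class Dispatcher
  attr_reader :emails_sent

  # allowed_methods: [:get] models the route before the patch, [:post] after it
  def initialize(allowed_methods)
    @allowed = allowed_methods
    @emails_sent = 0
  end

  # Simplified stand-in for Rails' verified_request?
  def verified?(req)
    return true if %i[get head].include?(req.method)
    !req.param_token.nil? && req.param_token == req.session_token
  end

  def call(req)
    return 404 unless req.path == '/admin/test_email'
    return 405 unless @allowed.include?(req.method)   # route has no match for this verb
    return 422 unless verified?(req)                  # InvalidAuthenticityToken
    @emails_sent += 1                                 # the test email goes out
    200
  end
end

def simulate(allowed_methods)
  app = Dispatcher.new(allowed_methods)
  token = SecureRandom.hex(16)   # constructed session token for the logged-in admin
  path = '/admin/test_email'
  # 1. <img src=".../admin/test_email">: browser sends GET with session cookie, no token
  img = app.call(Request.new(method: :get, path: path, session_token: token))
  # 2. Cross-site POST without the page's token: not verifiable, rejected
  forged_post = app.call(Request.new(method: :post, path: path, session_token: token))
  # 3. Legitimate request from the admin UI, carrying the token rendered into the page
  legit = app.call(Request.new(method: :post, path: path, session_token: token, param_token: token))
  { img: img, forged_post: forged_post, legit: legit, emails_sent: app.emails_sent }
end
```

With `[:get]` the img request alone sends an email; with `[:post]` only the token-bearing request does.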
Updated by Jean-Philippe Lang over 9 years ago
- Category set to Security
- Assignee set to Jean-Philippe Lang
- Target version set to 2.6.6
Updated by Jean-Philippe Lang over 9 years ago
- Status changed from New to Resolved
Patch committed with an additional change to the functional test, thanks.
Updated by Jean-Philippe Lang over 9 years ago
- Subject changed from The test email action /admin/test_email should only be accessible with POST to protect it with the CSRF protection system to The test email action should use POST only (CSRF protection)
Updated by Jean-Philippe Lang over 9 years ago
- Status changed from Resolved to Closed