Patch #20203
The test email action should use POST only (CSRF protection)
| Status: | Closed | Start date: | ||
|---|---|---|---|---|
| Priority: | Normal | Due date: | ||
| Assignee: |  Jean-Philippe Lang | % Done: | 0% | |
| Category: | Security | |||
| Target version: | 2.6.6 |
Description
Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow it to send a large amount of test emails to this user. This is possible with a simple img tag like this:
<img src="http://redmine.org/admin/test_email" />The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.
History
#1
Updated by Jean-Philippe Lang over 6 years ago
- Category set to Security
- Assignee set to Jean-Philippe Lang
- Target version set to 2.6.6
#2
Updated by Jean-Philippe Lang over 6 years ago
- Status changed from New to Resolved
Patch committed with an additional change to the functional test, thanks.
#3
Updated by Jean-Philippe Lang over 6 years ago
- Subject changed from The test email action /admin/test_email should only be accessible with POST to protect it with the CSRF protection system to The test email action should use POST only (CSRF protection)
#4
Updated by Jean-Philippe Lang over 6 years ago
- Status changed from Resolved to Closed