Project

General

Profile

Actions

Patch #20203

closed

The test email action should use POST only (CSRF protection)

Added by Holger Just over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Category:
Security
Target version:
Start date:
Due date:
% Done:

0%

Estimated time:

Description

Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow it to send a large amount of test emails to this user. This is possible with a simple img tag like this:

<img src="http://redmine.org/admin/test_email" />

The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.


Files

Actions #1

Updated by Jean-Philippe Lang over 8 years ago

  • Category set to Security
  • Assignee set to Jean-Philippe Lang
  • Target version set to 2.6.6
Actions #2

Updated by Jean-Philippe Lang over 8 years ago

  • Status changed from New to Resolved

Patch committed with an additional change to the functional test, thanks.

Actions #3

Updated by Jean-Philippe Lang over 8 years ago

  • Subject changed from The test email action /admin/test_email should only be accessible with POST to protect it with the CSRF protection system to The test email action should use POST only (CSRF protection)
Actions #4

Updated by Jean-Philippe Lang over 8 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF