Patch #20203
The test email action should use POST only (CSRF protection)
| Status: | Closed | Start date: | |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | | % Done: | 0% |
| Category: | Security | | |
| Target version: | 2.6.6 | | |
Description
Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator, which would allow them to send a large amount of test emails to this user. This is possible with a simple img tag like this:

```html
<img src="http://redmine.org/admin/test_email" />
```
The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.
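As an added illustration (not the patch itself and not Redmine's code), the following Ruby model of the Rails forgery-protection rule shows why moving the route from GET to POST closes the hole: GET is never token-checked, so the img tag above fires the action with the admin's cookie, whereas a POST must carry the session's authenticity token. `TestEmailApp`, `PATH`, the session hash and the request hashes are constructed for this example.

```ruby
require 'securerandom'

# Added example (not Redmine's code): a minimal model of Rails' protect_from_forgery rule.
# GET/HEAD requests are never token-checked, so a state-changing action reachable by GET
# can be fired by a cross-site <img src=...> riding on the victim's session cookie;
# any other verb must carry an authenticity_token matching the token in the session.
SAFE_METHODS = %w[GET HEAD].freeze
PATH = '/admin/test_email'

class TestEmailApp
  attr_reader :sent
  # allowed_method: the verb the route accepts ('GET' before the patch, 'POST' after).
  def initialize(allowed_method)
    @allowed_method = allowed_method
    @sent = 0
  end
  def new_admin_session
    { admin: true, csrf_token: SecureRandom.hex(16) }
  end
  def verified?(req)
    return true if SAFE_METHODS.include?(req[:method])
    req[:params]['authenticity_token'] == req[:session][:csrf_token]
  end
  def dispatch(req)
    return :not_found unless req[:path] == PATH && req[:method] == @allowed_method
    return :forbidden unless req[:session][:admin]
    return :invalid_authenticity_token unless verified?(req)
    @sent += 1
    :sent
  end
end

# A logged-in admin views a page containing <img src="http://redmine.example/admin/test_email">:
# the browser sends a GET with the admin's session cookie and no token.
def img_tag_request(session)
  { method: 'GET', path: PATH, params: {}, session: session }
end

# The admin's own "Send a test email" click: the route's verb plus a valid token.
def legit_request(verb, session)
  { method: verb, path: PATH, params: { 'authenticity_token' => session[:csrf_token] }, session: session }
end

# Outcome of both requests against a route accepting `verb`, plus how many mails went out.
def demo(verb)
  app = TestEmailApp.new(verb)
  session = app.new_admin_session
  { img: app.dispatch(img_tag_request(session)), legit: app.dispatch(legit_request(verb, session)), sent: app.sent }
end
```

`demo('GET')` reports the forged img request as `:sent`; `demo('POST')` reports it as `:not_found` while the admin's own tokened request still sends.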
History
#1
Updated by Jean-Philippe Lang almost 7 years ago
- Category set to Security
- Assignee set to Jean-Philippe Lang
- Target version set to 2.6.6
#2
Updated by Jean-Philippe Lang almost 7 years ago
- Status changed from New to Resolved
Patch committed with an additional change to the functional test, thanks.
#3
Updated by Jean-Philippe Lang almost 7 years ago
- Subject changed from The test email action /admin/test_email should only be accessible with POST to protect it with the CSRF protection system to The test email action should use POST only (CSRF protection)
#4
Updated by Jean-Philippe Lang almost 7 years ago
- Status changed from Resolved to Closed