Patch #20203: The test email action should use POST only (CSRF protection) - Redmine

Actions

Copy link

Patch #20203

closed

The test email action should use POST only (CSRF protection)

Added by Holger Just about 10 years ago. Updated almost 10 years ago.

Status:

Closed

Priority:

Normal

Assignee:

Jean-Philippe Lang

Category:

Security

Target version:

2.6.6

Start date:

Due date:

% Done:

Estimated time:

Description

Right now, an attacker can craft cross-site requests to a Redmine instance under the active session of an administrator which would allow it to send a large amount of test emails to this user. This is possible with a simple img tag like this:

&lt;img src="http://redmine.org/admin/test_email" /&gt;

The attached patch fixes this vulnerability by changing the enforced HTTP request method from GET to POST. The patch was extracted from Planio. It applies cleanly on today's trunk.

Files

0001-Send-test-email-to-admins-with-POST.patch (2.95 KB) 0001-Send-test-email-to-admins-with-POST.patch

Holger Just, 2015-06-29 16:40

Actions

Copy link

Updated by Jean-Philippe Lang about 10 years ago

Category set to Security
Assignee set to Jean-Philippe Lang
Target version set to 2.6.6

Actions

Copy link

Updated by Jean-Philippe Lang about 10 years ago

Status changed from New to Resolved

Patch committed with an additional change to the functional test, thanks.

Actions

Copy link

Updated by Jean-Philippe Lang about 10 years ago

Subject changed from The test email action /admin/test_email should only be accessible with POST to protect it with the CSRF protection system to The test email action should use POST only (CSRF protection)

Actions

Copy link