This repository has been archived by the owner on Jan 15, 2019. It is now read-only.
[dev.icinga.com #5346] fix vulnerability against CSRF attacks CVE-2013-7107 #1409
This issue has been migrated from Redmine: https://dev.icinga.com/issues/5346
Created by ricardo on 2013-12-16 20:06:13 +00:00
Assignee: ricardo
Status: Resolved (closed on 2013-12-30 16:53:50 +00:00)
Target Version: 1.11
Last Update: 2014-12-08 09:21:45 +00:00 (in Redmine)
This is a follow-up to #5250.
Answer from "cve-assign at mitre.org"
Because one report mentions CSRF, our expectation is that some type of CSRF impact would remain even after the buffer overflows were fixed.
We will fix the problem with these prevention suggestions: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#CSRF_Prevention_without_a_Synchronizer_Token
As Classic-UI is stateless, we will add a check for submitted commands on the HTTP Referer header and/or Origin header if present.
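The header check described above, written out as an added example in C (the Classic UI CGIs are C); this is illustration code, not Icinga's own implementation. It assumes the raw HTTP_ORIGIN / HTTP_REFERER CGI values and a trusted expected host from configuration or the Host header; rejecting a request that carries neither header is this example's own choice, following the OWASP guidance.

```c
#include <ctype.h>
#include <string.h>

/* Copy the host part (no scheme, port, path, query or fragment) of an absolute
 * URL such as "https://icinga.example.com:8080/icinga/cgi-bin/cmd.cgi" into buf.
 * Returns 1 on success, 0 if the value is not an absolute URL or does not fit. */
static int url_host(const char *url, char *buf, size_t buflen) {
    const char *p = strstr(url, "://");
    if (p == NULL) return 0;
    p += 3;
    size_t n = strcspn(p, ":/?#");   /* host ends at port, path, query or fragment */
    if (n == 0 || n >= buflen) return 0;
    memcpy(buf, p, n);
    buf[n] = '\0';
    return 1;
}

/* Case-insensitive comparison of the whole host string, so that
 * "icinga.example.com" matches neither "icinga.example.com.attacker.test"
 * nor "attacker.icinga.example.com"; a prefix match would be a bypass. */
static int host_equal(const char *a, const char *b) {
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

/* Decide whether a submitted command may be processed.
 * origin / referer: raw HTTP_ORIGIN / HTTP_REFERER values (NULL when absent).
 * expected_host:    the host the UI is served from (configuration or Host header).
 * Origin wins when present; Referer is the fallback. A request with neither
 * header is rejected here (example's own choice, per the OWASP cheat sheet). */
int csrf_request_allowed(const char *origin, const char *referer,
                         const char *expected_host) {
    char host[256];
    if (origin != NULL && origin[0] != '\0') {
        /* Browsers send the literal "null" for opaque origins (sandboxed frames,
         * data: URLs); that is never a legitimate UI origin. */
        if (strcmp(origin, "null") == 0) return 0;
        return url_host(origin, host, sizeof host) && host_equal(host, expected_host);
    }
    if (referer != NULL && referer[0] != '\0')
        return url_host(referer, host, sizeof host) && host_equal(host, expected_host);
    return 0;
}
```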
Changesets
2013-12-19 16:56:58 +00:00 by ricardo bdf8b99
2013-12-23 17:13:45 +00:00 by ricardo acb6271
2013-12-23 17:17:26 +00:00 by ricardo 6df4f60
2014-01-03 21:48:24 +00:00 by ricardo 4673556