QloApps is a Free and Open-source hotel management and reservation system to take a hotel business online. QloApps offers a Property Management System (PMS), a Booking Engine, and an attractive Hotel Website. Elevate hotel operations with QloApps to streamline processes and provide an enhanced experience for both hoteliers and guests.
Unpredictable with high entropy, similar to session tokens.
Tied to the user's session
Validated before the relevant action is executed
How should CSRF tokens be transmitted?
Hidden Field of an HTML form that is submitted using a POST method
Custom request header
Tokens submitted in the URL query string are less secure
Tokens generally should not be transmitted within cookies
How should CSRF tokens be validated?
The generated token should be stored server-side within the user's session data
When a request is received, verify that the submitted token matches the value stored in the user's session
Validation should be performed regardless of HTTP method or content type of the request
If a token is not submitted, the request should be rejected
There is a CSRF vulnerability in HotelCommerce 1.5.1. It allows anyone to change the admin email address while the admin is logged in.
Here is some POC code:
Defense/How to prevent it - CSRF Tokens
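The token rules above (unpredictable, session-bound, stored server-side, accepted only from a hidden form field or custom header, and checked on every request) applied to the admin-email change scenario, as an added Python example that is not QloApps/HotelCommerce code; the in-memory session store, session ids, field names and email addresses are constructed for the demonstration:

```python
import hmac
import secrets

TOKEN_BYTES = 32  # 256 bits of entropy, comparable to a session identifier


class CsrfGuard:
    """Per-session CSRF token store; `sessions` maps session id -> session data dict."""

    def __init__(self):
        self.sessions = {}  # constructed in-memory stand-in for server-side session storage

    def issue_token(self, session_id):
        # Generate a fresh unpredictable token and keep it server-side, bound to this session.
        token = secrets.token_hex(TOKEN_BYTES)
        self.sessions.setdefault(session_id, {})["csrf_token"] = token
        return token

    def validate(self, session_id, form=None, headers=None):
        """Return True only if the request carries the token stored for *this* session.

        The token is read from a hidden POST field or a custom request header only;
        query-string and cookie values are deliberately ignored. The check applies to
        every request regardless of method or content type; a missing token rejects.
        """
        form = form or {}
        headers = headers or {}
        submitted = form.get("csrf_token") or headers.get("X-CSRF-Token")
        if not isinstance(submitted, str) or not submitted:
            return False
        expected = self.sessions.get(session_id, {}).get("csrf_token")
        if expected is None:
            return False
        # Constant-time comparison so a mismatch does not leak where the token diverged.
        return hmac.compare_digest(submitted.encode(), expected.encode())


def demo():
    guard = CsrfGuard()
    admin_token = guard.issue_token("admin-session")
    # Legitimate admin changing the email from a form that embeds the hidden token.
    ok = guard.validate("admin-session", form={"email": "new@example.test", "csrf_token": admin_token})
    # Cross-site request: the browser attaches the admin's session cookie, but a page on
    # another origin cannot read the token, so the hidden field is absent.
    forged = guard.validate("admin-session", form={"email": "attacker@example.test"})
    # A token issued to a different session must not be accepted either.
    other = guard.issue_token("other-session")
    wrong_session = guard.validate("admin-session", headers={"X-CSRF-Token": other})
    return ok, forged, wrong_session
```

`demo()` returns `(True, False, False)`: only the request carrying the admin session's own token is accepted.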