YunoHost-Apps / hotspot_ynh

Wifi Hotspot app for YunoHost
GNU Affero General Public License v3.0

CSRF on VPN configuration endpoint #28

Closed randomstuff closed 2 years ago

randomstuff commented 5 years ago

The reconfiguration endpoint of the HotSpot application is vulnerable to CSRF. A malicious website could use the browser of a connected user to reconfigure the HotSpot application.

randomstuff commented 5 years ago

See https://github.com/sofadesign/limonade/issues/54

randomstuff commented 3 years ago

This is probably blocked by recent browsers (which implement SameSite=Lax). This setting is now set by SSOWat.
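
The server-side check a defender would want on a state-changing endpoint like the one reported above, as an added example that is not part of this issue or of hotspot_ynh (written in Python rather than the app's PHP; the site origin, form field name and header dicts are constructed for illustration). It combines an Origin/Referer check with a per-session synchronizer token, so it holds even for clients whose cookies are not sent with SameSite=Lax:

```python
import hmac
import secrets
from typing import Mapping, Optional, Tuple
from urllib.parse import urlsplit


def issue_csrf_token() -> str:
    """Create a per-session token; store it server-side and embed it in forms."""
    return secrets.token_urlsafe(32)


def csrf_check(method: str, headers: Mapping[str, str], form: Mapping[str, str],
               session_token: Optional[str], site_origin: str) -> Tuple[bool, str]:
    """Decide whether a request to a state-changing endpoint may proceed.

    Returns (allowed, reason). Safe methods pass; any other method must come
    from our own origin (Origin header, or Referer as a fallback) and carry a
    form token equal to the session token, compared in constant time.
    Header names are assumed to be in canonical case (constructed input).
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True, "safe method"
    if session_token is None:
        # No session at all, e.g. the session cookie was withheld by SameSite=Lax.
        return False, "no session"

    origin = headers.get("Origin")
    if origin is None and "Referer" in headers:
        parts = urlsplit(headers["Referer"])
        origin = f"{parts.scheme}://{parts.netloc}"
    if origin != site_origin:
        return False, f"cross-site origin {origin!r}"

    submitted = form.get("csrf_token", "")
    if not hmac.compare_digest(submitted, session_token):
        return False, "missing or wrong csrf token"
    return True, "ok"


if __name__ == "__main__":
    site = "https://hotspot.example.org"  # constructed site origin
    token = issue_csrf_token()
    print(csrf_check("POST", {"Origin": site}, {"csrf_token": token, "wifi_ssid": "demo"}, token, site))
    print(csrf_check("POST", {"Origin": "https://evil.example"}, {"wifi_ssid": "pwned"}, token, site))
```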

alexAubin commented 2 years ago

Closing because the app got reworked, probably not relevant anymore