Open arthurdejong opened 11 years ago
The view accepts vote updates as a GET request (actually any kind of request). As such it is trivial to use this to exploit the rating system from any third party site.
Example: site A uses django-ratings to rate some items. On site B add
<img src="http://A/rate-my-post/100/10" width="1" height="1" />
Any user visiting site B will rate the thing on site A.
The effects of this vulnerability depend mostly on can_change_vote and allow_anonymous.
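As an added defensive illustration (not code from django-ratings or from the reporter), here is a framework-free model of the reported view beside a hardened variant that only accepts POST and a session-bound CSRF token; in Django itself the equivalent fix is `require_POST` plus the CSRF middleware. The `SESSIONS` store, the request dict shape and the function names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

# Constructed session store (cookie value -> session data). The browser sends the
# cookie on a cross-site <img> request as well, so the cookie alone proves nothing.
SESSIONS = {"sess-A": {"user": "alice", "csrf_secret": secrets.token_hex(16)}}

def csrf_token_for(session_id):
    """Per-session token derived from a secret only site A's own pages can read."""
    secret = SESSIONS[session_id]["csrf_secret"].encode()
    return hmac.new(secret, b"rate-view", hashlib.sha256).hexdigest()

def vulnerable_rate(request, votes):
    """Models the reported view: any method, no token check, vote recorded."""
    session = SESSIONS.get(request.get("session_id"))
    user = session["user"] if session else "anonymous"  # allow_anonymous behaviour
    votes[(request["object_id"], user)] = request["score"]
    return 200

def hardened_rate(request, votes):
    """Same view with the two checks that stop the cross-site <img> trick."""
    if request["method"] != "POST":
        return 405  # state changes only via POST; an <img> tag can only issue GET
    session = SESSIONS.get(request.get("session_id"))
    if session is None:
        return 403  # no anonymous voting in this variant
    supplied = request.get("csrf_token", "")
    if not hmac.compare_digest(supplied, csrf_token_for(request["session_id"])):
        return 403  # token missing or forged: site B cannot obtain it
    votes[(request["object_id"], session["user"])] = request["score"]
    return 200

def simulate():
    """Replays the report: site B embeds <img src="http://A/rate-my-post/100/10">."""
    img_request = {"method": "GET", "session_id": "sess-A", "object_id": 100, "score": 10}
    legit_request = dict(img_request, method="POST", csrf_token=csrf_token_for("sess-A"))
    before, after = {}, {}  # vote stores for the vulnerable and hardened views
    results = {
        "vulnerable_img": vulnerable_rate(img_request, before),
        "hardened_img": hardened_rate(img_request, after),
        "hardened_legit": hardened_rate(legit_request, after),
    }
    return results, before, after
```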