Open laeti-tia opened 7 years ago
This is certainly not a bad idea, but since the forms are all auth-protected, the risk is minimal here.
I can't see the actual report, but I believe this request requires reviewing ALL portions of the admin interface and updating each form/webservice -- as well as figuring out what sort of anti-XSRF mechanism to use.
Our current forms, i.e. configuration change forms, are not well protected against XSRF attacks. We should use one-time tokens or other functionality to make sure POST requests are originating from real users.
From GN4-SA2T1 report 2.2.21.
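The one-time token approach proposed above, as an added illustration that is not part of the project's code or of this issue: a synchronizer token bound to the server-side session with an HMAC, rendered into the form as a hidden field, and consumed on first use so a replayed or cross-site POST is rejected. The `Session` class, the `csrf_token` field name and the `SERVER_SECRET` handling are assumptions chosen for the example; a real deployment would load the secret from configuration and store the session in the application's existing session store.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Server-side key used to bind tokens to a session. Generated per process here
# for the example; in a real service it would come from protected configuration.
SERVER_SECRET = secrets.token_bytes(32)


@dataclass
class Session:
    """Constructed stand-in for a server-side session (not the project's own)."""
    session_id: str
    # nonces issued to this session that have not yet been consumed
    issued_tokens: set = field(default_factory=set)


def _sign(session_id: str, nonce: str) -> str:
    """HMAC over session id and nonce, so a token only verifies in the session it was issued for."""
    msg = f"{session_id}:{nonce}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session: Session) -> str:
    """Create a fresh one-time token when rendering a configuration form."""
    nonce = secrets.token_urlsafe(16)
    session.issued_tokens.add(nonce)
    return f"{nonce}.{_sign(session.session_id, nonce)}"


def hidden_field(token: str) -> str:
    """Hidden input to embed in the form; the name 'csrf_token' is an assumption."""
    return f'<input type="hidden" name="csrf_token" value="{token}">'


def verify_token(session: Session, method: str, form: dict) -> bool:
    """Accept a state-changing request only if it is a POST carrying an unused, valid token."""
    if method.upper() != "POST":
        # State changes must not be reachable via GET (no token in a URL, no image-tag CSRF).
        return False
    token = form.get("csrf_token")
    if not token or "." not in token:
        return False
    nonce, sig = token.split(".", 1)
    expected = _sign(session.session_id, nonce)
    # Constant-time comparison on bytes, so odd characters in user input cannot raise.
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    if nonce not in session.issued_tokens:
        # Either never issued to this session, or already consumed (replay).
        return False
    session.issued_tokens.discard(nonce)  # one-time: consume on success
    return True


def demo() -> dict:
    """Walk through the legitimate flow and the attacks the token is meant to stop."""
    admin = Session("sess-admin")
    token = issue_token(admin)
    results = {
        "form_html_has_token": token in hidden_field(token),
        # Forged cross-site POST: the attacker's page cannot read the token.
        "forged_post_without_token": verify_token(admin, "POST", {}),
        # Legitimate submission from the rendered form.
        "legit_post": verify_token(admin, "POST", {"csrf_token": token}),
        # Replay of the same token after it has been consumed.
        "replayed_post": verify_token(admin, "POST", {"csrf_token": token}),
    }
    # A token leaked from one session does not work in another.
    other = Session("sess-other")
    second = issue_token(admin)
    results["token_from_other_session"] = verify_token(other, "POST", {"csrf_token": second})
    # The token is useless on a GET, and is not consumed by that failed attempt.
    results["get_with_token"] = verify_token(admin, "GET", {"csrf_token": second})
    results["post_after_failed_get"] = verify_token(admin, "POST", {"csrf_token": second})
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

Binding the HMAC to the session id means a token captured from one admin's form cannot be submitted in another session, and consuming the nonce on success gives the one-time property the issue asks for; keeping `SERVER_SECRET` out of the client means the form's hidden value is the only thing an attacker's page would need, and the same-origin policy keeps them from reading it.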