scragg0x / realms-wiki

Git based wiki inspired by Gollum
http://realms.io
GNU General Public License v2.0
833 stars 91 forks

Security Vulnerability: CSRF in Realms Wiki (from March 2015) #196

Closed dereks closed 6 years ago

dereks commented 7 years ago

I just found this by accident:

http://seclists.org/fulldisclosure/2015/Mar/152

Realms Wiki is vulnerable to Cross-Site Request Forgery on all posts. Especially of concern are New, Edit, and Revert.

Has this security issue been fixed yet?

If not, I'm willing to fix this by implementing a "Cookie-to-Header Token" check for all pages:

https://en.wikipedia.org/wiki/Cross-site_request_forgery#Prevention

Thanks!
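The "Cookie-to-Header Token" check proposed above, written out as a self-contained illustration (this is an added example, not code from realms-wiki or from the commenter). The cookie name, header name, form-field name and the shape of the request objects are assumptions; the check itself is framework-agnostic and would sit in a before-request hook. It also accepts the token from a hidden form field, which is the same double-submit idea for plain HTML forms that have no script to set a header.

```python
"""Cookie-to-header CSRF token check (added illustration, not realms-wiki code).

The server issues a random token in a cookie. Page scripts read that cookie and
copy its value into a request header on every state-changing request. A forged
cross-site request (e.g. an auto-submitting <form> on another origin) carries
the cookie automatically but cannot read it or set a custom header, so the two
values never match and the request is rejected.
"""
import hmac
import secrets
from typing import Optional

# Assumed names; a real deployment may choose others.
COOKIE_NAME = "csrf_token"
HEADER_NAME = "x-csrf-token"      # compared case-insensitively
FORM_FIELD = "csrf_token"         # fallback for plain HTML forms
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


def issue_token() -> str:
    """Fresh unpredictable token; set as a cookie (not HttpOnly, scripts must read it)."""
    return secrets.token_urlsafe(32)


def csrf_ok(method: str, cookies: dict, headers: dict,
            form: Optional[dict] = None) -> bool:
    """Return True when the request may proceed, False when it must be rejected."""
    if method.upper() in SAFE_METHODS:
        return True                    # read-only requests must not change state
    expected = cookies.get(COOKIE_NAME, "")
    if not expected:
        return False                   # no token issued for this session: reject
    lowered = {k.lower(): v for k, v in headers.items()}
    presented = lowered.get(HEADER_NAME) or (form or {}).get(FORM_FIELD) or ""
    if not presented:
        return False                   # cookie present but nothing echoed back
    # Constant-time comparison so a mismatch does not leak the token byte by byte.
    return hmac.compare_digest(expected, presented)


def demo() -> dict:
    """Constructed requests exercising the check; returns {case name: accepted}."""
    token = issue_token()
    cases = {
        "legit view":    ("GET",  {COOKIE_NAME: token}, {}, None),
        "legit edit":    ("POST", {COOKIE_NAME: token}, {"X-CSRF-Token": token}, None),
        "legit form":    ("POST", {COOKIE_NAME: token}, {}, {FORM_FIELD: token}),
        # cross-site form post: browser attaches the cookie, but no header/field
        "forged edit":   ("POST", {COOKIE_NAME: token}, {}, {"content": "defaced"}),
        "guessed token": ("POST", {COOKIE_NAME: token}, {"X-CSRF-Token": "aaaa"}, None),
        "no cookie":     ("POST", {}, {"X-CSRF-Token": token}, None),
    }
    return {name: csrf_ok(*args) for name, args in cases.items()}


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:14s} -> {'accepted' if accepted else 'rejected'}")
```

Two caveats a reviewer of such a PR would raise: the scheme only holds if no other origin can set cookies for the wiki's host (sibling subdomains can plant a cookie, so binding the token to the server-side session is stronger than trusting the cookie value alone), and every route that changes state must be routed through the check, including the New, Edit and Revert handlers named in the advisory.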

scragg0x commented 7 years ago

This is still an issue, a PR is welcome.