ui-icts / redcap-admin-dashboard

Provides a sortable table view of various reports on REDCap metadata
MIT License

CSRF vulnerability #7

Closed utiso closed 1 year ago

utiso commented 3 years ago

At present, Admin Dashboard does not protect itself against Cross-Site Request Forgeries. A Cross-Site Request Forgery (CSRF) vulnerability permits attackers to take advantage of a legitimate user's session to perform unauthorized actions on behalf of that user. Effectively, anything the given user has permissions to do can be done without their knowledge by the attacker. These attacks can be very difficult to trace, as the activity appears to come from the authorized user.

This vulnerability is usually exploited with a specially crafted link that the user is asked to visit but, in conjunction with a persistent XSS vulnerability, it is possible to eliminate the need for a user to take any action. This attack is made possible because Admin Dashboard does not verify the origin and authenticity of requests before processing them. All pages that process requests that update data are vulnerable.

Please make use of REDCap's built in CSRF protection token (_redcap_csrftoken).
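
Added example of the protection the issue asks for (not code from redcap-admin-dashboard or from REDCap): a POST handler that refuses data changes unless the request carries the session's CSRF token. The token helpers are plain-PHP stand-ins for whatever the framework provides; the field name `redcap_csrf_token` is taken from this thread, and in a REDCap External Module the token itself would come from `$this->getCSRFToken()`.

```php
<?php
// Added example (not redcap-admin-dashboard code): a minimal CSRF check for a
// handler that updates data. Token generation/verification are plain-PHP
// stand-ins; in a REDCap External Module the token would come from
// $this->getCSRFToken() and travel with the request as 'redcap_csrf_token'.
declare(strict_types=1);

const CSRF_FIELD = 'redcap_csrf_token';

/** Issue (or reuse) a per-session token; embed it in forms and AJAX POSTs. */
function csrfToken(array &$session): string
{
    if (empty($session[CSRF_FIELD])) {
        $session[CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_FIELD];
}

/** Constant-time comparison of the submitted token with the session token. */
function csrfTokenValid(array $session, array $post): bool
{
    $expected = $session[CSRF_FIELD] ?? '';
    $given = $post[CSRF_FIELD] ?? '';
    return $expected !== '' && is_string($given) && hash_equals($expected, $given);
}

/** Update handler: state changes require POST plus a valid token. */
function handleUpdate(string $method, array $session, array $post): array
{
    if ($method !== 'POST') {
        return ['status' => 405, 'body' => 'Method not allowed'];
    }
    if (!csrfTokenValid($session, $post)) {
        // A cross-site page cannot read the victim's session token, so a
        // forged request fails here before any report/metadata change.
        return ['status' => 403, 'body' => 'Invalid or missing CSRF token'];
    }
    // ... apply the requested change here ...
    return ['status' => 200, 'body' => 'Updated'];
}

/** Hidden form field carrying the token, HTML-escaped when rendered. */
function hiddenTokenField(array &$session): string
{
    $t = htmlspecialchars(csrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="' . $t . '">';
}
```

The same check applies to every page that processes an update, since a token on only some handlers leaves the others exposed.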

biggeeves commented 2 years ago

Is this fixed? I see 'redcap_csrf_token' => $this->getCSRFToken(), in the code Oct 28, 2021

uiowajs commented 1 year ago

Fixed