#2074 - Security fix for CSRF vulnerability

By Chris Graham
Added 12th Nov 2015, 12:58 PM
6 views

Identifier	#2074
Issue type	Minor issue (breaks specific functionality)
Title	Security fix for CSRF vulnerability
Status	Completed
Handling member	Chris Graham
Version	9.0.21
Addon	General / Uncategorised
Description	There is a CSRF vulnerability for Composr. The vulnerability bypasses our referrer checks for checking forms posted to the system. It allows malicious third party websites to trick administrators into submitting coded forms (i.e. coded actions) into the system. The vulnerability only happens in very particular circumstances, which we are not currently disclosing. The vulnerability only can occur when the administrator already has a confirmed active login session open (not just a cookie login), and only when they are tricked into going to the malicious third-party site somehow. It is never-the-less a serious issue if a knowledgable hacker desires to directly trick your staff to perform this attack.
Steps to reproduce
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 12th Nov 2015, 12:58 PM

A hotfix (a TAR of files to upload) have been uploaded to this issue. These files are made to the latest intra-version state (i.e. may roll in earlier fixes too if made to the same files) - so only upload files newer than what you have already. Always take backups of files you are replacing or keep a copy of the manual installer for your version, and only apply fixes you need. These hotfixes are not necessarily reliable or well supported. Not sure how to extract TAR files to your Windows computer? Try 7-zip (http://www.7-zip.org/).

By Guest posted 15th Nov 2015, 11:22 AM

The hotfix has just been updated due to a bug.

By Guest, By Guest, posted 20th Dec 2015, 12:56 PM

Could you create new release with fix to this vulnerability? I could request users of Composr to upgrade to that version.

By Guest posted 22nd Dec 2015, 3:32 PM

Yes, we should / now have.
9.0.22 and 8.1.20 are now released.