Posted by habralex on January 24, 2008 at 11:38am
5 followers
Jump to:
| Project: | Vote Up/Down |
| Version: | 5.x-1.x-dev |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | closed (won't fix) |
Issue Summary
Somebody can post a content with a "img" tag and use "src" like "http://www.domain.com/vote_up_down/node//1/1"/>
So each user who has voting permissions and who will look this content will vote up for the node automatically.
seems it's a urgent security problem.
Comments
#1
Somebody can post a content with a "img" tag and use "src" like "http://www.domain.com/vote_up_down/node/"node id"/1/1"/>
So each user who has voting permissions and who will look this content will vote up for the node ("node id") automatically.
seems it's a urgent security problem.
#2
Does anyone have any ideas how to fix this? Seems like each vote needs to carry a token or some kind of unique hash that is generated and will work only once. I am not a developer so I don't really know how to solve the problem but it does seem like an important one to fix.
#3
Another point of view to the problem: Smb. can add img with src eq to /site/user/logout/
Checking of %ENV['HTTP_REFERRER'] provides the solution.
#4
Additional comment using mention of XSS-blocking specialist:
For logout and captcha forms GET method is devil.
#5
So is this still active?
Maybe the Security-Team ought to look at this for help.
#6
Please take a look to the update on the project page, now
5.xis not-really-maintained.If you think your report is still applicably to the last recommended version(
6.x-2.x) please move the version accordingly and reopen it, but there we use tokens on links, so it's solved there.