Add token to the end of voting URLs

Greg Hines - August 21, 2008 - 00:09

Project:	UpDown
Component:	Code
Category:	bug report
Priority:	critical
Assigned:	Greg Hines
Status:	closed

Jump to:

Most recent comment

This module doesn't check to see whether the user intended to load the URL when a vote is cast, leaving the module open to a CSRF attack, the scope of which is limited to unwittingly casting votes. Adding a token to the end of the URL should suffice.

» Login or register to post comments

#1

greggles - August 21, 2008 - 13:18

subscribe

Login or register to post comments

#2

joshk - August 22, 2008 - 22:43

Status:

active

» closed

handled by dmitrig

Login or register to post comments

Drupal is a registered trademark of Dries Buytaert.