By sahithi on
1. Open http://site/user using either Internet Explorer 7 or Mozilla Firefox.
2. Log in with valid credentials and browse through the authenticated pages inside the module.
3. Create a malicious page with the logout link of the application as shown (the tags were stripped in the original post; this is the same page with its HTML restored):

    <html>
      <body>
        <img src="http://sitename/user/logout" />
      </body>
    </html>
4. Open a new tab and invoke the malicious page. It is observed that the logout link has been submitted to the application server and thus the user gets logged out forcibly.
How do I get rid of it? Please help me.
Comments
Don't understand
Isn't the answer not to create a page like that?
It's not exactly a cross-site request forgery - it's all within your own site.
You could use URL Redirects (as a module, or in .htaccess) to make http://sitename/anything-you-want redirect to the logout page, and that would have the same effect.
What precisely is the problem?
This qualifies as a CSRF
This qualifies as a CSRF issue.
http://drupal.org/node/144538 has the discussion on how / if to fix it in core.
There is no correct solution for this
Please provide a correct solution for this.
There's no ready-made one as
There's no ready-made one as far as I know, but you could use the ideas in the above issue to create it yourself (e.g. a module doing a menu_alter on the logout link to provide a confirm form).
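The menu_alter-plus-confirm-form idea from the comment above, worked out as an added example. This is not code from any poster in this thread, from Drupal core or from the linked issue; it is a minimal Drupal 7 module with the hypothetical machine name `logout_confirm` (it would also need a `logout_confirm.info` file with `core = 7.x`). It takes over the `user/logout` path: a bare GET, such as the one an `<img src>` on another page triggers, now only renders a confirmation form, while the site's own logout link carries a per-session token and still logs out in one click.

```php
<?php
// Added example (not from this thread, Drupal core, or the linked issue).
// Module name "logout_confirm" is hypothetical. Uses only Drupal 7 core APIs:
// hook_menu_alter(), confirm_form(), drupal_get_token()/drupal_valid_token(),
// hook_menu_link_alter() and hook_translated_menu_link_alter().

/**
 * Implements hook_menu_alter().
 *
 * Replace core's user/logout callback (user_logout()) with our own page
 * callback so a plain GET no longer ends the session unconditionally.
 */
function logout_confirm_menu_alter(&$items) {
  $items['user/logout']['page callback'] = 'logout_confirm_page';
  $items['user/logout']['page arguments'] = array();
  $items['user/logout']['access callback'] = 'user_is_logged_in';
}

/**
 * Page callback for user/logout.
 *
 * A request carrying a valid session-bound token logs out immediately;
 * anything else (including a cross-site image request, which cannot know
 * the token) gets the confirmation form instead.
 */
function logout_confirm_page() {
  if (isset($_GET['token']) && drupal_valid_token($_GET['token'], 'logout')) {
    user_logout();  // Destroys the session and calls drupal_goto(); does not return.
  }
  return drupal_get_form('logout_confirm_form');
}

/**
 * Form builder: ask before logging out.
 *
 * confirm_form() submits via POST with Drupal's own form token, so the
 * confirmation itself is also protected against forged requests.
 */
function logout_confirm_form($form, &$form_state) {
  return confirm_form(
    $form,
    t('Are you sure you want to log out?'),
    '<front>',
    NULL,
    t('Log out'),
    t('Cancel')
  );
}

/**
 * Submit handler: the user explicitly confirmed, so end the session.
 */
function logout_confirm_form_submit($form, &$form_state) {
  user_logout();
}

/**
 * Implements hook_menu_link_alter().
 *
 * Mark the stored logout link as alterable at render time so the token
 * (which differs per session) can be attached in the hook below.
 */
function logout_confirm_menu_link_alter(&$item) {
  if ($item['link_path'] == 'user/logout') {
    $item['options']['alter'] = TRUE;
  }
}

/**
 * Implements hook_translated_menu_link_alter().
 *
 * Append ?token=... to the logout link shown in menus, so the legitimate
 * one-click logout keeps working while foreign pages cannot reproduce it.
 */
function logout_confirm_translated_menu_link_alter(&$item, $map) {
  if ($item['href'] == 'user/logout') {
    $item['localized_options']['query']['token'] = drupal_get_token('logout');
  }
}
```

Two things to check when adopting this: the token is derived from the private key and the current session, so any custom theme or block that hard-codes `l(t('Log out'), 'user/logout')` without the query string will fall back to the confirmation form rather than breaking; and a logout link rendered inside a block cached with `DRUPAL_CACHE_GLOBAL` would expose one user's token to others, so keep such blocks at per-user caching or uncached.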
You could try out
You could try out http://drupal.org/sandbox/davereid/1332490
I have been searching it
I have been searching for solutions for CSRF in Drupal, particularly the logout CSRF.
Kindly provide