
Changes for #1049

Description changed by Franz (2015-11-12 06:31:59)

 Earlier today, [url=https://github.com/Sfideremo]Sfideremo[/url] reported that my fork of FluxBB is vulnerable to a CSRF attack. After investigation, we've both concluded that FluxBB, too, is vulnerable to this issue.

-In short, by simply adding this code in a post
-
-[code]
-[img]http://fluxbb.org/forum/moderate.php?fid=1&stick=8282[/img]
-[img]http://fluxbb.org/forum/moderate.php?fid=1&close=8282[/img]
-[/code]
-
-...[url=http://fluxbb.org/forums/viewtopic.php?id=8282]this topic[/url] will become a sticky topic and be closed, no matter which rights the user has. As long as the post exists, authorized users (mods and admins) cannot change the state of the topics that are affected by that post.
+In short, a bit of code added to a post will e.g. close or sticky a topic once a moderator visits the post. As long as the post exists, authorized users (mods and admins) cannot change the state of the topics that are affected by that post.

 It is possible to lock or reopen a topic, or to stick and unstick it. It seems like most - if not all - possible links that perform direct actions are vulnerable, including other things like "Mark as read" and subscriptions. As this is very easy to perform, I consider this a "highest" priority issue.
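As an added illustration of the fix this report calls for (example code, not FluxBB's own and not part of the original issue), the check below accepts a state-changing moderation action only over POST with a per-session token, so a GET URL such as moderate.php?fid=1&stick=8282 embedded in an [img] tag can no longer trigger it. The session key and function names are assumptions.

```php
<?php
// Added example, not FluxBB code: guard moderation actions (stick/close/...)
// against CSRF. A bare GET triggered by an [img] tag is rejected; only a POST
// carrying the session's token is honoured.
declare(strict_types=1);

const CSRF_TOKEN_KEY = 'csrf_token'; // hypothetical session key

// Issue one random token per session (created on first use) and return it.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_TOKEN_KEY])) {
        $session[CSRF_TOKEN_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_TOKEN_KEY];
}

// Hidden field to embed in the moderation form (HTML-escaped).
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// True only for a POST whose token matches the session token.
function moderation_request_allowed(string $method, array $post, array $session): bool
{
    if ($method !== 'POST') {
        return false; // links and images only ever produce GET
    }
    $expected = $session[CSRF_TOKEN_KEY] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || $given === '') {
        return false;
    }
    return hash_equals($expected, $given); // constant-time comparison
}

// Demo with a constructed session and three constructed requests.
$session = [];
$token = csrf_token($session);
foreach ([
    ['GET', []],                          // the [img]-style request
    ['POST', ['csrf_token' => 'guess']],  // forged form without the token
    ['POST', ['csrf_token' => $token]],   // legitimate moderator form
] as [$method, $post]) {
    $ok = moderation_request_allowed($method, $post, $session);
    echo $method, ' ', json_encode($post), ' => ', $ok ? 'allowed' : 'rejected', PHP_EOL;
}
```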