
Changes for #1049

Description changed by Studio384 (2015-09-28 16:10:17)

 Earlier today, [url=https://github.com/Sfideremo]Sfideremo[/url] reported that my fork of FluxBB is vulnerable to a CSRF attack; after investigation, we've both concluded that FluxBB, too, is vulnerable to this issue.
 
 In short, by simply adding this code in a post:
 
 [code]
 [img]http://fluxbb.org/forum/moderate.php?fid=1&stick=8282[/img]
 [img]http://fluxbb.org/forum/moderate.php?fid=1&close=8282[/img]
 [/code]
 
-The code above will make [url=http://fluxbb.org/forums/viewtopic.php?id=8282]this topic[/url] a sticky topic and close it.+...[url=http://fluxbb.org/forums/viewtopic.php?id=8282]this topic[/url] a sticky topic and close it. No matter which rights the user has.
  
-It is possible to lock or reopen a topic, or to stick and unstick a topic. It seems like most - if not all - possible links that perform direct actions are vulnerable. Including other things like "Mark as read" and subscriptions. As this is very easy to perform, I consider this a "highest" priority issue.+It is possible to lock or reopen a topic, or to stick and unstick it. It seems like most - if not all - possible links that perform direct actions are vulnerable. Including other things like "Mark as read" and subscriptions. As this is very easy to perform, I consider this a "highest" priority issue.
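The mechanism behind the report, as an added example that is not FluxBB's own code: the `[img]` tag makes the browser of whoever views the post fetch `moderate.php?fid=1&stick=8282` with that viewer's session cookie attached, so a GET handler that only checks "is this user logged in as a moderator" performs the action. The block below models that handler as described, then a hardened version that accepts state changes only via POST carrying a per-session token (an HMAC over the session id under a server secret) which a fixed URL in a post cannot supply. The session store, topic store, request shape and the `moderate_*`/`img_tag_fetch` names are all constructed for this example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed for this example: a hypothetical server-side key, one moderator
# session and a minimal request/topic model. None of this is FluxBB's code.
SERVER_SECRET = secrets.token_bytes(32)
SESSIONS = {"sid-mod": {"user": "moderator", "is_mod": True}}


@dataclass
class Topic:
    id: int
    sticky: bool = False
    closed: bool = False


@dataclass
class Request:
    method: str
    query: dict
    cookies: dict
    form: dict = field(default_factory=dict)


def _session(req):
    return SESSIONS.get(req.cookies.get("sid"))


def _apply(params, topics):
    """Perform the stick/close action named in params on the target topic."""
    for action in ("stick", "close"):
        if action in params:
            topic = topics[int(params[action])]
            if action == "stick":
                topic.sticky = True
            else:
                topic.closed = True


def moderate_vulnerable(req, topics):
    """As reported: a plain GET from a moderator's browser performs the action.
    The browser attaches the session cookie to the [img] fetch automatically,
    so an authentication check alone does not distinguish it from a real click."""
    sess = _session(req)
    if not sess or not sess["is_mod"]:
        return 403
    _apply(req.query, topics)
    return 200


def csrf_token(sid):
    """Per-session token: HMAC over the session id under SERVER_SECRET. The
    attacker's post can only emit a fixed URL and cannot read or compute it."""
    return hmac.new(SERVER_SECRET, sid.encode(), hashlib.sha256).hexdigest()


def moderate_hardened(req, topics):
    """State changes require POST plus a token bound to the caller's session."""
    sess = _session(req)
    if not sess or not sess["is_mod"]:
        return 403
    if req.method != "POST":
        return 405
    expected = csrf_token(req.cookies["sid"])
    if not hmac.compare_digest(req.form.get("csrf_token", ""), expected):
        return 403
    _apply(req.form, topics)
    return 200


def img_tag_fetch(action, topic_id):
    """The request a moderator's browser issues when it renders
    [img]http://.../moderate.php?fid=1&<action>=<id>[/img] in an attacker's post."""
    return Request("GET", {"fid": "1", action: str(topic_id)}, {"sid": "sid-mod"})


def moderator_form_submit(action, topic_id):
    """A legitimate submission from the forum's own moderation form."""
    form = {action: str(topic_id), "csrf_token": csrf_token("sid-mod")}
    return Request("POST", {}, {"sid": "sid-mod"}, form)


def demo():
    """Run the forged [img] fetch against both handlers, then a real form POST."""
    before = {8282: Topic(8282)}
    after = {8282: Topic(8282)}
    results = {
        "vulnerable_img": moderate_vulnerable(img_tag_fetch("stick", 8282), before),
        "hardened_img": moderate_hardened(img_tag_fetch("stick", 8282), after),
        "hardened_form": moderate_hardened(moderator_form_submit("close", 8282), after),
        "before_sticky": before[8282].sticky,
    }
    results["after_sticky"] = after[8282].sticky
    results["after_closed"] = after[8282].closed
    return results


if __name__ == "__main__":
    print(demo())
```

Requiring POST on its own is not enough, since a page on another site can auto-submit a form with the victim's cookies; the session-bound token is what the attacker's post cannot produce, and the POST requirement mainly stops the `[img]` trick, where the browser can only issue a GET.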