CSRF vulnerability?
4 Posts
2 Users
0 Reactions
1,946 Views
(@weichieh)
Active Member
Joined: 8 years ago
Posts: 7
Topic starter
  [#4574]

Hi there, I received a report that there is a login CSRF issue and will need anti-CSRF token. Is this something to be fixed in the plugin?

URL: https://xxx/wp-admin/admin-ajax.php
CSRF Page:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://xxx/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="wpdVoteOnComment" />
<input type="hidden" name="commentId" value="281" />
<input type="hidden" name="voteType" value="1" />
<input type="hidden" name="postId" value="10002" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Elvina
(@elvina)
Support
Joined: 7 years ago
Posts: 1403
Hi @weichieh,

Could you please let us know a little more about the issue?

And how exactly are you running into this error?
(@weichieh)
Active Member
Joined: 8 years ago
Posts: 7
Topic starter
It's not an error. Someone submitted a vulnerability report to my site which is using wpdiscuz and says that it is vulnerable to a CSRF attack.

It is recommended that an anti-CSRF token is used in the web forms - "Generate a token saved in the user's session for each web form, and include the token within a hidden form variable for each request. When the user returns the form response back to the server, compare the value of the hidden variable to the token value stored within the user's session. This prevents a malicious webpage from submitting requests to the currently authenticated webpage because the token will not match the value within the session variable."
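The recommendation quoted above, applied to the admin-ajax action from the first post, as an added example that is not wpDiscuz's own code: WordPress's nonce API is the built-in equivalent of the session-bound token, with wp_nonce_field() emitting the hidden field and check_ajax_referer() rejecting any POST whose token does not match the logged-in user's session. The handler name example_vote_on_comment, the nonce action wpd_vote_nonce and the field name wpd_nonce are assumptions; only the action name wpdVoteOnComment and the parameter names come from the thread.

```php
<?php
// Added example, not wpDiscuz code. The hook name comes from the PoC in the thread
// (action=wpdVoteOnComment); the function and nonce names are assumed for illustration.

// 1. Server side: register the admin-ajax handler for logged-in users only
//    (deliberately no wp_ajax_nopriv_ hook, so anonymous requests never reach it).
add_action( 'wp_ajax_wpdVoteOnComment', 'example_vote_on_comment' );

function example_vote_on_comment() {
    // Verify the anti-CSRF token before touching any state. check_ajax_referer() reads
    // $_REQUEST['wpd_nonce'], checks it with wp_verify_nonce() against the current user's
    // session token and the action string, and ends the request with -1 (HTTP 403 on
    // AJAX requests) if the check fails. A page on another origin cannot read this
    // nonce, so a forged cross-site POST like the one in the report stops here.
    check_ajax_referer( 'wpd_vote_nonce', 'wpd_nonce' );

    // Validate the parameters the PoC form sends before using them.
    $comment_id = isset( $_POST['commentId'] ) ? absint( $_POST['commentId'] ) : 0;
    $post_id    = isset( $_POST['postId'] ) ? absint( $_POST['postId'] ) : 0;
    $vote_type  = isset( $_POST['voteType'] ) ? (int) $_POST['voteType'] : 0;
    if ( ! $comment_id || ! $post_id || ! in_array( $vote_type, array( 1, -1 ), true ) ) {
        wp_send_json_error( 'invalid vote parameters', 400 );
    }

    // ... record the vote for get_current_user_id() on $comment_id here ...
    wp_send_json_success( array( 'commentId' => $comment_id, 'voteType' => $vote_type ) );
}

// 2. Page side: render the vote form with the nonce in a hidden field, so the
//    legitimate page can submit the request but a cross-site page cannot forge it.
function example_vote_form( $comment_id, $post_id ) {
    ?>
    <form action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>" method="post">
        <?php wp_nonce_field( 'wpd_vote_nonce', 'wpd_nonce' ); ?>
        <input type="hidden" name="action" value="wpdVoteOnComment">
        <input type="hidden" name="commentId" value="<?php echo esc_attr( $comment_id ); ?>">
        <input type="hidden" name="postId" value="<?php echo esc_attr( $post_id ); ?>">
        <button type="submit" name="voteType" value="1">Upvote</button>
        <button type="submit" name="voteType" value="-1">Downvote</button>
    </form>
    <?php
}
```

WordPress nonces are derived from the user's session token, the action string and a 12-hour tick rather than stored server-side, so they expire after at most 24 hours; this matches the intent of the quoted advice without keeping a token in the session.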
Elvina
(@elvina)
Support
Joined: 7 years ago
Posts: 1403
@weichieh,

I have just asked our developers, and they said that this is not something important.
It may just add a number of votes.
You can simply ignore it.