CSRF vulnerability?
 
(@weichieh)
Active Member
Joined: 7 years ago
Posts: 7
Topic starter  

Hi there, I received a report that there is a login CSRF issue and that an anti-CSRF token will be needed. Is this something to be fixed in the plugin?

URL: https://xxx/wp-admin/admin-ajax.php
CSRF Page:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://xxx/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="wpdVoteOnComment" />
<input type="hidden" name="commentId" value="281" />
<input type="hidden" name="voteType" value="1" />
<input type="hidden" name="postId" value="10002" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>

 


   
Elvina
(@elvina)
Support
Joined: 5 years ago
Posts: 1403
 

Hi @weichieh,

Could you please let us know a little more about the issue?

And how exactly are you running into this error?


   
(@weichieh)
Active Member
Joined: 7 years ago
Posts: 7
Topic starter  

It's not an error. Someone submitted a vulnerability report to my site, which is using wpDiscuz, and says that it is vulnerable to a CSRF attack.

It is recommended that an anti-CSRF token is used in the web forms - "Generate a token saved in the user's session for each web form, and include the token within a hidden form variable for each request. When the user returns the form response back to the server, compare the value of the hidden variable to the token value stored within the user's session. This prevents a malicious webpage from submitting requests to the currently authenticated webpage because the token will not match the value within the session variable."


   
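The token check quoted in the post above, written with WordPress's nonce API for an admin-ajax.php handler. This is an added example, not code from the thread or from wpDiscuz; the action name, script handle, meta key and accepted vote values are assumptions made for illustration.

```php
<?php
/**
 * Plugin Name: Example nonce-protected vote handler (illustration only)
 */

// Hypothetical names: not wpDiscuz's own action, handler, script or meta key.
const EXAMPLE_VOTE_ACTION = 'example_vote_on_comment';

// 1. Issue the token to the page that renders the vote buttons, so the
//    site's own JavaScript can send it back with each vote request.
add_action( 'wp_enqueue_scripts', function () {
    wp_register_script( 'example-vote', plugins_url( 'vote.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'example-vote', 'exampleVote', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( EXAMPLE_VOTE_ACTION ),
    ) );
    wp_enqueue_script( 'example-vote' );
} );

// 2. Verify the token before any state changes.
function example_handle_vote() {
    // Reads $_REQUEST['nonce']; with $die = false it returns false instead of exiting,
    // so the handler can answer with an explicit 403.
    if ( ! check_ajax_referer( EXAMPLE_VOTE_ACTION, 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing token' ), 403 );
    }

    // Validate the same fields the form in the report submits.
    $comment_id = isset( $_POST['commentId'] ) ? absint( $_POST['commentId'] ) : 0;
    $vote_type  = isset( $_POST['voteType'] ) ? (int) $_POST['voteType'] : 0;
    // Assumption: 1 is an upvote (as in the report) and -1 a downvote.
    if ( ! $comment_id || ! in_array( $vote_type, array( 1, -1 ), true ) || ! get_comment( $comment_id ) ) {
        wp_send_json_error( array( 'message' => 'Bad request' ), 400 );
    }

    // Stand-in for the real vote logic: a counter kept in comment meta.
    $votes = (int) get_comment_meta( $comment_id, 'example_votes', true ) + $vote_type;
    update_comment_meta( $comment_id, 'example_votes', $votes );
    wp_send_json_success( array( 'votes' => $votes ) );
}

// Registered for logged-in users only. Nonces created for logged-out visitors
// are not bound to a user session by default, so guest voting would need an
// additional control (for example rate limiting) on top of the nonce.
add_action( 'wp_ajax_' . EXAMPLE_VOTE_ACTION, 'example_handle_vote' );
```

With this check in place, a cross-site form that posts only `action`, `commentId`, `voteType` and `postId` receives a 403, because the submitting page cannot read the nonce issued to the visitor's session.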
Elvina
(@elvina)
Support
Joined: 5 years ago
Posts: 1403
 

@weichieh,

I have just asked our developers, and they said that this is not something important.
It may just add a number of votes.
You can simply ignore it.

 


   