Notifications
Clear all
Topic starter
04/10/2019 7:34 pm
Hi there, I received a report that there is a login CSRF issue and will need anti-CSRF token. Is this something to be fixed in the plugin?
URL: https://xxx/wp-admin/admin-ajax.php
CSRF Page:
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="https://xxx/wp-admin/admin-ajax.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="action" value="wpdVoteOnComment" />
<input type="hidden" name="commentId" value="281" />
<input type="hidden" name="voteType" value="1" />
<input type="hidden" name="postId" value="10002" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Β
05/10/2019 1:18 pm
Hi @weichieh,
Could you please let us know a little more about the issue?
And how exactly are you running into this error?
Topic starter
05/10/2019 1:24 pm
It's not an error. Someone submitted a vulnerability report to my site which is using wpdiscuz and says that it is vulnerable to a CSRF attack.
It is recommended that an anti-CSRF token is used in the web forms - "Generate a token saved in the user's session for each web form, and include the token within a hidden form variable for each request. When the user returns the form response back to the server, compare the value of the hidden variable to the token value stored within the user's session. This prevents a malicious webpage from submitting requests to the currently authenticated webpage because the token will not match the value within the session variable."
05/10/2019 4:21 pm
I have just asked our developers, and they said, that this is not something important.
It may just add a number of votes.
You can simply ignore it.
Β