XWiki Platform
XWIKI-20135

No CSRF protection on REST API


Details

    • Integration
    • Unknown

    Description

The XWiki REST API relies on the session cookie to authenticate, and it currently does not perform any kind of check to prevent a CSRF attack.
So it is possible to create a POST request from another website that might change the data.

For example, I might create a fake poll that, when submitted by an XWiki.org admin, will grant me admin rights by performing a POST request.

            People

              MichaelHamann Michael Hamann
              surli Simon Urli
Votes: 0
Watchers: 2
