Details
- Bug
- Resolution: Fixed
- Blocker
- 1.8
- Integration
- Unknown
Description
The XWiki REST API relies on the session cookie to authenticate, and it currently does not perform any kind of check to prevent a CSRF attack.
So it is possible to create a POST request from another website that might change the data.
For example, I might create a fake poll that when submitted by an XWiki.org admin will grant me admin rights by performing a POST request.
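The standard mitigation for what the description reports is the synchronizer-token pattern (which is what the linked "FormTokenInjection" work refers to): a state-changing request that is authenticated only by the session cookie must also carry a secret that a page on another origin cannot read, with an Origin/Referer check as defence in depth. The following is an added, framework-free illustration of that check, not XWiki's own code; the cookie name `JSESSIONID`, the header `X-Form-Token`, the form field `form_token` and the session store shape are assumptions for the example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# HTTP methods that can change server state and therefore need CSRF protection.
STATE_CHANGING_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

# Assumed names for this example: the session cookie, the header and the form
# field in which the client may echo the token back.
SESSION_COOKIE = "JSESSIONID"
TOKEN_HEADER = "X-Form-Token"
TOKEN_FIELD = "form_token"


def issue_form_token(session):
    """Create, once per session, the secret the browser must echo back.

    The token is delivered inside the application's own pages, so a page
    served from another origin can never read it.
    """
    if "form_token" not in session:
        session["form_token"] = secrets.token_urlsafe(32)
    return session["form_token"]


def origin_of(url):
    """Reduce a URL to scheme://host[:port]; None when absent or unparsable."""
    if not url:
        return None
    parts = urlsplit(url)
    if not parts.scheme or not parts.netloc:
        return None
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_check(method, headers, cookies, form, session_store, trusted_origins):
    """Decide whether a request may proceed. Returns (allowed, reason).

    headers, cookies and form are plain dicts (header names assumed to be
    already normalised); session_store maps a session id to a session dict.
    """
    if method.upper() not in STATE_CHANGING_METHODS:
        return True, "safe method"

    session_id = cookies.get(SESSION_COOKIE)
    if session_id is None:
        # Not cookie-authenticated: there is no ambient credential for a
        # cross-site page to ride on, so the request cannot be a CSRF.
        return True, "no session cookie"

    session = session_store.get(session_id)
    if session is None:
        return False, "unknown session"

    # Defence in depth: browsers attach Origin (or at least Referer) to
    # cross-site form posts, so a foreign origin can be rejected outright.
    origin = origin_of(headers.get("Origin")) or origin_of(headers.get("Referer"))
    if origin is not None and origin not in trusted_origins:
        return False, "cross-origin request"

    # Synchronizer token: the value must match the one stored in the session.
    supplied = headers.get(TOKEN_HEADER) or form.get(TOKEN_FIELD)
    expected = session.get("form_token")
    if not supplied or not expected or not hmac.compare_digest(
        supplied.encode(), expected.encode()
    ):
        return False, "missing or invalid form token"

    return True, "form token verified"


def demo():
    """Constructed sample: one logged-in session, a legitimate call and a forged one."""
    store = {"abc123": {"user": "Admin"}}
    token = issue_form_token(store["abc123"])
    trusted = {"https://wiki.example.org"}
    cookies = {SESSION_COOKIE: "abc123"}

    # Same-origin client that carries the token in a header.
    legit = csrf_check(
        "POST", {"Origin": "https://wiki.example.org", TOKEN_HEADER: token},
        cookies, {}, store, trusted,
    )
    # A form auto-submitted from another site: the cookie rides along, but the
    # page could neither read the token nor spoof the Origin header.
    forged = csrf_check(
        "POST", {"Origin": "https://evil.example"},
        cookies, {"member": "eve"}, store, trusted,
    )
    return legit, forged


if __name__ == "__main__":
    print(demo())
```

The Origin check alone is not sufficient, because some clients and proxies strip both Origin and Referer; the token check is what actually closes the hole, and the origin check only fails fast when a browser does identify the cross-site source.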
Attachments
Issue Links
- causes: XWIKI-20876 FormTokenInjectionIT.simpleRESTPost is flickering (Closed)
- is caused by: XWIKI-3303 Allow application/www-form-urlencoded representation to be sent to REST resources (Closed)
- links to