
DataDump is Vulnerable to CSRF Attacks
Closed, ResolvedPublic

Description

DataDump is vulnerable to CSRF attacks as it does not add and check for tokens. This means that requests to generate or delete dumps can easily be forged.
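The following is an added example, not DataDump's own code: a hypothetical MediaWiki special page with a dump-delete action, first in the unprotected shape the report describes and then with the usual MediaWiki fix (POST only, plus the per-session edit token). The class name, the 'managedumps' right and the deleteDump() helper are assumptions; SpecialPage, Html, WebRequest and User are MediaWiki core classes.

```php
<?php
// Added example, not DataDump's own code. SpecialDumpExample, the
// 'managedumps' right and deleteDump() are hypothetical; SpecialPage,
// Html, WebRequest and User are MediaWiki core classes.
class SpecialDumpExample extends SpecialPage {
	public function __construct() {
		parent::__construct( 'DumpExample', 'managedumps' ); // hypothetical right
	}

	public function execute( $par ) {
		$this->setHeaders();
		$this->checkPermissions();
		$request = $this->getRequest();
		if ( $request->getVal( 'action' ) === 'delete' ) {
			$this->handleDeleteHardened( $request->getText( 'dump' ) );
		}
	}

	// VULNERABLE shape: any request naming a dump deletes it. Nothing ties the
	// request to a form this wiki served to this user, so a request triggered
	// from another site rides on the victim's session cookie.
	private function handleDeleteVulnerable( $fileName ) {
		$this->deleteDump( $fileName );
	}

	// HARDENED shape: require POST plus a valid per-session edit token. A
	// cross-site request cannot read the victim's token, so it fails here.
	private function handleDeleteHardened( $fileName ) {
		$request = $this->getRequest();
		$user = $this->getUser();
		if ( !$request->wasPosted() || !$user->matchEditToken( $request->getVal( 'wpEditToken' ) ) ) {
			$this->showConfirmForm( $fileName ); // missing or stale token: act on nothing
			return;
		}
		$this->deleteDump( $fileName );
	}

	// The legitimate form carries the token in the hidden wpEditToken field,
	// which is exactly what matchEditToken() compares against.
	private function showConfirmForm( $fileName ) {
		$this->getOutput()->addHTML(
			Html::openElement( 'form', [ 'method' => 'post',
				'action' => $this->getPageTitle()->getLocalURL() ] ) .
			Html::hidden( 'action', 'delete' ) .
			Html::hidden( 'dump', $fileName ) .
			Html::hidden( 'wpEditToken', $this->getUser()->getEditToken() ) .
			Html::submitButton( 'Delete dump' ) .
			Html::closeElement( 'form' )
		);
	}

	private function deleteDump( $fileName ) {
		// hypothetical: remove the named dump file from the wiki's dump storage
	}
}
```

Building the form with MediaWiki's HTMLForm instead of hand-written HTML adds and checks wpEditToken automatically, which is the usual way to avoid forgetting the check in the first place.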

Event Timeline

Is anyone able to make an advisory and give me access so I can patch this?

In T7593#152526, @R4356th wrote:

Is anyone able to make an advisory and give me access so I can patch this?

https://github.com/miraheze/DataDump/security/advisories/GHSA-29mh-4vhv-x8mr

Please fill out the details too

Code pushed to fork but the indentation is messed up and I am on phone. Would appreciate help regarding that.

Adjusted indentation, will review shortly to verify.

Bump. It is very disappointing when security issues take so long to get fixed...

Fixed Graylog so I could debug this on test3, need to migrate a few changes back to the advisory repo, but it should be good.

Void changed the visibility from "Custom Policy" to "Public (No Login Required)". Jul 8 2021, 01:48
Void changed the edit policy from "Custom Policy" to "All Users".

Security advisory has been published, and CVE-2021-32774 was issued.