Strict Standards: Non-static method Flyspray::absoluteURI() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 29 Strict Standards: Non-static method Flyspray::get_tmp_dir() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 78 Warning: session_start(): open(/data/web/tmp/sessions/sess_vbt4fu80od1q0htufjknhicve4, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_iobt4o44vnj0grhf1agtp620p3, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_t4gig0l7pfgtc26l4nkbcej7g3, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_905qe5r52ku8d07ce5td9rbko3, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_r5ooa588247cmme0ast38adm25, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_tm0p6uo2ntfma9pggo1mden653, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_kvu4jpvgkoljeevqa3jr49nka7, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_1pcok2sleqhh30otcn5bgbpb85, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_i3i3lt4mdc7a41cm9bv0qnpiu1, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732 Warning: session_start(): open(/data/web/tmp/sessions/sess_tobljtbokvkciqetmermu435j1, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 750 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 39 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 40 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 42 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 677 Strict Standards: Non-static method Req::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 20 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26 Strict Standards: Non-static method Cookie::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 33 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 41 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 82 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 83 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 84 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 87 Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 88 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 100 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Flyspray::requestDuplicated() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 109 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 148 Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 15 Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26 Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32 Strict Standards: Non-static method Flyspray::GetTaskDetails() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 17 Strict Standards: Non-static method Flyspray::GetAssignees() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 358 Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100 Strict Standards: Non-static method Post::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34 Strict Standards: Non-static method TextFormatter::render() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 128 FS#60 : Anwiki should protect against Cross-Site Request Forgery

Anwiki CMS

Anwiki CMS : the first wiki/CMS dedicated to multilingual contents
Tasklist

FS#60 - Anwiki should protect against Cross-Site Request Forgery

Attached to Project: Anwiki CMS
Opened by Strict Standards: array_map() expects parameter 1 to be a valid callback, non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 281 Wladimir Palant (trev) - Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613 Monday, 22 February 2010, 09:35 GMT
Task Type Security issue
Category Core
Status Unconfirmed
Assigned To No-one
Operating System All
Severity High
Priority Normal
Reported Version Anwiki 0.2.1
Due in Version Undecided
Due Date Undecided
Percent Complete 0%
Votes 0
Private No

Details

From the look of it, there is no protection against CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) in Anwiki. This allows the following attack scenario: an attacker (who knows where my Anwiki instance is located) posts a link to his site in my forum disguising it as a legitimate question. When I click it the attacker's page sends off an invisible form to my Anwiki instance. This request is sent with my cookies so that Anwiki accepts it and executes the requested action (like removing all contents or giving a particular user additional privileges).

Most trivial protection against CSRF: send out user's session ID as a parameter with all POST forms. This could be done by adding a boolean postForm parameter to linkMe method - if true the session ID will be added automatically. All callers generating POST forms need to be adjusted of course. When POST parameters are evaluated (for example in AnwEnv:_POST) it should be checked whether the session ID parameter is identical to the session ID in the cookie - if they are not the POST parameters should be ignored. This will do assuming that all modifying actions use POST forms (which I think they do).
This task depends upon

Loading...

Warning: Unknown: open(/data/web/tmp/sessions/sess_tobljtbokvkciqetmermu435j1, O_RDWR) failed: Disk quota exceeded (122) in Unknown on line 0 Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (0;660;/data/web/tmp/sessions) in Unknown on line 0