
Strict Standards: Non-static method Flyspray::absoluteURI() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 29

Strict Standards: Non-static method Flyspray::get_tmp_dir() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/constants.inc.php on line 78

Warning: session_start(): open(/data/web/tmp/sessions/sess_phaoi8q7ftkdf9rquorh2qukt1, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_820egib2bohlj8fk02doed26o1, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_k0on6sptodto310i5mp2b2app1, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_s7f8a2381c35nmceupnv79o205, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_2nkj8560kgaasom8clbe6rsn62, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_ucla1tajgohcsq6ndt0kach0o4, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_ar0bko654fqjjmi23910a3hko0, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_3o8q32qesop2cvhm93tp6qfvp5, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_ib7thnmss2vdi0uegos0c08221, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 732

Warning: session_start(): open(/data/web/tmp/sessions/sess_1sagvm8tnnro69f7mun8hgi215, O_RDWR) failed: Disk quota exceeded (122) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 750

Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29

Strict Standards: Non-static method Flyspray::base_version() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 29

Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 39

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26

Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 40

Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26

Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32

Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/header.php on line 42

Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26

Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32

Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 677

Strict Standards: Non-static method Req::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 20

Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26

Strict Standards: Non-static method Filters::enum() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 37

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 26

Strict Standards: Non-static method Cookie::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 33

Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 41

Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100

Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 82

Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 83

Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 84

Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 87

Warning: Cannot modify header information - headers already sent by (output started at /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php:26) in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 88

Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 100

Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100

Strict Standards: Non-static method Flyspray::requestDuplicated() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 109

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/index.php on line 148

Strict Standards: Non-static method Req::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 15

Strict Standards: Non-static method Req::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32

Strict Standards: Non-static method Req::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 26

Strict Standards: Non-static method Filters::num() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 32

Strict Standards: Non-static method Flyspray::GetTaskDetails() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 17

Strict Standards: Non-static method Flyspray::GetAssignees() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.flyspray.php on line 358

Strict Standards: Non-static method Get::val() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34

Strict Standards: Non-static method Get::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.gpc.php on line 100

Strict Standards: Non-static method Post::has() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 34

Strict Standards: Non-static method TextFormatter::render() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/scripts/details.php on line 128
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" lang="en-AU" xml:lang="en-AU">
  <head>
    <title>FS#60 : Anwiki should protect against Cross-Site Request Forgery</title>

    <meta name="description" content="Flyspray, a Bug Tracking System written in PHP." />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <meta http-equiv="Content-Script-Type" content="text/javascript" />
    <meta http-equiv="Content-Style-Type" content="text/css" />

    <link rel="icon" type="image/png" href="http://bugs.anwiki.com/themes/Bluey/favicon.ico" />
    <link rel="index" id="indexlink" type="text/html" href="http://bugs.anwiki.com/" />
        <link rel="section" type="text/html" href="http://bugs.anwiki.com/?project=1" />
        <link rel="section" type="text/html" href="http://bugs.anwiki.com/?project=2" />
        <link media="screen" href="http://bugs.anwiki.com/themes/Bluey/theme.css" rel="stylesheet" type="text/css" />
    <link media="print"  href="http://bugs.anwiki.com/themes/Bluey/theme_print.css" rel="stylesheet" type="text/css" />
    <link rel="alternate" type="application/rss+xml" title="Flyspray RSS 1.0 Feed"
          href="http://bugs.anwiki.com/feed.php?feed_type=rss1&amp;project=1" />
    <link rel="alternate" type="application/rss+xml" title="Flyspray RSS 2.0 Feed"
          href="http://bugs.anwiki.com/feed.php?feed_type=rss2&amp;project=1" />
	<link rel="alternate" type="application/atom+xml" title="Flyspray Atom 0.3 Feed"
	      href="http://bugs.anwiki.com/feed.php?feed_type=atom&amp;project=1" />

    <script type="text/javascript" src="http://bugs.anwiki.com/javascript/prototype/prototype.js"></script>
    <script type="text/javascript" src="http://bugs.anwiki.com/javascript/script.aculo.us/scriptaculous.js"></script>
            <script type="text/javascript" src="http://bugs.anwiki.com/javascript/details.js"></script>
            <script type="text/javascript" src="http://bugs.anwiki.com/javascript/tabs.js"></script>
    <script type="text/javascript" src="http://bugs.anwiki.com/javascript/functions.js"></script>
    <script type="text/javascript" src="http://bugs.anwiki.com/javascript/jscalendar/calendar_stripped.js"></script>
    <script type="text/javascript" src="http://bugs.anwiki.com/javascript/jscalendar/calendar-setup_stripped.js"> </script>
    <script type="text/javascript" src="http://bugs.anwiki.com/javascript/jscalendar/lang/calendar-en.js"></script>
    <!--[if IE]>
    <link media="screen" href="http://bugs.anwiki.com/themes/Bluey/ie.css" rel="stylesheet" type="text/css" />
    <![endif]-->
      </head>
  <body onload="perms = new Perms('permissions');">

  <div id="container">
    <!-- Remove this to remove the logo -->
    <h1 id="title"><a href="http://bugs.anwiki.com/">Anwiki CMS</a></h1>

    <div id="menu">

<form id="login" action="http://bugs.anwiki.com/index.php?do=authenticate" method="post">
<div>
  <label for="lbl_user_name">Username</label>
  <input class="text" type="text" id="lbl_user_name" name="user_name" size="17" maxlength="30" />

  <label for="lbl_password">Password</label>
  <input class="password" type="password" id="lbl_password" name="password" size="17" maxlength="30" />

  <label for="lbl_remember">Remember me</label>
  <input type="checkbox" id="lbl_remember" name="remember_login" />
  
  <input type="hidden" name="return_to" value="/index.php?do=details&amp;task_id=60&amp;project=1&amp;order=priority&amp;sort=desc" />

  <button accesskey="l" type="submit">Login!</button>

  <span id="links">
            <a id="forgotlink" href="http://bugs.anwiki.com/index.php?do=lostpw">Lost password?</a>
      </span>
</div>
</form>
</div>

<div id="pm-menu">

<div id="projectselector">
    <form id="projectselectorform" action="http://bugs.anwiki.com/index.php" method="get">
       <div>
        <select name="project" onChange="document.getElementById('projectselectorform').submit()">
          <option value="0">All Projects</option><option value="1" selected="selected">Anwiki CMS</option><option value="2">Anwiki website</option>        </select>
        <button type="submit">Switch</button>
        <input type="hidden" name="do" value="details" />
        <input type="hidden" value="1" name="switch" />
              </div>
    </form>
</div>

<ul id="pm-menu-list">
    <li class="first">
      <a id="toplevellink" href="http://bugs.anwiki.com/index.php?do=toplevel&amp;project=1">Overview</a>
    </li>

    <li>
    <a id="homelink"
        href="http://bugs.anwiki.com/index.php?project=1&amp;do=index">Tasklist</a>
    </li>

    
    
        <li>
    <a id="roadmaplink"
        href="http://bugs.anwiki.com/index.php?do=roadmap&amp;project=1">Roadmap</a>
    </li>
    
    
    </ul>
</div>

    
    <div id="content">
      <div id="showtask">
        <form action="http://bugs.anwiki.com/index.php" method="get">
          <div>
            <button type="submit">Show Task #</button>
            <input id="taskid" name="show_task" class="text" type="text" size="10" accesskey="t" />
          </div>
        </form>
      </div>

      <div class="clear"></div>
            <div id="intromessage">Anwiki CMS : the first wiki/CMS dedicated to multilingual contents</div>
      <div id="taskdetails">
<span id="navigation">       <a href="http://bugs.anwiki.com/index.php?project=1&amp;do=index&amp;order=priority&amp;sort=desc">Tasklist</a>
    </span>

  <h2 class="summary severity4">
	 FS#60 - Anwiki should protect against Cross-Site Request Forgery  </h2>

  <div id="fineprint">
	 Attached to Project:
	 <a href="/index.php?project=1">Anwiki CMS</a>
	 <br />
	 Opened by 
Strict Standards: array_map() expects parameter 1 to be a valid callback, non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 281
<a href="http://bugs.anwiki.com/index.php?do=user&amp;area=users&amp;id=40">Wladimir Palant (trev)</a>     	 - 
Strict Standards: Non-static method Filters::noXSS() should not be called statically in /data/web/a5/4e/8e/bugs.anwiki.com/htdocs/includes/class.tpl.php on line 613
Monday, 22 February 2010, 09:35 GMT 	   </div>

  <table><tr><td id="taskfieldscell">
  <div id="taskfields">
	 <table>
		<tr>
		  <th id="tasktype">Task Type</th>
		  <td headers="tasktype">Security issue</td>
		</tr>
		<tr>
		  <th id="category">Category</th>
		  <td headers="category">
			 			 Core		  </td>
		</tr>
		<tr>
		  <th id="status">Status</th>
		  <td headers="status">
			 			 Unconfirmed               			 		  </td>
		</tr>
		<tr>
		  <th id="assignedto">Assigned To</th>
		  <td headers="assignedto">
			 			 No-one			 		  </td>
		</tr>
		<tr>
		  <th id="os">Operating System</th>
		  <td headers="os">All</td>
		</tr>
		<tr>
		  <th id="severity">Severity</th>
		  <td headers="severity">High</td>
		</tr>
		<tr>
		  <th id="priority">Priority</th>
		  <td headers="priority">Normal</td>
		</tr>
		<tr>
		  <th id="reportedver">Reported Version</th>
		  <td headers="reportedver">Anwiki 0.2.1</td>
		</tr>
		<tr>
		  <th id="dueversion">Due in Version</th>
		  <td headers="dueversion">
			 			 Undecided			 		  </td>
		</tr>
		<tr>
		  <th id="duedate">Due Date</th>
		  <td headers="duedate">
			 Undecided		  </td>
		</tr>
		<tr>
		  <th id="percent">Percent Complete</th>
		  <td headers="percent">
			 <img src="http://bugs.anwiki.com/themes/Bluey/percent-0.png"
				title="0% complete"
				alt="0%" />
		  </td>
		</tr>
        <tr class="votes">
		  <th id="votes">Votes</th>
		  <td headers="votes">
                    0
                              </td>
        </tr>
        <tr>
		  <th id="private">Private</th>
		  <td headers="private">
                        No            
                      </td>
        </tr>
        	 </table>
  </div>

  </td><td>

  <div id="taskdetailsfull">
	 <h3 class="taskdesc">Details</h3>
     <div id="taskdetailstext">From the look of it, there is no protection against CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) in Anwiki. This allows the following attack scenario: an attacker (who knows where my Anwiki instance is located) posts a link to his site in my forum disguising it as a legitimate question. When I click it the attacker&#039;s page sends off an invisible form to my Anwiki instance. This request is sent with my cookies so that Anwiki accepts it and executes the requested action (like removing all contents or giving a particular user additional privileges).<br />
<br />
Most trivial protection against CSRF: send out user&#039;s session ID as a parameter with all POST forms. This could be done by adding a boolean postForm parameter to linkMe method - if true the session ID will be added automatically. All callers generating POST forms need to be adjusted of course. When POST parameters are evaluated (for example in AnwEnv:_POST) it should be checked whether the session ID parameter is identical to the session ID in the cookie - if they are not the POST parameters should be ignored. This will do assuming that all modifying actions use POST forms (which I think they do).</div>

       
  </div>

  </td></tr></table>

  <div id="taskinfo">
	 <div id="taskdeps">
		<b>This task depends upon</b>
		<br />
		
		<br class="DoNotPrint" />

		
			 </div>

	 <div id="taskblocks">
        			 </div>
  </div>

  
  <div id="actionbuttons">
	 
	 
	 
	 
	 
	 	   </div>
</div>
<ul id="submenu">
    <li id="commentstab">
  <a href="#comments">Comments (0)</a>
  </li>
  
  <li id="relatedtab">
  <a href="#related">Related Tasks (0/0)</a>
  </li>

  
  </ul>
<div id="comments" class="tab">
  
  </div>
<div id="related" class="tab">
  <table>    <tr><td>
    <form method="post" action="http://bugs.anwiki.com/index.php?do=details&amp;task_id=60#related" >
        <table id="tasks_related" class="userlist">
        <tr>
          <th>
            <a href="javascript:ToggleSelected('tasks_related')">
              <img title="Toggle Selected" alt="Toggle Selected" src="http://bugs.anwiki.com/themes/Bluey/kaboodleloop.png" width="16" height="16" />
            </a>
          </th>
          <th>Tasks related to this task (0)</th>
        </tr>
                <tr>
          <td colspan="2">
            <input type="hidden" name="action" value="remove_related" />
            <input type="hidden" name="task_id" value="60" />
            <button type="submit">Remove</button>
          </td>
        </tr>
        </table>
    </form>
    </td><td>
    
    <table id="duplicate_tasks" class="userlist">
        <tr>
          <th>Duplicate tasks of this task (0)</th>
        </tr>
            </table>
    </td></tr>
  </table>

  </div>
<div id="history" class="tab">
  <h3>Loading...</h3>
</div>
    </div>
    <p id="footer">
       <!-- Please don't remove this line - it helps promote Flyspray -->
       <a href="http://flyspray.org/" class="offsite">Powered by Flyspray</a>
    </p>
  </div>
  </body>
</html>

Warning: Unknown: open(/data/web/tmp/sessions/sess_1sagvm8tnnro69f7mun8hgi215, O_RDWR) failed: Disk quota exceeded (122) in Unknown on line 0

Warning: Unknown: Failed to write session data (files). Please verify that the current setting of session.save_path is correct (0;660;/data/web/tmp/sessions) in Unknown on line 0