Topic: CSRF for markread, markforumread, etc.?

Perhaps these actions should get CSRF tokens, as with logout and some of the moderator tools? Currently someone could trick other users into performing such actions by embedding them in [img] tags, for instance. It's not exactly a security vulnerability, but it would certainly be a nuisance, and there are unfortunately a great deal of people who go out of their way to be nuisances on forums.

Re: CSRF for markread, markforumread, etc.?

Mmm, fair enough.

Re: CSRF for markread, markforumread, etc.?

Done. I added it to the two you mentioned and to the delete avatar link. Any other places you can think of?

Re: CSRF for markread, markforumread, etc.?

I just added it to the subscribe/unsubscribe links as well :)

5 (edited by Adam Atlas 2008-03-17 23:59)

Re: CSRF for markread, markforumread, etc.?

Cool, thanks.

I think admin/reindex.php might also be vulnerable to this. An attacker could try to direct an admin to admin/reindex.php?i_per_page=1&i_start_at=1&i_empty_index=1 -- this would empty the search_matches and search_words tables, and wouldn't repopulate them with more than one post (assuming the attacker uses an [img] or somesuch, in which case the browser obviously wouldn't follow the window.location=... thing). But maybe I'm missing something about how reindex.php works (I hope I am :P).

Re: CSRF for markread, markforumread, etc.?

No, you're probably right. I'll check it out and add it if necessary.

Re: CSRF for markread, markforumread, etc.?

Added
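
The fix discussed in this thread, sketched as an added example that is not part of the original posts and not the forum software's own code: each state-changing link carries a token derived from a per-session secret and bound to the script and action, and the handler verifies it before doing anything. The script name misc.php, the csrf_token parameter and all function names are assumptions made for illustration.

```php
<?php
// Hypothetical helpers; none of these names come from the forum software.

// Per-session secret, generated once and kept server-side only.
function csrf_secret(array &$session): string
{
    if (empty($session['csrf_secret'])) {
        $session['csrf_secret'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_secret'];
}

// Token is bound to script + action, so a token copied from a markread
// link is useless against admin/reindex.php.
function csrf_token(array &$session, string $script, string $action): string
{
    return hash_hmac('sha256', $script . ':' . $action, csrf_secret($session));
}

// Build a link with the token appended to the query string.
function action_url(array &$session, string $script, array $params): string
{
    $params['csrf_token'] = csrf_token($session, $script, $params['action'] ?? '');
    return $script . '?' . http_build_query($params);
}

// Call at the top of every state-changing handler; refuse the request on false.
function csrf_check(array &$session, string $script, array $query): bool
{
    $sent = $query['csrf_token'] ?? '';
    $expected = csrf_token($session, $script, $query['action'] ?? '');
    return is_string($sent) && hash_equals($expected, $sent);
}

// Constructed demo: an in-memory array stands in for $_SESSION.
$session = [];
$url = action_url($session, 'misc.php', ['action' => 'markread']);
parse_str(parse_url($url, PHP_URL_QUERY), $query);
var_dump(csrf_check($session, 'misc.php', $query));                    // link generated by the forum

// Request triggered by an embedded [img]: the embedding page cannot know the token.
var_dump(csrf_check($session, 'misc.php', ['action' => 'markread']));

// The reindex URL from the thread, with a markread token replayed against it.
$replayed = ['i_per_page' => '1', 'i_start_at' => '1', 'i_empty_index' => '1',
             'csrf_token' => $query['csrf_token']];
var_dump(csrf_check($session, 'admin/reindex.php', $replayed));
```

Tokens placed in GET URLs can leak through the Referer header and browser history, so destructive actions such as the reindex are better sent as POST with the token in a hidden form field.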