CSRF tokens are not getting validated
Hello, sorry to bother you again. The security team has raised the following concern; please guide me in fixing the same:

===============
In Koha version 24.05, CSRF tokens are not getting validated during insert or update operations (e.g., creating a new patron). Even when the CSRF token is removed or invalid, Koha still processes the request and creates the new patron.

Koha Version: 24.05

Steps to Reproduce:
1. Navigate to the patron creation form in Koha.
2. Remove the CSRF token from the input and meta tags.
3. Submit the form to create a new patron.
4. The new patron is created successfully, despite the missing or invalid CSRF token.

Koha v24.05 does not validate CSRF tokens correctly, potentially exposing the system to CSRF attacks.
=================

Regards,
Vikram
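The check whose absence the report above describes, written out as an added Python example (this is not Koha's code, which is Perl; the request shape, the field and header names, the session id and the server secret are all constructed for the demo): a state-changing request is rejected with 403 when its token is missing or does not match the one bound to the caller's session, while safe methods pass through untouched.

```python
"""
Minimal synchronizer-token CSRF check (example code, not Koha's implementation).

A token is derived per session as HMAC-SHA256(server_secret, session_id), so a
token taken from another session, or a forged one, does not validate, and no
server-side token store is needed. Handlers run only after the check passes.
"""
import hashlib
import hmac
from dataclasses import dataclass, field

# Server-side secret; in a real deployment this comes from configuration, never from code.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"

# Methods that may change state and therefore require a token.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


@dataclass
class Request:
    """Constructed stand-in for a web request; session_id comes from the auth cookie."""
    method: str
    session_id: str
    form: dict = field(default_factory=dict)
    headers: dict = field(default_factory=dict)


def generate_csrf_token(session_id: str) -> str:
    """Per-session token: HMAC-SHA256 of the session id under the server secret."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def extract_token(req: Request):
    """Accept the token from a form field or a header (constructed names: csrf_token, X-CSRF-Token)."""
    return req.form.get("csrf_token") or req.headers.get("X-CSRF-Token")


def csrf_check(req: Request) -> tuple:
    """Return (allowed, reason). Safe methods pass; state-changing ones need a valid token."""
    if req.method.upper() not in STATE_CHANGING:
        return True, "safe method"
    supplied = extract_token(req)
    if not supplied:
        return False, "missing CSRF token"
    expected = generate_csrf_token(req.session_id)
    # compare_digest avoids leaking the expected token through timing differences
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return False, "invalid CSRF token"
    return True, "token valid"


def create_patron(req: Request, store: list) -> int:
    """Handler guarded by the check; returns an HTTP-like status code."""
    ok, _reason = csrf_check(req)
    if not ok:
        return 403  # reject before touching the patron store
    store.append(req.form.get("surname", ""))
    return 201


if __name__ == "__main__":
    patrons = []
    sid = "constructed-session-abc123"
    good = Request("POST", sid, {"surname": "Doe", "csrf_token": generate_csrf_token(sid)})
    no_token = Request("POST", sid, {"surname": "Doe"})
    other_session = Request("POST", sid, {"surname": "Doe", "csrf_token": generate_csrf_token("other")})
    print(create_patron(good, patrons), create_patron(no_token, patrons), create_patron(other_session, patrons))
    print(patrons)  # only the request with a valid token created a patron
```

The behaviour the report expects is the second and third outcome: a missing or mismatched token yields 403 and nothing is written. Putting the check in front of every state-changing route (as middleware) rather than inside individual handlers is what keeps a single forgotten handler from reintroducing the gap.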
Are you using Plack?

On Tue., 28 Jan. 2025 at 13:33, <koha@ourlib.in> wrote:

> Hello, sorry to bother you again. The security team has raised the following concern; please guide me in fixing the same:
>
> ===============
> In Koha version 24.05, CSRF tokens are not getting validated during insert or update operations (e.g., creating a new patron). Even when the CSRF token is removed or invalid, Koha still processes the request and creates the new patron.
>
> Koha Version: 24.05
>
> Steps to Reproduce:
> 1. Navigate to the patron creation form in Koha.
> 2. Remove the CSRF token from the input and meta tags.
> 3. Submit the form to create a new patron.
> 4. The new patron is created successfully, despite the missing or invalid CSRF token.
>
> Koha v24.05 does not validate CSRF tokens correctly, potentially exposing the system to CSRF attacks.
> =================
>
> Regards,
> Vikram
_______________________________________________
Koha mailing list  http://koha-community.org
Koha@lists.katipo.co.nz
Unsubscribe: https://lists.katipo.co.nz/mailman/listinfo/koha
Participants (2): Jonathan Druart, koha@ourlib.in