Opened 7 years ago

Closed 7 years ago

#1484587 closed Bugs (invalid)

CSRF is possible

Reported by: jm-security Owned by:
Priority: 5 Milestone:
Component: Security Version: 0.1-rc1
Severity: normal Keywords:
Cc:

Description

I just made a quick test and I've seen that your RoundCube is sensitive to CSRF attacks.
A really harmless example:

When the client opens the mail using RoundCube, he'll be disconnected.
I really think that you can delete a user's mail.

Change History (1)

comment:1 Changed 7 years ago by thomasb

  • Resolution set to invalid
  • Status changed from new to closed

No, you can't. All requests that change data are required to be sent using POST.
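
An added example, not part of the ticket and not Roundcube's code: a request gate that applies the rule stated in the comment above (actions that change data are accepted only via POST) and treats logout, the reporter's case, as one of those actions. The action names, the `_token` parameter and the per-session token check are assumptions of this sketch; the token goes beyond the rule in the comment and ties each state-changing request to a form the application itself served.

```python
import hashlib
import hmac
import secrets

# Hypothetical action names, not Roundcube's real identifiers.
STATE_CHANGING = {"logout", "delete", "move", "send"}

# Per-deployment secret; generated here only so the example is self-contained.
SERVER_KEY = secrets.token_bytes(32)


def issue_token(session_id):
    """Return the token bound to one session, to embed in the app's own forms."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def authorize(method, action, session_id, params):
    """Return (allowed, reason) for a request that wants to run `action`."""
    if action not in STATE_CHANGING:
        return True, "read-only"
    if method.upper() != "POST":
        return False, "state-changing action requires POST"
    supplied = params.get("_token", "")
    expected = issue_token(session_id)
    # Compare as bytes so a non-ASCII value is rejected instead of raising.
    if not isinstance(supplied, str) or not hmac.compare_digest(
        supplied.encode(), expected.encode()
    ):
        return False, "missing or invalid request token"
    return True, "ok"


def demo():
    """Run the gate over constructed sample requests."""
    sid = "sess-constructed-1"
    requests = [
        ("GET", "list", sid, {}),     # read-only view
        ("GET", "logout", sid, {}),   # logout attempted without POST
        ("POST", "logout", sid, {}),  # POST, but no token
        ("POST", "logout", sid, {"_token": issue_token("other-session")}),
        ("POST", "logout", sid, {"_token": issue_token(sid)}),
    ]
    return [authorize(*r) for r in requests]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```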
