Opened 6 years ago
Closed 6 years ago
#1484587 closed Bugs (invalid)
CSRF is possible
| Reported by: | jm-security | Owned by: | |
|---|---|---|---|
| Priority: | 5 | Milestone: | |
| Component: | Security | Version: | 0.1-rc1 |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
I just made a quick test and I've seen that RoundCube is sensitive to CSRF attacks.
A really harmless example:
- Send a mail with an HTML link: http://webmail_address/?_task=logout
When the client opens the mail in RoundCube, he'll be disconnected.
I really think that you can delete a user's mail.
Change History (1)
comment:1 Changed 6 years ago by thomasb
- Resolution set to invalid
- Status changed from new to closed
No, you can't. All requests that change data are required to be sent using POST.
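The distinction made in the reply, as an added example that is not Roundcube's code: a small dispatcher that serves read-only tasks on any method, refuses state-changing tasks (the `_task=logout` link from the report among them) unless they arrive by POST, and additionally requires a per-session token, which is the usual defence against a cross-site form that can POST. The task names, session layout and `_token` field are assumptions for the example.

```python
import hmac
import secrets

# Tasks that change server-side state (constructed list for this example).
STATE_CHANGING = {"logout", "delete", "move", "send"}


def new_session(user="alice"):
    """Create a session dict carrying a random per-session CSRF token."""
    return {"user": user, "csrf_token": secrets.token_hex(16)}


def dispatch(method, task, session, form=None):
    """Return (status, message) for one request.

    Read-only tasks are served on any method. State-changing tasks must be
    POSTed and must carry a token equal to the one stored in the session.
    """
    form = form or {}
    if task not in STATE_CHANGING:
        return 200, f"served {task}"
    if method != "POST":
        # A link or <img> in a mail can only trigger a GET, so a URL such as
        # ?_task=logout never reaches the action below.
        return 405, "state-changing task requires POST"
    token = form.get("_token", "")
    # Constant-time comparison; encode so non-ASCII input cannot raise.
    if not hmac.compare_digest(token.encode(), session["csrf_token"].encode()):
        # A cross-site auto-submitting form can POST, but it cannot read the
        # victim's session token, so it is rejected here.
        return 403, "missing or invalid CSRF token"
    return 200, f"performed {task}"


if __name__ == "__main__":
    s = new_session()
    print(dispatch("GET", "logout", s))
    print(dispatch("POST", "logout", s, {"_token": s["csrf_token"]}))
```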