Uploaded image for project: 'Sling'
  1. Sling
  2. SLING-9043

COPY/MOVE should be in the referer filter's default list of protected HTTP methods

    XMLWordPrintableJSON

    Details

      Description

      The COPY/MOVE method , by default, are not in the list of methods covered by the CSRF Referer filter. This might allow an attacker to copy files (abusing the privileges of a logged in victim) using CSRF.

      Note : With proper CORS configuration (such as the default) this issue is mitigated, CSRF is not a problem for COPY/MOVE unless the attacked site has been configured to be wide open for CORS access.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                rombert Robert Munteanu
                Reporter:
                sonagupt Sonal Gupta
              • Votes:
                0 Vote for this issue
                Watchers:
                5 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Time Tracking

                  Estimated:
                  Original Estimate - Not Specified
                  Not Specified
                  Remaining:
                  Remaining Estimate - 0h
                  0h
                  Logged:
                  Time Spent - 1h
                  1h