- Issue created by @mohithasmukh
- Status changed to Closed: duplicate
almost 2 years ago 11:30am 22 March 2023 - 🇬🇧 United Kingdom catch
Duplicate of: User logout is vulnerable to CSRF (Fixed)
Hi there,
Recently we did a penetration test on a Drupal site (version 9.5.5) running PHP (version 8.1.14). One of the vulnerabilities the team found is that the logout is done via a GET request. The report gave the following implications/recommendations.
Recommendation:
Logout calls should always be done via POST requests.
Description
During the analysis it could be determined that the logout request to the web server is performed using a GET request. This means that an attacker can place a link to the logout URL anywhere on the Internet, and the user is automatically logged out when visiting this third-party website.
I was wondering whether this could be solved, or whether anything has already been done or is being missed.
Thank you for your help.
Version: 9.5