Potential CSRF vulnerability on some of the paths

Open on Drupal.org →

Created on 21 January 2025, 3 months ago

Problem/Motivation

The following paths require either the "administer monitoring"- or "monitoring force run"-permissions, but do not have a CSRF-token or form, so a malicious user can trick a user with one of those permissions into visiting one of the url's and performing a rebuild or force run.

* /monitoring/sensors/force
* /admin/config/system/monitoring/sensors/rebuild
* /monitoring/sensors/force/{monitoring_sensor_config}

Background information

(This was discussed privately with the Drupal security team and it was decided it could be handled publicly.)

security.drupal.org private issue: https://security.drupal.org/node/180446
(included for reference. Please do not report access denied as an error.)

🐛 Bug report

Status

Active

Version

1.0

Component

Code

Created by

🇧🇪Belgium mr.baileys 🇧🇪 (Ghent)

Live updates comments and jobs are added and updated live.

Security improvements
It makes Drupal less vulnerable to abuse or misuse. Note, this is the preferred tag, though the Security tag has a large body of issues tagged to it. Do NOT publicly disclose security vulnerabilities; contact the security team instead. Anyone (whether security team or not) can apply this tag to security improvements that do not directly present a vulnerability e.g. hardening an API to add filtering to reduce a common mistake in contributed modules.

Security
It is used for security vulnerabilities which do not need a security advisory. For example, security issues in projects which do not have security advisory coverage, or forward-porting a change already disclosed in a security advisory. See Drupal’s security advisory policy for details. Be careful publicly disclosing security vulnerabilities! Use the “Report a security vulnerability” link in the project page’s sidebar. See how to report a security issue for details.

Sign in to follow issues

Merge Requests

!27Potential CSRF vulnerability on some of the paths
Merged
🇧🇪Belgium mr.baileys
updated 2 months ago

Comments & Activities

Issue created by @mr.baileys
Comment 3 months ago →
🇧🇪Belgium mr.baileys 🇧🇪 (Ghent)
Added _csrf_token to the affected routes, and fixed a test. Still expecting a test failure on "monitoring/sensors/force/test_sensor" (I don't think there is a button or link to force a single sensor I can trigger in the interface for easy testing)
Merge request !27Added csrf-tokens to vulnerable paths. → (Merged) created by mr.baileys
Pipeline finished with Failed
3 months ago
Total: 218s
#401602
Comment 3 months ago →
🇧🇪Belgium mr.baileys 🇧🇪 (Ghent)
Pipeline finished with Success
3 months ago
Total: 1104s
#401721
Pipeline finished with Success
3 months ago
Total: 324s
#402407
Pipeline finished with Skipped
2 months ago
#428614
First commit to issue fork.
Comment 2 months ago →
System Message

berdir → committed 101be20d on 8.x-1.x authored by mr.baileys →
Issue #3501100 by mr.baileys: Potential CSRF vulnerability on some of...
Comment 2 months ago →
🇨🇭Switzerland berdir Switzerland
Thanks for following up on this!
Comment about 2 months ago →
System Message
Automatically closed - issue fixed for 2 weeks with no activity.

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024