View Issue Details

IDProjectCategoryView StatusLast Update
0003246SOGoWeb Generalpublic2022-06-23 12:26
Reporterstefancastille Assigned Toludovic  
PrioritynormalSeverityfeatureReproducibilityalways
Status resolvedResolutionfixed 
Platformbrowser 
Product Version2.3.0 
Target Version3.0.0Fixed in Version3.1.0 
Summary0003246: No CSRF token - requests can be forged
Description

No CSRF token is used when creating events in calendar, adding contacts, ...
An attacker can therefore prepare a website that triggers POST requests for a victim to preform actions under his/her account.

only the username of the victim needs to be known.

Steps To Reproduce
  • create a new contact
  • intercept and save the request
  • replace your username with the username of the victim in the request
  • create a webpage that sends the POST request automatically
  • lure the victim into visiting your webpage
  • if the victim is still logged in the action will be performed (ie. send him/her an email with a link to your site)
TagsNo tags attached.

Activities

stefancastille

stefancastille

2015-06-10 14:36

reporter   ~0008615

Almost all actions (except changing password) are possible, including setting an email forward address so that all incoming emails will be forwarded to the attacker.

ludovic

ludovic

2016-04-26 15:24

administrator   ~0010013

https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711

Issue History

Date Modified Username Field Change
2015-06-10 11:09 stefancastille New Issue
2015-06-10 14:36 stefancastille Note Added: 0008615
2015-07-22 15:42 ludovic Severity major => feature
2015-07-22 15:42 ludovic Target Version => 3.0.0
2016-04-26 15:24 ludovic Note Added: 0010013
2016-04-26 15:24 ludovic Status new => resolved
2016-04-26 15:24 ludovic Fixed in Version => 3.1.0
2016-04-26 15:24 ludovic Resolution open => fixed
2016-04-26 15:24 ludovic Assigned To => ludovic