SOGo | BTS

ID: 0003246
Project: SOGo
Category: Web General
View Status: public
Date Submitted: 2015-06-10 07:09
Last Update: 2016-04-26 11:24
Reporter: stefancastille
Assigned To: ludovic
Priority: normal
Severity: feature
Reproducibility: always
Status: resolved
Resolution: fixed
Platform: browser
Product Version: 2.3.0
Target Version: 3.0.0
Fixed in Version: 3.1.0
Summary: 0003246: No CSRF token - requests can be forged
Description: No CSRF token is used when creating events in calendar, adding contacts, ...
An attacker can therefore prepare a website that triggers POST requests for a victim to perform actions under his/her account.

Only the username of the victim needs to be known.
Steps To Reproduce:
- create a new contact
- intercept and save the request
- replace your username with the username of the victim in the request
- create a webpage that sends the POST request automatically
- lure the victim into visiting your webpage
- if the victim is still logged in, the action will be performed (i.e. send him/her an email with a link to your site)
Tags: No tags attached.

- Notes
(0008615)
stefancastille (reporter)
2015-06-10 10:36

Almost all actions (except changing password) are possible, including setting an email forward address so that all incoming emails will be forwarded to the attacker.
(0010013)
ludovic (administrator)
2016-04-26 11:24

https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711

- Issue History
Date Modified Username Field Change
2015-06-10 07:09 stefancastille New Issue
2015-06-10 10:36 stefancastille Note Added: 0008615
2015-07-22 11:42 ludovic Severity major => feature
2015-07-22 11:42 ludovic Target Version => 3.0.0
2016-04-26 11:24 ludovic Note Added: 0010013
2016-04-26 11:24 ludovic Status new => resolved
2016-04-26 11:24 ludovic Fixed in Version => 3.1.0
2016-04-26 11:24 ludovic Resolution open => fixed
2016-04-26 11:24 ludovic Assigned To => ludovic


Copyright © 2000 - 2018 MantisBT Team
Powered by Mantis Bugtracker