Patch for CVE-2015-2259 - CSRF security issue


Date: 15.03.2015 09:18

UliCMS is vulnerable to cross-site request forgery (CSRF) because its forms do not carry a CSRF token on POST requests: any site a logged-in administrator visits can submit a forged request to UliCMS in the administrator's session and have it accepted.
All versions of UliCMS are affected.
This security issue was found by Ankit Bharathan from provensec llc.

This patch for UliCMS fixes the issue by adding a CSRF token to the forms and validating it when a form is submitted.
The token check was not added to module forms such as the module settings,
because doing so would break existing modules that do not send the token.
Those forms therefore remain unprotected until the check for modules is added in UliCMS release 8.0.2.

The following API calls were added:
get_csrf_token() - generate a token

get_csrf_token_html() - return the HTML code for a hidden input field containing the csrf_token

csrf_token_html() - echo the HTML code for a hidden input field containing the csrf_token

check_csrf_token() - validate the submitted csrf_token
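The following PHP block is an added example and is not code from the UliCMS patch itself: it shows one way to implement the four calls above with a per-session token and a constant-time comparison, plus a form handler that uses them. The session key and the POST field name "csrf_token", the 403 error handling, and the use of the PHP 7 functions random_bytes() and hash_equals() are assumptions about a reasonable implementation, not a description of UliCMS internals.

```php
<?php
// Added example (not code from the UliCMS patch): a minimal implementation of
// the four API calls named in the advisory, plus a form handler using them.
// Assumptions: the token lives in $_SESSION["csrf_token"], the hidden field is
// named "csrf_token", and PHP >= 7.0 is available (random_bytes, hash_equals).

function get_csrf_token()
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // One token per session, drawn from a CSPRNG. It must not be derivable
    // from anything an attacker can guess (user id, timestamp, ...).
    if (empty($_SESSION["csrf_token"])) {
        $_SESSION["csrf_token"] = bin2hex(random_bytes(32));
    }
    return $_SESSION["csrf_token"];
}

function get_csrf_token_html()
{
    // The token is hex, but escape it anyway so a later change of encoding
    // can never break out of the attribute value.
    $token = htmlspecialchars(get_csrf_token(), ENT_QUOTES, "UTF-8");
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

function csrf_token_html()
{
    echo get_csrf_token_html();
}

// Returns true only for a POST request that carries the session's token.
function check_csrf_token()
{
    if ($_SERVER["REQUEST_METHOD"] !== "POST") {
        return false;
    }
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    // Reject a missing token and a token sent as an array (csrf_token[]=...),
    // which would otherwise make hash_equals() throw.
    if (empty($_SESSION["csrf_token"])
        || !isset($_POST["csrf_token"])
        || !is_string($_POST["csrf_token"])) {
        return false;
    }
    // Constant-time comparison. A plain == is not constant-time and, for
    // numeric-looking strings, not even an exact comparison.
    return hash_equals($_SESSION["csrf_token"], $_POST["csrf_token"]);
}

// --- usage: a settings form and its handler on the same page --------------

if ($_SERVER["REQUEST_METHOD"] === "POST") {
    if (!check_csrf_token()) {
        // Reject before touching any state; do not say whether the token was
        // missing or merely wrong.
        http_response_code(403);
        exit("Invalid CSRF token");
    }
    // ... apply the change here (e.g. save the submitted settings) ...
}
?>
<form method="post" action="">
    <?php csrf_token_html(); ?>
    <input type="text" name="site_title">
    <button type="submit">Save</button>
</form>
```

The token only stops the attack where the handler of a state-changing POST actually calls check_csrf_token(); emitting the hidden field alone does nothing. That is exactly why the module forms the advisory excludes from the check remain exploitable until the check is added for them.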

To apply the patch, upload the contents of the "patch" folder to the UliCMS root directory on your server (e.g. via FTP), replacing the existing files. Make a backup of the files being replaced before you upload.

Download Patch for UliCMS 7.2.1

Download Patch for UliCMS 8.0.0

Download Patch for UliCMS 8.0.1

Comments


No comments yet.