MBS-10778: User/admin forms are prone to CSRF attacks
Project: MusicBrainz Server


    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2020-04-27
    • Component/s: Accounts, Admin
    • Labels: None

      Description

      External websites can construct POST requests that submit data to user/admin forms on musicbrainz.org. If the user is logged in to MusicBrainz, the browser attaches the session cookie and these requests will be processed as long as the fields validate.

      This would theoretically be mitigated by browsers moving to a non-permissive SameSite=Lax by default, but this also breaks release editor seeding (MBS-10717).

      We should add CSRF tokens to any forms that can modify user data or administrate the site.
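      Added illustration, not code from the ticket or from the MusicBrainz Server codebase: a minimal session-bound CSRF token scheme of the kind the ticket proposes. The function names, the `csrf_token` field name, and the dict-based stand-ins for the session store and the parsed POST body are assumptions.

```python
import hmac
import secrets

# Constructed example: `session` and `form` are plain dicts standing in for
# the server-side session and the parsed POST body of a user-settings form.
TOKEN_FIELD = "csrf_token"  # hypothetical hidden-field name


def issue_csrf_token(session):
    """Return this session's CSRF token, minting it on first use."""
    if TOKEN_FIELD not in session:
        # 256 bits from the OS CSPRNG: a third-party page cannot guess it.
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def rotate_csrf_token(session):
    """Mint a fresh token (e.g. after login) so older tokens stop working."""
    session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def render_form(session, fields):
    """Emit the hidden token input next to the form's visible fields."""
    token = issue_csrf_token(session)
    inputs = [f'<input type="hidden" name="{TOKEN_FIELD}" value="{token}">']
    inputs += [f'<input name="{n}" value="{v}">' for n, v in fields.items()]
    return '<form method="post">' + "".join(inputs) + "</form>"


def handle_post(session, form):
    """Check the token before touching user data. Returns (accepted, reason)."""
    expected = session.get(TOKEN_FIELD)
    supplied = form.get(TOKEN_FIELD)
    if expected is None or not isinstance(supplied, str):
        # A cross-site POST carries the victim's cookies but cannot read the
        # session, so it arrives without the hidden field and is refused.
        return False, "missing csrf token"
    # Constant-time comparison so a mismatch leaks nothing through timing.
    if not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "csrf token mismatch"
    # Only now run the ordinary field validation the ticket mentions.
    email = form.get("email", "")
    if "@" not in email:
        return False, "invalid email"
    session["email"] = email
    return True, "updated"
```

      Unlike relying on a SameSite=Lax cookie default, this check leaves cross-site GET flows such as release editor seeding untouched while still refusing forged POSTs.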

            People

            • Assignee: bitmap (Michael Wiencek)
            • Reporter: bitmap (Michael Wiencek)
            • Votes: 1
            • Watchers: 3
