Uploaded image for project: 'MusicBrainz Server'
  1. MusicBrainz Server
  2. MBS-10778

User/admin forms are prone to CSRF attacks

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 2020-04-27
    • Component/s: Accounts, Admin
    • Labels:
      None

      Description

      External websites can construct POST requests that submit data to user/admin forms on musicbrainz.org. If the user is logged in on MusicBrainz, these requests will be processed if the fields validate.

      This would theoretically be mitigated by browsers moving to a non-permissive SameSite=Lax by default, but this also breaks release editor seeding (MBS-10717).

      We should add CSRF tokens to any forms that can modify user data or administrate the site.

        Attachments

          Activity

            People

            Assignee:
            bitmap Michael Wiencek
            Reporter:
            bitmap Michael Wiencek
            Votes:
            1 Vote for this issue
            Watchers:
            3 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved:

                Packages

                Version Package
                2020-04-27