Logout link should be protected
Reported by:
Owned by: Jun Omae
Cc: Steffen Hoffmann, Jun Omae, Ryan J Ollos
Branch:
Logout requires a POST request.
The logout link is not protected against CSRF. It is very easy to include a link to it as a fake image, even in Trac itself:
It is a kind of security issue, because it is possible to block a user from performing any action in the private parts of any Trac system.
Used here as a demonstration of the same problem: https://code.djangoproject.com/ticket/15619#comment:25
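As an added example (not code from the ticket or from Trac's own code base), the following Python model shows why a GET logout link is triggerable cross-site and how the "POST plus form token" check closes it. The browser attaches the session cookie to an image load from any origin, so a cookie check alone does not help; the request must also carry a secret that a third-party page cannot read. The `Request`/`Session` classes, the `trac_session` cookie value and the server-side storage of the token are assumptions made for illustration; Trac's real mechanism names the hidden field `__FORM_TOKEN`, which is reused here.

```python
"""Added example, not Trac's code: GET logout (CSRF-able) beside POST + token logout."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import hmac
import secrets


@dataclass
class Request:
    """Constructed stand-in for an HTTP request (assumption for this example)."""
    method: str
    path: str
    cookies: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


@dataclass
class Session:
    """Server-side session: who is logged in, plus a per-session form token."""
    user: Optional[str] = "alice"
    form_token: str = field(default_factory=lambda: secrets.token_hex(16))


def logout_get(req: Request, session: Session) -> bool:
    """Vulnerable pattern: a plain GET to /logout with a valid session cookie logs out.

    An <img src="https://trac.example/logout"> on any page makes the victim's
    browser send exactly this request, cookie included, so the check passes.
    """
    if req.path == "/logout" and req.cookies.get("trac_session") == "valid":
        session.user = None
        return True
    return False


def logout_post(req: Request, session: Session) -> bool:
    """Hardened pattern: require POST and a __FORM_TOKEN matching the session's token.

    A cross-site image load is always a GET and can never include the token,
    so the forged request is rejected before any state changes.
    """
    if req.path != "/logout" or req.method != "POST":
        return False
    if req.cookies.get("trac_session") != "valid":
        return False
    submitted = req.form.get("__FORM_TOKEN", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(submitted, session.form_token):
        return False
    session.user = None
    return True


def demo() -> Dict[str, Optional[str]]:
    """Run the forged GET against both handlers; return who is left logged in."""
    forged = Request("GET", "/logout", cookies={"trac_session": "valid"})
    vulnerable, hardened = Session(), Session()
    logout_get(forged, vulnerable)    # succeeds: victim is logged out
    logout_post(forged, hardened)     # rejected: wrong method, no token
    return {"get_handler_user": vulnerable.user, "post_handler_user": hardened.user}


if __name__ == "__main__":
    print(demo())
```

The hardened handler still accepts a legitimate logout: a POST from the site's own form carries the token, which the server generated and the third-party page never saw.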
Change History (11)
comment:1 by , 8 years ago
Component: general → web frontend