View Issue Details

ID: 0010627
Project: mantisbt
Category: security
View Status: public
Last Update: 2013-07-17 10:30
Reporter: dhx
Assigned To: dhx
Priority: immediate
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0rc1
Target Version: 1.2.0rc2
Fixed in Version: 1.2.0rc2
Summary: 0010627: Ensure all forms use CSRF protection
Description

More information on CSRF: http://en.wikipedia.org/wiki/Cross-site_request_forgery

Basically there are quite a few forms in Mantis that still don't have CSRF protection. Without this protection, it is possible for a user logged into Mantis via a cookie to be tricked into submitting forms (such as that to account_delete.php) without any knowledge or confirmation from the Mantis user.
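As an added example, not MantisBT's own code, of the form-token fix this ticket tracks: a single-use token bound to the session and to one form action, with the unprotected account_delete handler beside the protected one. The function names, the error string and the in-memory $_SESSION are assumptions, not the project's API.

```php
<?php
// Added example, not MantisBT's own code. Function names and the 'account_delete'
// action are illustrative assumptions; $_SESSION stands in for the cookie-bound
// server-side session that a cross-site attacker can trigger but never read.
// Issue a fresh single-use token bound to this session and one form action,
// rendered as a hidden field inside that form.
function csrf_token_field(string $action): string {
    $token = bin2hex(random_bytes(32));                 // 256 bits from the CSPRNG
    $_SESSION['csrf'][$action][$token] = time();        // remembered server-side
    return '<input type="hidden" name="' . htmlspecialchars($action)
        . '_token" value="' . $token . '" />';
}

// Validate in the POST handler before any state change: the attacker's page can
// make the browser attach the cookie, but not supply a token it never saw.
function csrf_validate(string $action, array $post, int $max_age = 3600): bool {
    $name = $action . '_token';
    if (!isset($post[$name]) || !is_string($post[$name])) {
        return false;                                   // forged request: no token
    }
    $issued = $_SESSION['csrf'][$action][$post[$name]] ?? null;
    if ($issued === null || time() - $issued > $max_age) {
        return false;                                   // unknown, replayed or expired
    }
    unset($_SESSION['csrf'][$action][$post[$name]]);    // single use: consume it
    return true;
}

// Vulnerable handler: trusts the session cookie alone, so any site the victim
// visits can submit this form on their behalf.
function account_delete_vulnerable(array $post): string {
    return 'deleted user ' . (int) $_SESSION['user_id'];
}

// Hardened handler. Because the token is consumed on use, a second submission
// of the same form (double click, back button) fails with the same "invalid
// form security token" error that the related issues on this ticket report.
function account_delete_protected(array $post): string {
    if (!csrf_validate('account_delete', $post)) {
        return 'ERROR 2800: invalid form security token';
    }
    return 'deleted user ' . (int) $_SESSION['user_id'];
}
// Constructed in-memory session and submissions; no web server needed.
$_SESSION = ['user_id' => 42];
preg_match('/value="([0-9a-f]+)"/', csrf_token_field('account_delete'), $m);
$legit = ['account_delete_token' => $m[1]];
assert(account_delete_protected([]) === 'ERROR 2800: invalid form security token');
assert(account_delete_protected($legit) === 'deleted user 42');
assert(account_delete_protected($legit) === 'ERROR 2800: invalid form security token');
```

Only handlers that change state need the check; the attached cherry output shows the same split, with read-only pages and the login step marked as not needing protection.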

Tags: No tags attached.
Attached Files
10627-git-cherry.txt (5,460 bytes)   
git cherry -v master-1.2.x 10627-csrf
- 58dad315491ea482c95e597203b6db1bb936f7d6 Add CSRF protection for account_delete
- c2acc9df534bbbcad0115e6124b96a5773d7f1e8 Add CSRF protection for account_prefs_update
- 1f82a21a2e915798481e347bde808086068f22a9 Add CSRF protection for account_prefs_reset
- 473456c70d258f50709025e7b08b862f22ec4586 Add CSRF protection for account_sponsor_update
- 2130f6d07a52d4045fc41cb3a2a85a07bc18f6f4 Add CSRF protection for adm_config_set
- 3b6f50a6e8e160c8107a702b1b688a24caea51b3 CSRF protection not needed for billing_inc
- f3555db05eb6ec3c76cf251f0f5f048278e93b75 Add CSRF protection for bug_file_add
- fb995381bc1d068fee253b7bfa344a8cc92ffc9f Add CSRF protection for bug_monitor
- cbd5a5659de51c5b8579c5bfe8dc9afcb209a5da Add CSRF protection for bugnote_add
- 81e547e7065d68086c14cc4c76116617355ec616 Add CSRF protection for bugnote_update
- 73948e457360978a8be4c9558529a6efb5decf02 CSRF protection not needed for bugnote_stats_inc
- cf196081326061694ce6ddcbdedcbb337179c28f Add CSRF protection for bug_reminder
- 97142a703d7b761236b151ee21c29df20e61c2cf CSRF protection not needed for bug_report form
- 2b32b9e6f337f38b1e178b154c46e293aa2ddfd5 Add CSRF protection for bug_set_sponsorship
- bde1bcf2a45b659a908019e85f03f2060ff8095f Add CSRF protection for bug_relationship_add
- 91634c17750678a2f425a01e57a206335df516b1 CSRF protection not needed for jump_to_bug
- d5c0f4a4daaa5658fe0735912b3de487464c0075 Add CSRF protection to html_button function
- cffc81d8ed6688ec0c00b0c8d5106be001495533 Add CSRF protection for bug_stick
- 7ed79855fed75ca22dd8884a19d5b42f8aeb4cd1 Add CSRF protection for bug_assign
- d1cbd478cb455029b0e448394f8884e6c3472b90 Add CSRF protection for lost_pwd
+ c1aa51ae7b9b41a777464817785ff9a061a442bf Add CSRF protection for manage_config_columns_set
- bc927e2e391dd82bb6187251cca71b04733be1a9 Add CSRF protection for manage_columns_copy
- 852eec753d14a000220d548347b28903c02a495f Add CSRF protection for manage_config_columns_reset
- ef323cc399e90c783fa3a6c632c6b1bfb6cf4ec0 Add CSRF protection for manage_config_workflow_set
- 15a963fd41db11e394bcf3fee6ec68f0ef348d23 Add CSRF protection for manage_config_work_threshold_set
- 2be8e88afcc53bade8a35ce0ea0cfb376a98a493 Fix #10691: missing CSRF token for version delete
- 3b6cee589979bfa130749810b17b39b09caa5b24 CSRF protection not needed for manage_user_page
- 50015e39dec835e636306ddffd71541a93d56c01 Add CSRF protection for plugin_format_config_edit
- 9a2bcd725fd29aa0b9f6d8e7533fa548e1688d82 Missing closure to form element
- 131654143cb0c08919e0198d7d6dacdee6e3cc5e Add CSRF protection for plugin_graph_config_edit
- cee5ee1d3563c0496327c307712ddb0780354e10 Add CSRF protection for proj_doc_add
- b0e5230540c90d231ff17b9df9e5d783d2364323 Add CSRF protection for proj_doc_update
- 8a505699c7c3ae690d5f62d40b76fcb9eb9fbdf4 Add CSRF protection for proj_doc_delete
- 0e152120d0d63746efc7d6bb427f951c1c326215 Add CSRF protection for query_delete
- dc2233febba720be05ceb82a22e4f1c177f979ca Add CSRF protection for query_store
- e9031fcbae4af8111244b8a1bd590e12be69a4dc CSRF protection not needed for tag_update_page
- b218eb1527bd92d8538c27ec01eec2427c5de7b0 CSRF protection not needed for bug_actiongroup_page
- 90f03fc196913ea2fdfc6a0d15c54fe380ab652f CSRF protection not needed for view_all_set
- d2cd26e321857fbb21d41c0e2264b5ca8eeaae4e CSRF protection not needed for view_all_set
- 18dd92c39ebf7669660d636a077389a4e14e6985 CSRF protection not needed for print_all_bug_page
- a72770aa0b3a8acff6b2688d1c6ef746b3388f08 Add CSRF protection for print_all_bug_options_update
- f6e3f0f5f06f320413983fd3698a143ef5e414ab Add CSRF protection for print_all_bug_options_reset
- 5d0673f0535c1b2106f5bf3d68b7e9ed5380489f Add CSRF protection for plugin_xml_import_action
- 6b4fd70e195f0a65d29725a6789d1fbab50938fd Cleanup form token usage on manage_proj_edit_page
- 6d1f1a5bcc117e1f5eb58882d19b8844e17b703d CSRF protection not needed for set_project
- 7d9420086d8eba404c643a25773d0605a3c62eac CSRF protection not needed for login/reauthentication
- 1831dbfb59943ec816076cc858dda80fba3a1798 CSRF protection not needed for set_project
- e36500f1e1da1ffc3439a1586f4e57077a9b69b0 CSRF protection not needed for bug_change_status_page
- 7fa5bd1a719bcd5a7b0b322233bb99f70cbd8fd5 CSRF protection not needed for action confirmation step
- 6951bcdcfd92e7d4439d7217bc2a1f400a5f6d2a CSRF protection not needed in filter_api
- 164278a3a179e280316ae80c689f83ce0e49bd17 Add CSRF protection to print_button function
- 108db3df79ec71419de550d35658ab5a41097791 Add CSRF protection for adm_config_delete
- 55cc15f412a5f5314b3bbfeb7a3a243c4ddd9f5f Add CSRF protection for bug_assign_reporter
+ 8fae4fc478ad39851b26f4bf694849145c5be3e5 Add CSRF protection for bug_file_delete
- d79af1672e7d057f0cb29b4fc0c3487768807f32 Add CSRF protection for bugnote_delete
- 663a57892f281d03dec2762a52cd7fdd4c3db78c Add CSRF protection for bugnote_set_view_state
- b368fc5a103966b826dddd46ee3b087f67d76192 Add CSRF protection for manage_plugin_install
- cd251a435c49d3efa6e4ca33f723e0712ba2d332 Add CSRF protection for manage_plugin_uninstall
- 4fadaf737d95d5f9ae8faea3b7f40a542f509686 Add CSRF protection for manage_plugin_upgrade
- 3a4d1a12af376bbe364003e88560b205a12f83eb Add CSRF protection for manage_user_proj_delete
- cba9a85acd9c00fb8993ebf856e90a8a839fe137 Add CSRF protection for manage_user_prune
- bf7b39a5b29be2156bc90c39072073a77725dd45 Add CSRF protection for bug_relationship_delete

Relationships

parent of 0010202 (closed, dhx): APPLICATION ERROR #2800 when using Create New Account button
parent of 0010162 (closed, dhx): APPLICATION ERROR #2800: Invalid form security token. Did you submit the form twice by accident?
parent of 0009879 (closed, dhx): ERROR 2800 - manage config revert
parent of 0010684 (closed, dhx): APPLICATION ERROR #2800
related to 0010014 (closed, jreese): Provide a way to disable form token validation for intranet installations
related to 0010691 (closed, dhx): Missing form security token for delete button on manage_proj_ver_edit_page.php

Activities

dhx (reporter), 2009-07-06 13:39, note ~0022421

Also backported to 1.2.x but there are so many commits, I can't be bothered attaching them all to this ticket (over 100). I've just attached the merge changeset to give you a starting place to see what changed.

dhx (reporter), 2009-07-06 13:45, note ~0022422

I've attached a slightly edited output from git cherry comparing the differences between my 10627-csrf branch merged into master and the master-1.2.x branch. As you can see, there are two commits (denoted by the leading +) which differ due to changes being made in 1.2.x after my 10627-csrf branch was forked. I've used this output to ensure that all my commits from 10627-csrf applied correctly.

dhx (reporter), 2009-07-06 13:47, note ~0022423

I also no longer have plans to backport this to 1.1.x because there are simply too many merge conflicts to deal with. The 1.1.x and 1.2.x branches are so different that automatic merging just isn't going to work out.

Related Changesets

MantisBT: master e00319f2 (2009-07-06 11:27, dhx): Merge branch '10627-csrf'
Affected Issues: 0010627