0003246: No CSRF token - requests can be forged - SOGo

ID	Project	Category	View Status	Date Submitted	Last Update

0003246	SOGo	Web General	public	2015-06-10 11:09	2022-06-23 12:26

Reporter	stefancastille	Assigned To	ludovic
Priority	normal	Severity	feature	Reproducibility	always
Status	resolved	Resolution	fixed
Platform	browser
Product Version	2.3.0
Target Version	3.0.0	Fixed in Version	3.1.0

Summary	0003246: No CSRF token - requests can be forged
Description	No CSRF token is used when creating events in calendar, adding contacts, ... An attacker can therefore prepare a website that triggers POST requests for a victim to preform actions under his/her account. only the username of the victim needs to be known.
Steps To Reproduce	create a new contact intercept and save the request replace your username with the username of the victim in the request create a webpage that sends the POST request automatically lure the victim into visiting your webpage if the victim is still logged in the action will be performed (ie. send him/her an email with a link to your site)
Tags	No tags attached.

stefancastille 2015-06-10 14:36 reporter ~0008615	Almost all actions (except changing password) are possible, including setting an email forward address so that all incoming emails will be forwarded to the attacker.

ludovic 2016-04-26 15:24 administrator ~0010013	https://github.com/inverse-inc/sogo/commit/582baf2960969c73f98643e46cfb49432c30b711

Date Modified	Username	Field	Change
2015-06-10 11:09	stefancastille	New Issue
2015-06-10 14:36	stefancastille	Note Added: 0008615
2015-07-22 15:42	ludovic	Severity	major => feature
2015-07-22 15:42	ludovic	Target Version	=> 3.0.0
2016-04-26 15:24	ludovic	Note Added: 0010013
2016-04-26 15:24	ludovic	Status	new => resolved
2016-04-26 15:24	ludovic	Fixed in Version	=> 3.1.0
2016-04-26 15:24	ludovic	Resolution	open => fixed
2016-04-26 15:24	ludovic	Assigned To	=> ludovic