Advisory source:
https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5475.php
Description of vulnerability:
The web interface allows users to perform certain actions via HTTP requests without performing validity checks to verify the requests. This can be exploited to perform certain actions with administrative privileges if a logged-in user visits a malicious web site.
Vulnerability mitigation:
This vulnerability was addressed in software release 10.7.5 In versions prior to 10.7.5 following these best practices mitigates the risk of CSRF vulnerabilities in all browser based applications:
- Logoff immediately after using a Web application
- Do not allow your browser to save username/passwords, and do not allow sites to “remember” your login
- Do not use the same browser to access sensitive applications and to surf the Internet freely (tabbed browsing).
- The use of plugins such as No-Script makes POST based CSRF vulnerabilities difficult to exploit. This is because JavaScript is used to automatically submit the form when the exploit is loaded. Without JavaScript the attacker would have to trick the user into submitting the form manually.
0 Comments