[MDL-24561] Forum subscribe.php does not check sesskey() - Moodle Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 1.9.9, 2.0
Fix Version/s: 1.9.11, 2.0.2
Component/s: Forum
Labels:
None

Affected Branches:
MOODLE_19_STABLE, MOODLE_20_STABLE
Fixed Branches:
MOODLE_19_STABLE, MOODLE_20_STABLE

Description

/mod/forum/subscribe.php does not seem to check sesskey(). Therefore, nasty users could use it for CSRF attack and let easily other user to subscribe to many other forums, for example (spam risk).

Attachments

Issue Links

caused a regression

MDL-33194 Can't subscribe other user to forum

Closed

Activity

People

Assignee:: David Mudrák (@mudrd8mz)

Reporter:: David Mudrák (@mudrd8mz)

Participants:: David Mudrák (@mudrd8mz), Martin Dougiamas, Petr Skoda, Tim Hunt

Component watchers:: Andrew Lyons, Huong Nguyen, Jun Pataleta, Michael Hawkins, Shamim Rezaie, Simey Lameze

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 07/Oct/10 11:55 PM

Updated:: 23/May/12 10:34 AM

Resolved:: 06/Jan/11 8:04 AM

Fix Release Date:: 21/Feb/11