Type: Improvement
Resolution: Fixed
Priority: Critical
Fix Version/s: 3.9.19, 3.11.12, 4.0.6, 4.1
If by any chance some developer used an externallib method that does not wrap $USER->ignoresesskey = true in if (WS_SERVER) in normal code, then it could be carried over to the normal user session, completely disabling CSRF protection.
I guess it would be better to at least limit it to the current request by removing it in the session manager at the beginning of the next page request.
Disaster scenarios:
- There is a web service that allows both AJAX and WS server access, and the developer forgets to use if (WS_SERVER) around $USER->ignoresesskey = true. Then every AJAX request for this method disables CSRF for the rest of the user session.
- There is a web service that is allowed in mobile and WS only, and it does not have if (WS_SERVER) around $USER->ignoresesskey = true. Another developer calls the external method directly in normal code. Then CSRF is disabled for the rest of the user session.
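An added illustration of the two patterns described above, not code from this tracker issue or from Moodle itself: a simulated external function that sets $USER->ignoresesskey = true unguarded versus one guarded by WS_SERVER, plus the per-request reset proposed in the report. The names $USER, WS_SERVER and confirm_sesskey() only mirror Moodle's; the session array and session_start_request() are constructed stand-ins for Moodle's session handling.

```php
<?php
// Constructed simulation of how $USER->ignoresesskey survives into later requests.
// Not Moodle code: $USER, WS_SERVER and confirm_sesskey() only mirror Moodle's names.

$session = ['USER' => (object)['id' => 2]]; // stand-in for the PHP session store

function confirm_sesskey(object $user, ?string $posted, string $real): bool {
    // Moodle-style check: the flag bypasses the token comparison entirely.
    if (!empty($user->ignoresesskey)) {
        return true;
    }
    return $posted !== null && hash_equals($real, $posted);
}

// Unguarded pattern from the report: flag set no matter how the function is reached.
function external_method_unguarded(object $user): void {
    $user->ignoresesskey = true;
}

// Hardened pattern: only the stateless WS server may skip the sesskey check.
function external_method_guarded(object $user, bool $wsserver): void {
    if ($wsserver) {
        $user->ignoresesskey = true;
    }
}

// Mitigation proposed in the report: forget the flag when the next request starts.
function session_start_request(array &$session): object {
    unset($session['USER']->ignoresesskey);
    return $session['USER'];
}

// Request 1: an AJAX call (WS_SERVER false) reaches the unguarded method.
$USER = $session['USER'];
external_method_unguarded($USER);

// Request 2: a normal page POST from the same session carrying no sesskey.
$USER = $session['USER'];
echo 'Without reset, CSRF check passes with no token: ', var_export(confirm_sesskey($USER, null, 'abc123'), true), PHP_EOL;

// Same two requests with the per-request reset applied at session start.
$session = ['USER' => (object)['id' => 2]];
$USER = session_start_request($session);
external_method_unguarded($USER);
$USER = session_start_request($session);
echo 'With reset, CSRF check requires the token: ', var_export(confirm_sesskey($USER, null, 'abc123'), true), PHP_EOL;

// Guarded variant never sets the flag when reached outside the WS server.
$USER = (object)['id' => 2];
external_method_guarded($USER, false);
echo 'Guarded variant sets flag on AJAX request: ', var_export(!empty($USER->ignoresesskey), true), PHP_EOL;
```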