Back to limesurvey.org

Welcome to the LimeSurvey Community Forum

Ask the community, share ideas, and connect with other LimeSurvey users!

CGI Generic Cross-Site Request Forgery Detection

  • geodask
  • geodask's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 8 months ago #185105 by geodask
CGI Generic Cross-Site Request Forgery Detection was created by geodask
Hi Guys,

On our recent Nessus scan the following vulnerability popped up:

The following CGIs are not protected by a random token :
/limesurvey/

Anyone has any idea how to mitigate this ?

We are using version 3.17.4 (build 190529)

Thank you.
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team & Official Partner
  • LimeSurvey Community Team & Official Partner
More
5 years 8 months ago #185114 by DenisChenu
Replied by DenisChenu on topic CGI Generic Cross-Site Request Forgery Detection
There are no ($_POST) form in limesurvey home page, then no need to protect it against CRSF.

All forms inside limesurvey are protected against CRSF, if not it's an issue. But not here.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development .
I don't answer to private message.
The topic has been locked.
  • geodask
  • geodask's Avatar Topic Author
  • Offline
  • New Member
  • New Member
More
5 years 8 months ago #185150 by geodask
Replied by geodask on topic CGI Generic Cross-Site Request Forgery Detection
So i consider this as a false positive.

Thank you Denis.
The topic has been locked.
  • DenisChenu
  • DenisChenu's Avatar
  • Offline
  • LimeSurvey Community Team & Official Partner
  • LimeSurvey Community Team & Official Partner
More
5 years 8 months ago #185159 by DenisChenu
Replied by DenisChenu on topic CGI Generic Cross-Site Request Forgery Detection
Yep,

I check again : the language switch are on GET request only.
And it does only language switching : no data are really send.
Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member. - Professional support - Plugins, theme and development .
I don't answer to private message.
The following user(s) said Thank You: tpartner
The topic has been locked.
Moderators: holchtpartner

Lime-years ahead

Online-surveys for every purse and purpose

Pricing & Plans
Get started

Legal

About Us

Open Source