- Posts: 2
- Thank you received: 0
Welcome to the LimeSurvey Community Forum
CGI Generic Cross-Site Request Forgery Detection
- geodask
- Topic Author
- Offline
- New Member
4 years 10 months ago #185105
by geodask
CGI Generic Cross-Site Request Forgery Detection was created by geodask
Hi Guys,
On our recent Nessus scan the following vulnerability popped up:
The following CGIs are not protected by a random token :
/limesurvey/
Does anyone have any idea how to mitigate this?
We are using version 3.17.4 (build 190529)
Thank you.
The topic has been locked.
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13624
- Thank you received: 2490
4 years 10 months ago #185114
by DenisChenu
Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
I don't answer private messages.
Replied by DenisChenu on topic CGI Generic Cross-Site Request Forgery Detection
There is no ($_POST) form on the LimeSurvey home page, so there is no need to protect it against CSRF.
All forms inside LimeSurvey are protected against CSRF; if not, it's an issue. But not here.
The topic has been locked.
- geodask
- Topic Author
- Offline
- New Member
- Posts: 2
- Thank you received: 0
4 years 10 months ago #185150
by geodask
Replied by geodask on topic CGI Generic Cross-Site Request Forgery Detection
So I consider this a false positive.
Thank you Denis.
The topic has been locked.
- DenisChenu
- Offline
- LimeSurvey Community Team
- Posts: 13624
- Thank you received: 2490
4 years 10 months ago #185159
by DenisChenu
Replied by DenisChenu on topic CGI Generic Cross-Site Request Forgery Detection
Yep,
I checked again: the language switch is on GET requests only.
And it does only language switching: no data are really sent.
The following user(s) said Thank You: tpartner
The topic has been locked.
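As an added example (not code from the thread or from LimeSurvey), here is the triage rule Denis applies, written in Python: a form is a CSRF concern only when it changes state (POST) and carries no anti-CSRF token, while a GET-only form such as the language switch is reported for a manual idempotence check rather than as a finding. The token field name YII_CSRF_TOKEN and the sample HTML are assumptions.

```python
from html.parser import HTMLParser

# Assumption: LimeSurvey (Yii) names its anti-CSRF hidden field YII_CSRF_TOKEN.
TOKEN_FIELD_NAMES = {"YII_CSRF_TOKEN", "csrf_token", "_token"}

class FormCollector(HTMLParser):
    """Collect every <form>: action, method and names of its hidden inputs."""
    def __init__(self):
        super().__init__()
        self.forms, self._current = [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action") or "",
                             "method": (a.get("method") or "get").lower(),
                             "hidden": []}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden":
                self._current["hidden"].append(a.get("name") or "")

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def triage_forms(html, token_names=TOKEN_FIELD_NAMES):
    """Return [(action, verdict)] per form. POST-unprotected is a real CSRF
    finding; GET-only still needs a manual check that the request changes no
    state (a language switch that stores nothing, as in the thread, is fine)."""
    parser = FormCollector()
    parser.feed(html)
    results = []
    for form in parser.forms:
        if form["method"] != "post":
            verdict = "GET-only"
        elif any(name in token_names for name in form["hidden"]):
            verdict = "POST-protected"
        else:
            verdict = "POST-unprotected"
        results.append((form["action"], verdict))
    return results

# Constructed sample page: GET language switcher (the /limesurvey/ case), a POST form with a token, a POST form without one.
SAMPLE_HTML = """
<form action="/limesurvey/" method="get"><select name="lang"><option value="en">en</option></select></form>
<form action="/example/protected" method="post"><input type="hidden" name="YII_CSRF_TOKEN" value="constructed"></form>
<form action="/example/unprotected" method="POST"><input type="text" name="comment"></form>
"""
```

Run `triage_forms(SAMPLE_HTML)` to see the three verdicts; on a real page, only POST-unprotected entries correspond to what the scanner should be reporting.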