CGI Generic Cross-Site Request Forgery Detection

More
1 year 3 months ago #185105 by geodask
Hi Guys,

On our recent Nessus scan the following vulnerability popped up:

The following CGIs are not protected by a random token :
/limesurvey/

Anyone has any idea how to mitigate this ?

We are using version 3.17.4 (build 190529)

Thank you.
The topic has been locked.
More
1 year 3 months ago #185114 by DenisChenu
There are no ($_POST) form in limesurvey home page, then no need to protect it against CRSF.

All forms inside limesurvey are protected against CRSF, if not it's an issue. But not here.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development . I don't answer to private message.
The topic has been locked.
More
1 year 3 months ago #185150 by geodask
So i consider this as a false positive.

Thank you Denis.
The topic has been locked.
More
1 year 3 months ago #185159 by DenisChenu
Yep,

I check again : the language switch are on GET request only.
And it does only language switching : no data are really send.

Assistance on LimeSurvey forum and LimeSurvey core development are on my free time.
I'm not a LimeSurvey GmbH member, professional service on demand , plugin development . I don't answer to private message.
The following user(s) said Thank You: tpartner
The topic has been locked.

Start now!

Just create your account and start using Limesurvey today.

Register now