CGI Generic Cross-Site Request Forgery Detection

1 year 5 days ago #185105 by geodask
Hi Guys,

On our recent Nessus scan the following vulnerability popped up:

The following CGIs are not protected by a random token :
/limesurvey/

Does anyone have any idea how to mitigate this?

We are using version 3.17.4 (build 190529)

Thank you.


1 year 5 days ago #185114 by DenisChenu
There is no ($_POST) form on the LimeSurvey home page, so there is no need to protect it against CSRF.

All forms inside LimeSurvey are protected against CSRF; if not, it's an issue. But not here.

Assistance on the LimeSurvey forum and LimeSurvey core development are done in my free time.
I'm not a LimeSurvey GmbH member; professional service on demand, plugin development.
An error happened? Before making a new topic, remember the Debug mode.


1 year 4 days ago #185150 by geodask
So I consider this a false positive.

Thank you Denis.


1 year 2 days ago #185159 by DenisChenu
Yep,

I checked again: the language switch is on GET requests only.
And it only does language switching: no data is really sent.


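The triage Denis describes above (a GET-only form that sends no data is not a CSRF concern; a POST form without a hidden token would be) can be turned into a small audit script. This is an added example, not code from the thread or from LimeSurvey; the sample HTML is constructed, and the accepted token field names (including the Yii default `YII_CSRF_TOKEN`) are an assumption to adjust for the application under review.

```python
from html.parser import HTMLParser

# Constructed sample page: a GET-only language switcher (no state change),
# a POST login form carrying a hidden token, and a POST form without one.
SAMPLE_HTML = """
<form method="get" action="/limesurvey/index.php">
  <select name="lang"><option value="en">English</option></select>
</form>
<form method="post" action="/limesurvey/index.php/admin/authentication/sa/login">
  <input type="hidden" name="YII_CSRF_TOKEN" value="constructed-token">
  <input name="user"><input type="password" name="password">
</form>
<form method="post" action="/contact">
  <input name="email">
</form>
"""

# Hidden field names treated as an anti-CSRF token (assumption; extend per app).
TOKEN_NAMES = {"yii_csrf_token", "csrf_token", "_csrf", "_token"}


class FormAuditor(HTMLParser):
    """Collects every <form> with its method, action and hidden input names."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # The HTML default method is GET when the attribute is absent.
            self._current = {"method": (a.get("method") or "get").lower(),
                             "action": a.get("action") or "", "hidden": set()}
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "hidden" and a.get("name"):
                self._current["hidden"].add(a["name"].lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def triage_forms(html, token_names=TOKEN_NAMES):
    """Return (action, verdict) per form. GET forms are reported as 'get-only'
    (confirm manually that they change no state); POST forms are 'protected'
    when a known token field is present, otherwise 'missing-token'."""
    parser = FormAuditor()
    parser.feed(html)
    verdicts = []
    for form in parser.forms:
        if form["method"] != "post":
            verdict = "get-only"
        elif form["hidden"] & token_names:
            verdict = "protected"
        else:
            verdict = "missing-token"
        verdicts.append((form["action"], verdict))
    return verdicts
```

Only the `missing-token` verdicts need a fix; a `get-only` form such as the language switcher is what the scanner reported here and is not a CSRF issue as long as it performs no state change.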
