The URL for deleting an answer does not protect against a cross-site request forgery (CSRF) attack in which someone tricks an authenticated user into deleting their answer to a meeting poll.

For example, the URL for deleting an answer looks like /makemeeting/delete-answer/17

If an attacker embeds an img tag whose src is that URL and gets that person to view it, their browser will make a request to the URL and their answer will be deleted. You can read more about CSRF at http://drupalscout.com/knowledge-base/introduction-cross-site-request-fo...

You should use tokens as query parameters to the callback to protect against this.

(This doesn't appear to be an issue in the 1.x branches of the module, and since the 2.x release isn't stable yet, this can be discussed publicly in the issue queue.)
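As an added illustration (not the makemeeting module's own code), the unprotected delete callback beside two hardened variants using the Drupal 7 API: a session-bound token in the query string, as the report suggests, and a confirmation form, whose deletion only happens on a POST that carries Drupal's form token. All function names, the `makemeeting_answer` table, the `answer meeting polls` permission and the `<front>` redirect are assumptions for the example; `drupal_get_token()`, `drupal_valid_token()`, `confirm_form()` and `MENU_ACCESS_DENIED` are real Drupal 7 API.

```php
<?php
// Added example, not the module's code. Names below are hypothetical.

/**
 * Implements hook_menu().
 */
function makemeeting_example_menu() {
  $items = array();

  // BEFORE: a plain GET to /makemeeting/delete-answer/17 deletes the answer.
  // Any page the victim views can trigger it with <img src="...">.
  $items['makemeeting/delete-answer/%'] = array(
    'page callback' => 'makemeeting_example_delete_answer_unsafe',
    'page arguments' => array(2),
    'access arguments' => array('answer meeting polls'),
    'type' => MENU_CALLBACK,
  );

  // AFTER, variant 1: the callback requires a token bound to the session and
  // to this specific answer id; the attacker cannot guess it for the victim.
  $items['makemeeting/delete-answer-token/%'] = array(
    'page callback' => 'makemeeting_example_delete_answer_token',
    'page arguments' => array(2),
    'access arguments' => array('answer meeting polls'),
    'type' => MENU_CALLBACK,
  );

  // AFTER, variant 2: a confirmation form. GET only renders the form; the
  // delete runs in the submit handler, which Form API only calls when the
  // POSTed form_token validates.
  $items['makemeeting/delete-answer-confirm/%'] = array(
    'page callback' => 'drupal_get_form',
    'page arguments' => array('makemeeting_example_delete_answer_confirm', 2),
    'access arguments' => array('answer meeting polls'),
    'type' => MENU_CALLBACK,
  );

  return $items;
}

// Vulnerable: state change on an unauthenticated-intent GET.
function makemeeting_example_delete_answer_unsafe($answer_id) {
  makemeeting_example_delete_answer_record($answer_id);
  drupal_set_message(t('Your answer has been deleted.'));
  drupal_goto('<front>');
}

// Hardened variant 1: validate the query-string token before acting.
function makemeeting_example_delete_answer_token($answer_id) {
  $token = isset($_GET['token']) ? $_GET['token'] : '';
  if (!drupal_valid_token($token, 'makemeeting-delete-answer-' . $answer_id)) {
    // Wrong or missing token: treat it as a forged request.
    return MENU_ACCESS_DENIED;
  }
  makemeeting_example_delete_answer_record($answer_id);
  drupal_set_message(t('Your answer has been deleted.'));
  drupal_goto('<front>');
}

// The link the module renders for the user; only this page knows the token.
function makemeeting_example_delete_link($answer_id) {
  return l(t('Delete my answer'), 'makemeeting/delete-answer-token/' . $answer_id, array(
    'query' => array('token' => drupal_get_token('makemeeting-delete-answer-' . $answer_id)),
  ));
}

// Hardened variant 2: confirm_form() adds the form token automatically.
function makemeeting_example_delete_answer_confirm($form, &$form_state, $answer_id) {
  $form['answer_id'] = array('#type' => 'value', '#value' => $answer_id);
  return confirm_form($form,
    t('Are you sure you want to delete your answer?'),
    '<front>',
    t('This action cannot be undone.'),
    t('Delete'),
    t('Cancel'));
}

function makemeeting_example_delete_answer_confirm_submit($form, &$form_state) {
  makemeeting_example_delete_answer_record($form_state['values']['answer_id']);
  drupal_set_message(t('Your answer has been deleted.'));
  $form_state['redirect'] = '<front>';
}

// Hypothetical storage helper. Scoping the delete to the current user's uid is
// an authorization check, separate from CSRF protection: it stops a user
// deleting someone else's answer, but not a forged request in their own session.
function makemeeting_example_delete_answer_record($answer_id) {
  global $user;
  db_delete('makemeeting_answer')
    ->condition('aid', $answer_id)
    ->condition('uid', $user->uid)
    ->execute();
}
```

Two caveats a practitioner would check: `drupal_get_token()` binds the token to the session id, so a page containing the tokenized link must not be served from the page cache to other visitors, and a confirmation form is the simpler choice when there is no reason for the action to be reachable by a plain link at all, since Form API then handles the token for you.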

Comments

#1 SebCorbin

Status: Active » Postponed (maintainer needs more info)

#2 btopro

I think this won't be an issue because you have the form confirmation in there. Previously it would have been, so you'll probably have to issue a security notice; just catching up on the code here.

#3 coltrane

You are correct, this looks fixed in dev. Thanks!

#4 SebCorbin

Status: Postponed (maintainer needs more info) » Closed (fixed)

I agree with #2; the next release will be a security one.