Closed (fixed)
Project:
UpDown
Component:
Code
Priority:
Critical
Category:
Bug report
Assigned:
Reporter:
Created:
21 Aug 2008 at 00:09 UTC
Updated:
22 Aug 2008 at 22:43 UTC
This module doesn't check to see whether the user intended to load the URL when a vote is cast, leaving the module open to a CSRF attack, the scope of which is limited to unwittingly casting votes. Adding a token to the end of the URL should suffice.
Comments
Comment #1
gregglessubscribe
Comment #2
joshk commentedhandled by dmitrig