Link can modify site

Bug #795565 reported by Lars Vierbergen
Affects          Status                   Importance  Assigned to      Milestone
RemoteCP Panel   Status tracked in Trunk
  1.x            Won't Fix                Critical    Lars Vierbergen
  Trunk          Fix Released             Critical    Lars Vierbergen

Bug Description

Because most AJAX requests are GET, a malicious website can link to a RemoteCP URL with, e.g., the command to delete a section,
with just a link to http://account.loop.remotecp.co.cc/remote_panel.php/f9fcf549ab1e708de39a51c0fcd3aee3/?control=addons&site=CA770036-C5D1-4DED-ADD1-4BBD8C563EF2&aref=cms&function=delete&type=section&id=1
This should absolutely be prevented.
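
As an added example that is not RemoteCP's own code, the PHP guard below shows the kind of check a dispatcher such as remote_panel.php needs before running a command like the section delete above: state changes are refused over GET and must carry a per-session CSRF token. The function and parameter names (guard_state_change, csrf_token, MUTATING_FUNCTIONS) and the list of mutating functions are assumptions.

```php
<?php
// Added example, not code from RemoteCP. Names below are assumptions.
// Assumes session_start() has already run in the real dispatcher.

// Functions that change state and therefore must never run from a plain link.
const MUTATING_FUNCTIONS = ['delete', 'add', 'edit', 'move']; // assumed list

// Per-session token that a cross-origin page can neither read nor guess.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Returns null when the request may proceed, otherwise the reason to refuse it.
function guard_state_change(string $method, array $params, array $server, ?string $sessionToken): ?string
{
    if (!in_array($params['function'] ?? '', MUTATING_FUNCTIONS, true)) {
        return null; // read-only command, nothing to protect
    }
    // 1. A link, image tag or redirect can only produce GET: refuse mutations over it.
    if ($method !== 'POST') {
        return "state-changing function over $method";
    }
    // 2. The submitted token must match the session token (constant-time compare).
    $submitted = (string) ($params['csrf_token'] ?? '');
    if ($sessionToken === null || $sessionToken === '' || !hash_equals($sessionToken, $submitted)) {
        return 'missing or invalid CSRF token';
    }
    // 3. Defence in depth: the panel's own AJAX layer sets this header, and a
    //    cross-site form cannot add custom headers without a CORS preflight.
    if (($server['HTTP_X_REQUESTED_WITH'] ?? '') !== 'XMLHttpRequest') {
        return 'missing X-Requested-With header';
    }
    return null;
}

// Constructed demo: the request from the bug report, arriving as a GET from a link.
$params = ['control' => 'addons', 'aref' => 'cms', 'function' => 'delete', 'type' => 'section', 'id' => '1'];
$reason = guard_state_change('GET', $params, [], 'session-token-placeholder');
echo $reason ?? 'allowed', PHP_EOL;

// The same command sent by the panel's own AJAX code: POST, with token and header.
$params['csrf_token'] = 'session-token-placeholder';
$reason = guard_state_change('POST', $params, ['HTTP_X_REQUESTED_WITH' => 'XMLHttpRequest'], 'session-token-placeholder');
echo $reason ?? 'allowed', PHP_EOL;
```

In the real dispatcher the call would be guard_state_change($_SERVER['REQUEST_METHOD'], $_REQUEST, $_SERVER, $_SESSION['csrf_token'] ?? null), answering 403 on a non-null result, and every form or AJAX call the panel emits would embed csrf_token().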

Tags: core security
Lars Vierbergen (vierbergenlars) wrote:

It is too difficult to fix in 1.x.

Changed in remotecp-panel:
importance: Undecided → Critical
assignee: nobody → Lars Vierbergen (vierbergenlars)
status: New → Confirmed
Lars Vierbergen (vierbergenlars) wrote:

It is a major security issue; we'll try to fix it.

Lars Vierbergen (vierbergenlars) wrote:

No, we won't fix in 1.x.
It's no use to work on something that will soon be discarded.

visibility: private → public
This report contains Public Security information.
Everyone can see this security related information.
