From: David Woolley
Subject: Re: [Lynx-dev] For your protection, access to this resource is secured against CSRF.
Date: Mon, 2 Jan 2023 14:56:26 +0000
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.13.0
On 02/01/2023 13:19, jindam.vani--- via Lynx-dev wrote:
> I receive an error clicking logout on webmail.disroot.org. Error: "For your protection, access to this resource is secured against CSRF. If you see this, you probably didn't log out before leaving the web application." Disroot uses Roundcube for email.
I assume this is a fix for CVE-2020-12626 <https://nvd.nist.gov/vuln/detail/CVE-2020-12626> or maybe a fix for the vulnerability that wasn't properly fixed before.
I haven't explored deeply into the code, but my guess is that they use scripting to calculate a return value that isn't in a cookie. I'm not sure why they can't include that in the submit URL, or a hidden parameter, as I think it is only cookies that get returned with injected requests.
Do you know the version number (ideally before and after)? The CVE was "fixed" in 1.4.4.
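The hidden-parameter approach described in the reply above, as an added example that is not Roundcube's code: the browser attaches the session cookie to any request, including one injected from another site, but only a form the server itself rendered carries the per-session token, so a request arriving with the cookie alone is refused. The session store, the HMAC-based token derivation and the request shape are assumptions constructed for illustration; the error text is the one quoted in the thread.

```python
import hmac
import hashlib
import secrets
from urllib.parse import parse_qs

# Constructed, illustrative server state: session id -> per-session secret.
# The secret never leaves the server; only tokens derived from it do.
SESSIONS = {}
CSRF_ERROR = ("For your protection, access to this resource is secured "
              "against CSRF.")


def start_session():
    """Log a user in: returns the value the 'session' cookie would hold."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_bytes(32)
    return sid


def csrf_token(sid, action):
    """Token the server embeds in its own forms: HMAC(session secret, action).
    Binding it to the action means a token for one form does not unlock another."""
    return hmac.new(SESSIONS[sid], action.encode(), hashlib.sha256).hexdigest()


def logout_form(sid):
    """Markup a JavaScript-free client (e.g. Lynx) would receive and submit.
    The token rides in a hidden field, not in a cookie."""
    return ('<form method="post" action="/?_task=logout">'
            f'<input type="hidden" name="_token" value="{csrf_token(sid, "logout")}">'
            '<input type="submit" value="Logout"></form>')


def handle_logout(cookies, body):
    """Server side of the logout request.

    cookies: dict of cookies the browser attached automatically.
    body:    urlencoded POST body; a forged cross-site request has the cookie
             but cannot know the token, so its body lacks a valid '_token'.
    Returns (status, message)."""
    sid = cookies.get("session")
    if sid not in SESSIONS:
        return 401, "not logged in"
    sent = parse_qs(body).get("_token", [""])[0]
    # Constant-time comparison against the token the server itself would issue.
    if not hmac.compare_digest(sent, csrf_token(sid, "logout")):
        return 403, CSRF_ERROR
    del SESSIONS[sid]  # genuine logout: destroy the session
    return 200, "logged out"
```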