Security Issue: Implement CSRF tokens on profile updates #119

Open
V35HR4J opened this issue Feb 15, 2024 · 3 comments
Comments


V35HR4J commented Feb 15, 2024

There's a security problem on gapps related to CSRF (Cross-Site Request Forgery) tokens, particularly when updating user profiles. Currently, if a user is logged in, their password can be changed without their permission with just one click. This happens because of not using CSRF tokens, which are special codes meant to make sure that the person making changes on the website is the actual user and not someone else trying to interfere. Without these tokens, there's a risk that an outsider could trick a user into clicking a link or a button that would unknowingly change their password or make other unwanted changes to their profile. It's important to fix this to keep users' accounts safe.
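To make the reported weakness and the requested fix concrete, here is an added example written for this thread (it is not gapps code and not the maintainer's): a minimal synchronizer-token check in plain Python, with the unprotected handler kept next to the protected one. `Session`, `Request`, `render_profile_form` and the two `change_password_*` functions are hypothetical stand-ins for the real app's session store and route handlers; the password hashing is a placeholder and not the point.

```python
"""Synchronizer-token CSRF protection for a password-change handler.

Added example, not gapps code. Session, Request and the change_password_*
handlers are hypothetical stand-ins for the real app's session and routes.
"""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from html import escape
from typing import Optional


@dataclass
class Session:
    """Server-side session, looked up from the session cookie the browser sends."""
    user: str
    password_hash: bytes
    csrf_token: Optional[str] = None


@dataclass
class Request:
    """What a handler sees: the session resolved from the cookie plus the form body.
    A cross-site form post still arrives with the victim's cookie, so `session`
    is the victim's even when the attacker built the form."""
    session: Session
    form: dict


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for whatever the app really uses; not the point here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def issue_csrf_token(session: Session) -> str:
    """Create an unguessable per-session token once and keep it server-side."""
    if session.csrf_token is None:
        session.csrf_token = secrets.token_urlsafe(32)
    return session.csrf_token


def render_profile_form(session: Session) -> str:
    """The legitimate page embeds the token. An attacker's page cannot read it,
    because the same-origin policy keeps the victim's profile HTML out of reach."""
    token = escape(issue_csrf_token(session), quote=True)
    return (
        '<form method="post" action="/profile/password">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password"><button>Save</button></form>'
    )


def change_password_unprotected(req: Request, salt: bytes) -> int:
    """Vulnerable: the cookie alone authorises the change, which is what CSRF abuses."""
    req.session.password_hash = hash_password(req.form["new_password"], salt)
    return 200


def change_password_protected(req: Request, salt: bytes) -> int:
    """Fixed: the form must carry the token issued to this session."""
    expected = req.session.csrf_token
    submitted = req.form.get("csrf_token")
    if (expected is None or not isinstance(submitted, str)
            or not hmac.compare_digest(expected.encode(), submitted.encode())):
        return 403  # reject before touching any state
    req.session.password_hash = hash_password(req.form["new_password"], salt)
    return 200


def demo() -> dict:
    """Replay a forged cross-site post and a legitimate post against both handlers."""
    salt = os.urandom(16)
    original = hash_password("correct horse", salt)
    results = {}

    # 1. Forged post without a token (the attacker cannot obtain one) vs. unprotected handler.
    victim = Session("alice", original)
    forged = Request(victim, {"new_password": "attacker-chosen"})
    results["unprotected_forged_status"] = change_password_unprotected(forged, salt)
    results["unprotected_forged_changed"] = victim.password_hash != original

    # 2. Same forged post vs. protected handler: rejected, password untouched.
    victim = Session("alice", original)
    render_profile_form(victim)  # victim has visited the page, so a token exists
    forged = Request(victim, {"new_password": "attacker-chosen"})
    results["protected_forged_status"] = change_password_protected(forged, salt)
    results["protected_forged_changed"] = victim.password_hash != original

    # 3. A token from the attacker's own session is not the victim's token either.
    attacker = Session("mallory", b"")
    forged = Request(victim, {"new_password": "attacker-chosen",
                              "csrf_token": issue_csrf_token(attacker)})
    results["protected_wrong_token_status"] = change_password_protected(forged, salt)

    # 4. Legitimate submission from the rendered form succeeds.
    legit = Request(victim, {"new_password": "new-secret", "csrf_token": victim.csrf_token})
    results["protected_legit_status"] = change_password_protected(legit, salt)
    results["protected_legit_changed"] = victim.password_hash != original
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a Flask application the same per-session token pattern is what the Flask-WTF extension's `CSRFProtect` applies to every state-changing request, so a fix in gapps would normally enable that rather than hand-roll the check above. Setting `SameSite=Lax` on the session cookie narrows the exposure further but is a defence in depth, not a replacement for the token.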

@manuel-sommer

@V35HR4J, there are a lot more security issues within gapps, I have reported 11 of them, but there hasn't been any notice or update since June 2023.

bmarsh9 (Owner) commented Mar 13, 2024

@manuel-sommer XSS issues have likely been resolved with other updates. Open a PR in the future.

@V35HR4J Please open a pull request.

As a notice, this is an open-source project and I'm the only maintainer. It provides little value to highlight issues and never open PRs. I encourage you both to open a PR to fix the issue. In the README, it explains the project is still in Beta and should not be used in production.

Eventually I will get around to it, but there's no guarantee. That's why you both should open a PR to fix the issue.

@manuel-sommer

@bmarsh9, I tried to resolve these issues, but I am not familiar enough with Flask. However, if you give me a guide in this regard, I can help with PRs. Furthermore, I can retest my findings.
