Issues » Cross Site Request Forgery (XSRF or CSRF)

Issue: SI-13
Date: Jun 10, 2013, 7:30:00 AM
Severity: Low
Requires Admin Access: Yes
Fix Version: n/a
Credit: ENG

Cross-Site Request Forgery (XSRF or CSRF) has been detected when using the dotCMS admin tools once a user has been authenticated. Because browsers can run code sent by multiple sites, an XSRF attack can occur if one site sends a request (never seen by the user) to another site on which the user has authenticated that will mistakenly be received as if the user authorized the request. If a user visits a vulnerable site, the attacker can make the user's browser send a request to a different target site that performs an action on behalf of the user.

The target site only sees a normal authenticated request coming from the user and performs whatever sensitive action was requested. Whatever functionality exists on the target site can be manipulated in this fashion. Recommendations include utilizing CAPTCHA's or anti-Cross-Site Request Forgery tokens to prevent Cross-Site Request Forgery attacks.


This is a minor issue in the dotCMS code base as all actions are authenticated at processed based on the roles of the user (there is no privilege escalation). If this is a concern, you should restrict access to your login page and admin paths by ip in your proxy, firewalls and or load balancers.