AJAX requests without a session ID or other form of authentication

Issue: SI-15
Date: Jun 18, 2013, 10:00:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 2.3.2
Credit: Internal Security Team

It is possible to create a user account (without privileges) using a properly formatted remote AJAX call that carries no session ID or other form of authentication.

  • Upgrade to dotCMS v. 2.3.2+
  • Restrict access to the /dwr url pattern to trusted IP addresses.
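The second item can be implemented at a reverse proxy in front of dotCMS. The following nginx configuration is an added example, not part of the original advisory or of dotCMS itself; the upstream address, server name and trusted networks are placeholders that you would replace with your own values.

```nginx
# Added example (not from the dotCMS advisory): an nginx reverse-proxy rule that
# limits the /dwr URL pattern to trusted addresses while the rest of the site
# stays reachable. Upstream address and trusted networks are placeholders.
upstream dotcms {
    server 127.0.0.1:8080;       # assumed: dotCMS/Tomcat bound to localhost only
}

server {
    listen 80;
    server_name www.example.com; # placeholder

    # DWR endpoint: only administrator networks may reach it.
    # The ^~ prefix match takes precedence over regex locations, so no later
    # rule can accidentally re-expose paths under /dwr.
    location ^~ /dwr {
        allow 10.0.0.0/8;        # placeholder: trusted admin network
        allow 192.0.2.10;        # placeholder: single trusted host
        deny  all;               # everyone else gets 403

        proxy_pass http://dotcms;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else remains public.
    location / {
        proxy_pass http://dotcms;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Two checks matter for this rule to hold. First, the application server must not be reachable except through the proxy (here it is assumed to listen only on 127.0.0.1:8080); otherwise the /dwr restriction is trivially bypassed by connecting to Tomcat directly. Second, `allow` and `deny` evaluate the address nginx sees on the connection, so if nginx itself sits behind a load balancer, configure `set_real_ip_from` and `real_ip_header` from the realip module for that load balancer's address alone, or every request will appear to come from the balancer. The IP restriction is defence in depth for the time until the upgrade to 2.3.2 is applied, not a replacement for it.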