CSRF Add User

Issue: SI-31
Date: Nov 30, 2015, 5:15:00 PM
Severity: Critical
Requires Admin Access: No
Fix Version: 3.3
Credit: Gjoko Krstic

It is possible to use a well-formed POST to the DWR user endpoint to add a new, blank user to the dotCMS system. This user is not provisioned or granted any permissions, but is nevertheless a valid user in the system.

Combined with other attacks, this method might make it possible to access administrative endpoints that would otherwise be protected.


Upgrade to dotCMS 3.3, or backport the fix found in the commits below, which prevents access to DWR endpoints without a valid authenticated user.
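The following servlet filter is an added illustration of the two defences involved here; it is not the dotCMS fix and not code from the project. It mirrors what the advisory describes (rejecting DWR requests that carry no authenticated session) and adds the check that actually stops a cross-site request from an already logged-in browser: a state-changing request must present an Origin (or Referer) header matching the site's own origin. The session attribute name `authenticatedUserId`, the class name and the `/dwr/*` mapping are assumptions for the example.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Illustrative filter, not the dotCMS fix: map it to /dwr/* in web.xml.
 * 1. Every DWR request needs an existing session with an authenticated user.
 * 2. Every state-changing request (anything but GET/HEAD/OPTIONS) must come
 *    from this site's own origin, which defeats a cross-site forged POST.
 */
public class DwrAuthFilter implements Filter {

    // Assumed name of the session attribute a login sets; adapt to the real application.
    private static final String USER_ATTR = "authenticatedUserId";

    @Override
    public void init(FilterConfig cfg) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        if (!isAuthenticated(request)) {
            response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
            return;
        }
        if (isStateChanging(request) && !sameOrigin(request)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }

    /** True only if a session already exists and a login populated it. */
    static boolean isAuthenticated(HttpServletRequest request) {
        HttpSession session = request.getSession(false); // never create a session here
        return session != null && session.getAttribute(USER_ATTR) != null;
    }

    static boolean isStateChanging(HttpServletRequest request) {
        String m = request.getMethod();
        return !("GET".equals(m) || "HEAD".equals(m) || "OPTIONS".equals(m));
    }

    /**
     * Compare Origin (falling back to Referer) against scheme://host[:port] of this
     * request. A missing header on a state-changing request is treated as foreign.
     */
    static boolean sameOrigin(HttpServletRequest request) {
        String origin = request.getHeader("Origin");
        if (origin == null) {
            origin = request.getHeader("Referer");
            if (origin == null) {
                return false;
            }
        }
        String scheme = request.getScheme();
        int port = request.getServerPort();
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        String expected = scheme + "://" + request.getServerName()
                + (defaultPort ? "" : ":" + port);
        // Referer carries a path, so accept either an exact origin match or the
        // origin followed by "/"; "https://host" must not match "https://host.evil.example".
        return origin.equals(expected) || origin.startsWith(expected + "/");
    }

    @Override
    public void destroy() { }
}
```

Two design notes: the filter calls `getSession(false)` so that probing the endpoint never creates a session as a side effect, and it derives the expected origin from the incoming request for brevity; in a deployment behind a proxy the canonical origin is better read from configuration than from the Host header.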