BuddyDev

Search

[Resolved] Cross Site Request Forgery (CSRF/XSRF) issues with BuddyPress

  • Participant
    Level: Enlightened
    Posts: 34
    Milan Latinovic on #27626

    Hi everyone,

    Recently, we made a security test against our web site which resulted in several items.
    Most of them, we were able to handle but remaining one was “Cross Site Request Forgery (CSRF/XSRF)” which is affecting this form:

    <form action=”” name=”activity-loop-form” id=”activity-loop-form” method=”post”><inputtype=”hidden” id=”_wpnonce_activity_filter” name=”_wpnonce_activity_filter”value=”d7473599b3″><input type=”hidden” name=”_wp_http_referer”value=”/members/matthewdew/”></form>

    When we look at the provided html, looks like there is wpnonce (Number Used Only Once) activity filter (so this should not be CSRF problems) but still this is reported by our security scan.

    On our web site we are using BuddyPress and premium MediaPress (if it might be related).

    Do you have any experiences with these issues?
    What would be a good way to handle it?
    Is there some setting where we can enable this validation?

    Kind regards,
    Milan

  • Keymaster
    (BuddyDev Team)
    Posts: 24706
    Brajesh Singh on #27629

    Hi Milan,
    This is a false positive. Please contact the scan software company and ask them for what is the potential threat here.

    Regards
    Brajesh

  • Participant
    Level: Enlightened
    Posts: 34
    Milan Latinovic on #27642

    Hi Brajesh,

    Agree, it is most likely false positive.
    We used Detectify for the security scan, I have sent them a question about could this be a false positive and if not what is the actual threat.

    I will mark this ticket as resolved (since no action is required from our side).
    If I get any meaningful response from Detectify I will update this post.

    Kind regards,
    Milan

  • Keymaster
    (BuddyDev Team)
    Posts: 24706
    Brajesh Singh on #27647

    Hi Milan,
    Thank you. I look forward to see if they provide any specific details.

    Regards
    Brajesh

You must be logged in to reply to this topic.

This topic is: resolved