by mike-cardwell
5537 days ago
Learn what CSRF is. Your form for resetting passwords is trivially exploitable to change other people's account passwords. Anyone can just create a form in a hidden iframe on their own site which auto-submits a POST to http://www.co.vu/account/account_password with password_new_password and password_retype_new_password params set. Not only should you fix the CSRF via normal CSRF protection methods, but you should also add a second layer of protection for resetting passwords in that you require their existing password to be submitted as well.
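A password-change handler showing the two layers the comment asks for, written as an added example rather than code from the site or the commenter: a per-session synchronizer token compared in constant time, plus a current-password check before the new password is stored. The in-memory stores, the `csrf_token` and `current_password` field names and the function names are assumptions; only the two new-password field names come from the comment.

```python
import hashlib
import hmac
import os
import secrets

# Constructed in-memory stores standing in for the application's session and
# user storage; hypothetical names, not the real site's.
USERS = {}      # username -> (salt, pbkdf2 digest)
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}

def hash_password(password, salt=None):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def register(username, password):
    USERS[username] = hash_password(password)

def login(username):
    """Create a session with a fresh CSRF token bound to that session."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": username, "csrf": secrets.token_urlsafe(32)}
    return sid

def verify_password(username, password):
    salt, stored = USERS[username]
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(stored, candidate)

def change_password(sid, form):
    """POST /account/account_password handler. Returns (status, message).
    A forged cross-site form can supply the new-password fields but not
    the session-bound CSRF token or the victim's current password."""
    session = SESSIONS.get(sid)
    if session is None:
        return 401, "not logged in"
    # Layer 1: synchronizer token tied to the session, constant-time compare.
    submitted = form.get("csrf_token", "").encode()
    if not hmac.compare_digest(session["csrf"].encode(), submitted):
        return 403, "missing or invalid CSRF token"
    # Layer 2: the requester must prove knowledge of the existing password.
    if not verify_password(session["user"], form.get("current_password", "")):
        return 403, "current password incorrect"
    new = form.get("password_new_password", "")
    if not new or new != form.get("password_retype_new_password"):
        return 400, "new passwords missing or do not match"
    USERS[session["user"]] = hash_password(new)
    return 200, "password changed"
```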