Ola Lundqvist <[email protected]> writes:

> I think this type of vulnerability can fall in the category of "minor
> issue" as it actually needs an administrator to visit a forged link. Also it
> should be fairly obvious that the state has changed when the link is
> clicked by the administrator and it should be easy to change it back.

I think the danger is that an administrator could click "submit" on a malicious HTML form and not realize the form is submitting to the monit instance on localhost. There is no need to forge links. This is potentially bad. Although from what you are saying, it sounds like the damage that can be done is limited.

You also have to consider that adding CSRF protection is a fundamental change to the HTTP API, which could break stuff if there is anything that connects to monit aside from an end user with a web browser.

I think I will leave this to somebody more familiar with monit and how it is used.

--
Brian May <[email protected]>
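To make the two points in this exchange concrete, here is an added illustration (not monit's code, and not from either poster) of how a small web-management endpoint looks without and with CSRF protection. The unprotected path shows why a form submitted from an unrelated page still reaches the local instance with the administrator's browser credentials; the protected path applies the two standard server-side mitigations, an Origin/Referer check and a per-session synchronizer token. The `enforce_csrf` switch is there to show the compatibility cost Brian raises: once the token is required, any non-browser client that posts without it is rejected. `TRUSTED_ORIGIN`, the session dictionary, the action names and the handler signatures are all assumptions constructed for this example.

```python
import hmac
import secrets
from urllib.parse import urlsplit

# Assumption (constructed for this example): the origin at which the
# management web interface is served. 2812 is monit's default HTTP port.
TRUSTED_ORIGIN = "http://localhost:2812"

# Constructed action list; stands in for whatever state changes the
# management interface actually exposes.
ALLOWED_ACTIONS = ("start", "stop", "restart", "monitor", "unmonitor")


def issue_token(session):
    """Create a fresh per-session CSRF token and remember it server-side."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def render_form(session):
    """Render the legitimate form with the session token as a hidden field.

    A page served from another site cannot read this value, so a form it
    builds cannot include the correct token.
    """
    token = session.get("csrf_token") or issue_token(session)
    return (
        '<form method="post" action="/service">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="hidden" name="action" value="stop">'
        '<input type="submit"></form>'
    )


def _same_origin(url):
    """True when scheme://host[:port] of url matches the trusted origin."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}" == TRUSTED_ORIGIN


def handle_post(headers, form, session, enforce_csrf=True):
    """Process a state-changing POST and return (http_status, applied_action).

    With enforce_csrf=False the endpoint accepts any well-formed POST; the
    browser attaches the administrator's credentials no matter which page
    built the form, which is the situation discussed in the thread.
    """
    if enforce_csrf:
        # Check 1: browsers send an Origin (or at least Referer) header on
        # form submissions; reject anything not from our own interface.
        origin = headers.get("Origin") or headers.get("Referer") or ""
        if not _same_origin(origin):
            return 403, None
        # Check 2: synchronizer token, compared in constant time.
        expected = session.get("csrf_token") or ""
        supplied = form.get("csrf_token", "")
        if not expected or not hmac.compare_digest(
            expected.encode(), supplied.encode()
        ):
            return 403, None
    action = form.get("action")
    if action not in ALLOWED_ACTIONS:
        return 400, None
    return 200, action


if __name__ == "__main__":
    session = {}
    tok = issue_token(session)
    # Legitimate submission from the real form.
    print(handle_post({"Origin": TRUSTED_ORIGIN},
                      {"csrf_token": tok, "action": "stop"}, session))
    # Same POST built by a page on another site: accepted only when
    # protection is off, rejected once it is on.
    foreign = {"Origin": "http://other.example"}
    print(handle_post(foreign, {"action": "stop"}, session, enforce_csrf=False))
    print(handle_post(foreign, {"action": "stop"}, session))
```

The `enforce_csrf=False` call is the only one that succeeds from a foreign origin; flipping it on also turns the token-less same-origin POST into a 403, which is exactly the kind of break an existing script or monitoring integration would hit.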
