Hi Brian,

Just to clarify myself. With a forged link I meant a forged link of any type, including a malicious form.

I think you have good thinking. There is a security vulnerability but the correction is definitely a change that can cause a backwards compatibility issue, just as you write, for any interaction not relying on a human with a web browser.

Best regards

// Ola

On 27 November 2016 at 08:56, Brian May <b...@debian.org> wrote:
> Ola Lundqvist <o...@inguza.com> writes:
>
> > I think this type of vulnerability can fall in the category of "minor
> > issue" as it actually needs an administrator to visit a forged link. Also it
> > should be fairly obvious that the state has changed when the link is
> > clicked by the administrator and it should be easy to change it back.
>
> I think the danger is that an administrator could click "submit" on a
> malicious HTML form and not realize the form is submitting to the monit
> instance on localhost. There is no need to forge links. This is potentially
> bad. Although from what you are saying, it sounds like the damage that
> can be done is limited.
>
> You also have to consider that adding CSRF is a fundamental change
> to the HTTP API, which could break stuff. If there is anything that even
> connects to monit, aside from an end user with a web browser.
>
> I think I will leave this to somebody more familiar with monit and how
> it is used.
> --
> Brian May <b...@debian.org>

--
 --- Inguza Technology AB --- MSc in Information Technology ----
/  o...@inguza.com                    Folkebogatan 26            \
|  o...@debian.org                   654 68 KARLSTAD            |
|  http://inguza.com/                Mobile: +46 (0)70-332 1551  |
 \  gpg/f.p.: 7090 A92B 18FE 7994 0C36 4FE4 18A1 B1CF 0FE5 3DD9  /
 ---------------------------------------------------------------
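The trade-off the two messages above describe (a malicious HTML form posting to a monit instance on localhost versus a CSRF fix that breaks scripts and other non-browser clients) can be narrowed with an origin check rather than a synchronizer token. The example below is added here and is not monit's code or anything from the Debian bug; it assumes a generic HTTP request shape (method plus headers) and a constructed list of trusted origins. Browsers attach an Origin header (or at least a Referer) to cross-site form posts, whereas curl, cron jobs and monitoring scripts normally send neither, so rejecting state-changing requests whose Origin or Referer belongs to another site blocks the forged form while leaving the plain HTTP API usable.

```python
"""Added example: an Origin/Referer CSRF check that keeps non-browser
clients working.  Not monit's code; the request dicts and the allowed
origin set are constructed for the example."""

from __future__ import annotations

from urllib.parse import urlsplit

# Methods that may change state and therefore need a CSRF decision.
STATE_CHANGING = {"POST", "PUT", "PATCH", "DELETE"}


def origin_of(url: str) -> str:
    """Return scheme://host[:port] of a URL in lowercase, or '' if unparseable."""
    parts = urlsplit(url.strip())
    if not parts.scheme or not parts.netloc:
        return ""
    return f"{parts.scheme}://{parts.netloc}".lower()


def csrf_verdict(method: str, headers: dict, allowed_origins: set[str]) -> tuple[bool, str]:
    """Decide whether a request may change state; returns (allowed, reason).

    Safe methods always pass.  For state-changing methods:
      * an Origin header must name one of allowed_origins;
      * if Origin is absent, the Referer is checked the same way;
      * if neither is present the request almost certainly did not come from
        a browser form, so it is allowed.  That last branch is the
        compatibility trade-off from the thread: scripts keep working, but a
        browser that strips both headers would not be protected.
    """
    if method.upper() not in STATE_CHANGING:
        return True, "safe method"

    hdrs = {k.lower(): v for k, v in headers.items()}
    allowed = {o.lower() for o in allowed_origins}

    origin = hdrs.get("origin")
    if origin is not None:
        # Browsers send the literal "null" for opaque origins (sandboxed
        # iframes, data: URLs); treat that as untrusted.
        if origin.strip().lower() == "null":
            return False, "opaque origin"
        src = origin_of(origin)
        return (src in allowed, f"origin {src or origin!r}")

    referer = hdrs.get("referer")
    if referer is not None:
        src = origin_of(referer)
        return (src in allowed, f"referer {src or referer!r}")

    return True, "no browser origin headers (assumed non-browser client)"


# Constructed requests: the trusted origin is the local web interface.
TRUSTED = {"http://localhost:2812"}

REQUESTS = {
    # A malicious form on another site auto-submitting to the local service.
    "forged form": ("POST", {"Origin": "http://attacker.example",
                             "Referer": "http://attacker.example/page.html"}),
    # Older browser sending only Referer.
    "forged form, referer only": ("POST", {"Referer": "http://attacker.example/x"}),
    # The administrator using the real interface.
    "legit form": ("POST", {"Origin": "http://localhost:2812"}),
    # A script or cron job talking to the API directly.
    "curl": ("POST", {"User-Agent": "curl/7.52"}),
    # Reading status never needs a CSRF decision.
    "status page": ("GET", {"Origin": "http://attacker.example"}),
}


def run_samples() -> dict[str, bool]:
    """Evaluate every constructed request; returns name -> allowed."""
    return {name: csrf_verdict(m, h, TRUSTED)[0] for name, (m, h) in REQUESTS.items()}


if __name__ == "__main__":
    for name, (method, headers) in REQUESTS.items():
        allowed, why = csrf_verdict(method, headers, TRUSTED)
        print(f"{name:28} {method:6} {'ALLOW' if allowed else 'DENY ':5} ({why})")
```

The check is only as good as the allowed-origin set: it must list every scheme, host and port the interface is reached through, and it does nothing for GET requests, so the fix still depends on state changes not being reachable through plain links. A synchronizer token is the stronger alternative, at the cost the thread describes: every non-browser client would have to fetch and echo the token.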