Quote:
That's true, but you forget that you also have to make your victim open the malicious website and this website has to be opened in the same browser as the Contao installation and the victim has to be logged in to the back end at this time and the victim has to have sufficient permission to delete the item! These are a lot of requirements for the exploitation.
We rarely get an exploit that works in 100% of cases. There are always multiple conditions that have to be met for a successful exploitation. Cross-site scripting attacks are by default not reliable and have the substantial difficulties you mentioned above. That is the reason they are usually rated as "less critical" and have medium complexity by CVSS2 score. But the potential impact ranges from simple annoyance to complete compromise, thus they are not to be disregarded.
Quote:
And even if you manage to meet all those requirements, you can only attack one single website.
That is usually the aim. Vandalising millions of sites via a cross-site scripting vulnerability is a very hard task indeed. :D But one... That is certainly possible.
Quote:
Please understand that I am not saying that this is not an issue! It is just not as critical an issue as said in the security report.
I'd really like to point out once more that these vulnerabilities are rated "less critical" everywhere -- it is the common practice. Some, though, rate them higher.
The bottom line of this discussion is -- please, do not disregard ANY reported vulnerability just because you cannot come up with a good plan for total mayhem using this one. Keep your software safe and your users protected.
Quote:
Please download Contao 3 and run your tests again. You will see that the request token system prevents the attack.
I certainly will! Thanks for the suggestion.
With kind regards,
dmy
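The exchange above argues about how much a cross-site request that deletes an item is worth, and ends with the remark that a request token system prevents it. As an added example that is not part of the original thread and is not Contao's own code, the following Python models the attack under exactly the preconditions listed (victim logged in to the back end in the same browser, sufficient permission, attacker page opened) and shows a state-changing handler with and without a session-bound request token. The `Session`, `Request`, `delete_item_*` names, the `rt` parameter and the sample item are all hypothetical and constructed here; the real token mechanism may differ.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class Session:
    """Server-side session of a logged-in back-end user (constructed for this example)."""
    user: str
    permissions: Set[str]
    # Hypothetical per-session request token; the attacker's origin cannot read it.
    request_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """A request as the back end sees it: the session the cookie resolved to, plus parameters."""
    session: Optional[Session]
    params: Dict[str, str]


def delete_item_unprotected(req: Request, items: Dict[str, str]) -> str:
    """Vulnerable form: a cookie-backed session plus a permission check is all it asks for.

    A page on another origin can make the victim's browser send this request, and the
    browser attaches the victim's session cookie on its own.
    """
    if req.session is None or "delete" not in req.session.permissions:
        return "forbidden"
    item_id = req.params.get("id")
    if item_id not in items:
        return "not found"
    del items[item_id]
    return "deleted"


def delete_item_protected(req: Request, items: Dict[str, str]) -> str:
    """Hardened form: additionally require the session-bound request token as a parameter."""
    if req.session is None or "delete" not in req.session.permissions:
        return "forbidden"
    supplied = req.params.get("rt", "")
    # Constant-time comparison; a missing or wrong token is rejected before any state changes.
    if not hmac.compare_digest(supplied, req.session.request_token):
        return "invalid token"
    item_id = req.params.get("id")
    if item_id not in items:
        return "not found"
    del items[item_id]
    return "deleted"


def simulate(attacker_knows_token: bool = False) -> Dict[str, str]:
    """Run the forged cross-site delete against both handlers and report each outcome.

    The forged request carries the victim's session (the browser sends the cookie) but
    not the request token, because the attacker's page cannot read it out of the
    back-end pages. Setting attacker_knows_token=True models the token having leaked,
    for example through a separate script-injection bug.
    """
    victim = Session(user="admin", permissions={"edit", "delete"})
    forged_params = {"act": "delete", "id": "42"}
    if attacker_knows_token:
        forged_params["rt"] = victim.request_token
    forged = Request(session=victim, params=forged_params)

    results: Dict[str, str] = {}
    for name, handler in (("unprotected", delete_item_unprotected),
                          ("protected", delete_item_protected)):
        items = {"42": "News item 42"}  # fresh copy of the constructed sample data per run
        results[name] = handler(forged, items)
    return results


def legitimate_delete() -> str:
    """The victim's own form submission includes the token and succeeds against the hardened handler."""
    user = Session(user="admin", permissions={"delete"})
    req = Request(session=user, params={"act": "delete", "id": "42", "rt": user.request_token})
    return delete_item_protected(req, {"42": "News item 42"})


if __name__ == "__main__":
    print(simulate())                           # {'unprotected': 'deleted', 'protected': 'invalid token'}
    print(simulate(attacker_knows_token=True))  # {'unprotected': 'deleted', 'protected': 'deleted'}
    print(legitimate_delete())                  # deleted
```

The second `simulate` call is the caveat a reviewer would raise: a request token only holds as long as nothing on the same origin can read it, so a script-injection bug in the back end would hand the token to the attacker and make the protected handler behave exactly like the unprotected one.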