Fix CSRF vulnerability in opt-out when setCookieInNewWindow=1 #14400

katebutler · 2019-05-02T04:35:49Z

Findus23 · 2019-05-02T08:02:46Z

Just FYI: As this only solves the CSRF-part of #12540 and not the unneeded-cookie-part I have created #14402 as a followup for that issue.

tsteur · 2019-05-02T21:04:04Z

just tested it and actually didn't work for me. Instead seeing above error in chrome.

In https://github.com/matomo-org/matomo/blob/3.10.0-b1/plugins/CoreAdminHome/javascripts/optOut.js#L6-L7 it actually does a GET request to the form action. You would think the form does a regular post but it opens the <form action=""> URL in a new window totally ignoring the hidden nonce input field etc.

That's why previously the nonce was before added in the redirect URL and caused the CSRF problem.

To fix it, we need to add the nonce to the form action url in https://github.com/matomo-org/matomo/blob/3.10.0-b1/plugins/CoreAdminHome/OptOutManager.php#L195-L200 . It should be totally fine to send the nonce through GET parameter.

tsteur · 2019-05-02T22:04:40Z

Tested using the URL: https://$DOMAIN/index.php?module=CoreAdminHome&action=optOut&idSite=1&period=day&date=yesterday

tsteur · 2019-05-03T05:08:45Z

Works 👍

Fix CSRF vulnerability in opt-out when setCookieInNewWindow=1

e0af617

katebutler added the Needs Review PRs that need a code review label May 2, 2019

katebutler added this to the 3.10.0 milestone May 2, 2019

Add nonce to URL for setCookieInNewWindow

9ca7553

tsteur merged commit 72df150 into 3.x-dev May 3, 2019

tsteur deleted the 12540 branch May 3, 2019 05:08

sgiehl mentioned this pull request Mar 3, 2020

Using Opt-Out iFrame twice doesn't work #15629

Closed

Provide feedback