CGI Generic Cross-Site Request Forgery Detection (potential)

This script is Copyright (C) 2011-2014 Tenable Network Security, Inc.


Synopsis :

The remote web server might be prone to cross-site request forgery
attacks.

Description :

The spider found HTML forms on the remote web server. Some CGI
scripts do not appear to be protected by random tokens, a common
anti-cross-site request forgery (CSRF) protection. The web
application might be vulnerable to CSRF attacks.

Note that :

- Nessus did not exploit the flaw,
- Nessus cannot identify sensitive actions -- for example, on an
online bank, consulting an account is less sensitive than
transferring money.

You will have to audit the source of the CGI scripts and check if they
are actually affected.

See also :

http://en.wikipedia.org/wiki/Cross-site_request_forgery

Solution :

Restrict access to the vulnerable application. Contact the vendor
for a patch or upgrade.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Family: CGI abuses

Nessus Plugin ID: 56818 ()

Bugtraq ID:

CVE ID: