CGI Generic Cross-Site Request Forgery Detection (potential)

This script is Copyright (C) 2011-2017 Tenable Network Security, Inc.


Synopsis :

The remote web server might be prone to cross-site request forgery
attacks.

Description :

Nessus has found HTML forms on the remote web server. Some CGI scripts
do not appear to be protected by random tokens, a common
anti-cross-site request forgery (XSRF) protection. The web application
might be vulnerable to XSRF attacks. Note that :

- Nessus did not exploit the flaw.
- Nessus cannot identify sensitive actions; for example, on an
online bank, consulting an account is less sensitive than
transferring money.

You will need to audit the source of the CGI scripts and check if they
are actually affected.

See also :

https://en.wikipedia.org/wiki/Cross-site_request_forgery

Solution :

Restrict access to the vulnerable application. Contact the vendor for
a patch or upgrade.

Risk factor :

Medium / CVSS Base Score : 6.4
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N)

Family: CGI abuses

Nessus Plugin ID: 56818 ()

Bugtraq ID:

CVE ID:

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now