Admin Bundle: Major CSRF vulnerability

Thanks to an external security audit by a Sonata user, a major CSRF vulnerability has been fixed: it was possible, via a form hosted on an external site, to delete any entity managed by the admin.

You should update to 2.2.5. The fix introduces a small BC break for the list, delete and batch actions. If you have overridden those actions from the CRUDController, please read these lines to update your code.

A new csrf_token variable is now passed to the Twig templates:

The same applies to the template files:
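As an added illustration (not the post's own snippet, nor code from the SonataAdminBundle repository), here is the shape of an overridden deleteAction after the fix: the CSRF token is validated before any state change, and the token is handed to the confirmation template so it can be embedded as a hidden field. The helper names validateCsrfToken()/getCsrfToken(), the intention string 'sonata.delete' and the field name `_sonata_csrf_token` are assumptions taken from later SonataAdmin releases; check them against your installed version.

```php
<?php
// Added example, not the bundle's own code. Assumed names: validateCsrfToken(),
// getCsrfToken(), intention 'sonata.delete', form field '_sonata_csrf_token'.
namespace Acme\DemoBundle\Controller;

use Sonata\AdminBundle\Controller\CRUDController as BaseController;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;

class ProductAdminController extends BaseController
{
    public function deleteAction($id)
    {
        $request = $this->get('request');
        $object  = $this->admin->getObject($id);

        if (!$object) {
            throw new NotFoundHttpException(sprintf('unable to find the object with id : %s', $id));
        }

        if ($request->getMethod() == 'DELETE') {
            // Validate BEFORE deleting. A cross-site form post carries the
            // victim's session cookie, but cannot know this per-session token,
            // so the helper throws a 400 and nothing is removed.
            $this->validateCsrfToken('sonata.delete');

            $this->admin->delete($object);
            $this->get('session')->getFlashBag()->add('sonata_flash_success', 'flash_delete_success');

            return new RedirectResponse($this->admin->generateUrl('list'));
        }

        // GET only renders the confirmation form; the token is passed so that
        // delete.html.twig can emit:
        //   <input type="hidden" name="_sonata_csrf_token" value="{{ csrf_token }}">
        return $this->render($this->admin->getTemplate('delete'), array(
            'object'     => $object,
            'action'     => 'delete',
            'csrf_token' => $this->getCsrfToken('sonata.delete'),
        ));
    }
}
```

The same pattern applies to an overridden batchAction: validate the token first, then act on the selected ids.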

Comments

  • Flu (Oct 2, 2013)
    Thanks for the heads up! Just updated my code.
  • COil (Oct 2, 2013)
    For the entities that disappear, I had the same problem, take a look at: http://stackoverflow.com/questions/17364370/doctrine2-reinitializes-a-related-entity-one-to-one-when-saving-a-main-entity
  • Sonata user (Sep 30, 2013)
    Can you explain the exploit please with a use case? I have experienced on my website entities that disappear mysteriously, and I want to know if this could explain it.