
Sugar CRM 6.5 Community Edition CSRF Protection Mechanisms

Question asked by Daniel Gray on Nov 23, 2016
Latest reply on Nov 25, 2016 by Michael Joyner

We have run Nessus scans on our Sugar CRM 6.5 Community Edition instance and the report has found the following potential vulnerability that needs to be checked if it is a positive or not. This seems to be specific to index.php not protected by a random token.


More details from the Nessus report include:

The spider found HTML forms on the remote web server. Some CGI scripts do not appear to be protected by random tokens, a common anti-cross-site request forgery (CSRF) protection. The following CGIs are not protected by a random token: /index.php The web application might be vulnerable to CSRF attacks. Please can someone indicate how Sugar provides protection against CSRF attacks. I need to qualify with certainty that this is in fact a false positive or not.


Much Appreciated!
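For readers trying to understand what the Nessus finding is checking for, the following is an added illustration of the synchronizer-token pattern that the scanner's heuristic looks for (a random per-session token emitted as a hidden form field and verified on submission). It is not SugarCRM's code and says nothing about how Sugar itself handles CSRF; the function names, the session key name and the sample requests are assumptions constructed for the example.

```php
<?php
// Added example (not SugarCRM's code): the synchronizer-token pattern a
// scanner means when it reports a form "not protected by a random token".
// Function names and the session key name are assumptions.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token'; // assumed session key name

// Issue (or reuse) a per-session random token, kept server-side.
// $session stands in for $_SESSION so the example runs without a web server.
function csrf_token(array &$session): string
{
    if (empty($session[CSRF_SESSION_KEY])) {
        $session[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $session[CSRF_SESSION_KEY];
}

// Hidden field carrying the token; every state-changing form includes it,
// which is exactly what the spider looks for when it inspects a form.
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate the submitted token against the session copy before acting on
// a POST. hash_equals() compares in constant time, so the token cannot be
// recovered byte by byte through timing differences.
function csrf_validate(array $session, array $post): bool
{
    $expected = $session[CSRF_SESSION_KEY] ?? '';
    $given    = $post['csrf_token'] ?? null;
    if (!is_string($given) || $expected === '') {
        return false;
    }
    return hash_equals($expected, $given);
}

function expect(bool $cond, string $what): void
{
    if (!$cond) {
        throw new RuntimeException("check failed: $what");
    }
}

// Self-check with a constructed session and three constructed POST bodies.
$session = [];
$field   = csrf_field($session);               // token is minted here
$good    = ['csrf_token' => $session[CSRF_SESSION_KEY], 'action' => 'save'];
$missing = ['action' => 'save'];               // a cross-site form post carries no token
$wrong   = ['csrf_token' => str_repeat('0', 64), 'action' => 'save'];

expect(str_contains($field, 'name="csrf_token"'), 'hidden field rendered');
expect(csrf_validate($session, $good) === true, 'valid token accepted');
expect(csrf_validate($session, $missing) === false, 'missing token rejected');
expect(csrf_validate($session, $wrong) === false, 'wrong token rejected');
echo "token check ok\n";
```

When triaging a finding like this one, the useful question is whether the forms on index.php that change state actually carry such a field and whether the server rejects a POST without it; a spider only sees the rendered HTML, so it cannot tell whether protection is implemented some other way (for example, a token sent in a header or a check on the request's origin), which is why the report is phrased as "might be vulnerable".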
