
CSRF Protection for Sensitive Routes #556

@KrakenDev0001

Description


Describe the issue

Currently in WemX, important actions are executed directly via a GET request. This leads to two issues.

  1. Attackers can use it to make you inadvertently delete something important if you are logged in or log in yourself without realizing the redirect link.

  2. Anything that isn't handled properly, like the Giftcards module, takes you to a 500 page when executing actions. I'm not sure about the internals there, but I assume using a different method of confirming actions wouldn't have to go to a new page, thus not going to a nonexistent one.

Product Version

2.2.1

Pterodactyl Panel Version (if applicable)

No response

To Reproduce

General fix. Mainly related to actions like deleting orders.

Expected Behaviour

Click button, confirmation pops up (optionally), action is done, no redirect, maybe a refresh or redirect to a further in page if the action also deletes the instance of the page you're viewing. The action should be done via a POST request, which won't be easily executed and would require an XSRF token.

Screenshots

No response

Additional Information

No response
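The change the report asks for, as an added illustration that is not WemX's own code: a framework-agnostic Python sketch of a delete-order handler before (runs on a plain GET, so the browser's automatically attached session cookie is all a request needs) and after (runs only on POST carrying the token bound to the session, and answers a missing resource with a 404 rather than an error page). The in-memory store, the `_token` field name and the status codes are assumptions.

```python
import hmac
import secrets


def new_app():
    # Constructed in-memory stand-in for the orders table and session store.
    return {"orders": {123: "order-123", 124: "order-124"}, "sessions": {}}


def login(app):
    # Each session gets its own random CSRF token; the page's form embeds it
    # as a hidden field, so a cross-site page cannot learn or guess it.
    sid = secrets.token_urlsafe(16)
    app["sessions"][sid] = {"csrf": secrets.token_urlsafe(32)}
    return sid


def csrf_token(app, sid):
    return app["sessions"][sid]["csrf"]


def delete_order_get(app, sid, order_id):
    """Before: the action runs on a GET link. Nothing ties the request to a
    page the user actually submitted, which is the CSRF exposure reported."""
    if sid not in app["sessions"]:
        return 401
    app["orders"].pop(order_id, None)
    return 302


def delete_order_post(app, sid, method, order_id, form):
    """After: POST only, session-bound token required, clean 4xx on errors."""
    if sid not in app["sessions"]:
        return 401
    if method != "POST":
        return 405  # state-changing action refuses GET outright
    expected = app["sessions"][sid]["csrf"]
    submitted = form.get("_token", "")
    # Constant-time comparison so the check does not leak the token by timing.
    if not hmac.compare_digest(expected, submitted):
        return 403
    if order_id not in app["orders"]:
        return 404  # unknown order is a client error, not a 500 page
    del app["orders"][order_id]
    return 302
```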


Labels

bug (Something isn't working)
