How is it exploited?
«Suppose John is authenticated as an administrator on the PureShoppingHeaven site. PureShoppingHeaven has a URL that’s restricted to admin access and allows information to be passed on the URL to execute an action, such as creating a new user.»
So if a View in your Orchard site contains JavaScript that, for example, calls an Action through an AJAX request, you will get an AntiForgery exception.
You have two ways to avoid this issue:
1 – Disable the anti-forgery check in the Module.txt file. This is a bad way.
2 – Send the anti-forgery token with your request, in this way:

```javascript
// The Razor helper writes the current anti-forgery token into the request body
// under the field name the framework validates, __RequestVerificationToken.
$.post("team/getteammember",
    { id: id, __RequestVerificationToken: "@Html.AntiForgeryTokenValueOrchard()" },
    function (data) {
        // work with data
    });
```

This is the good way.
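Adding the token by hand to every `$.post` call is easy to forget, and a missed call means another AntiForgery exception. The following is an added example, not code from the original post or from Orchard itself: it reads the token from the hidden input that `@Html.AntiForgeryTokenOrchard()` renders in the view and attaches it to every same-origin, form-encoded POST made through jQuery. It assumes jQuery is loaded on the page; the URLs and field values are not tied to any real endpoint.

```javascript
// Added example, not code from the original post or from Orchard itself.
// Assumes the view renders @Html.AntiForgeryTokenOrchard() (a hidden input named
// __RequestVerificationToken, like ASP.NET MVC's @Html.AntiForgeryToken())
// and that jQuery is loaded on the page.
var TOKEN_FIELD = "__RequestVerificationToken";

// Read the token from the hidden input rendered by the Razor helper.
// `root` is document in the browser; any object with querySelector works.
function readAntiForgeryToken(root) {
  var input = root.querySelector('input[name="' + TOKEN_FIELD + '"]');
  return input && input.value ? input.value : null;
}

// Return request data with the token added. Handles an object
// (as in $.post("url", { id: id })) and an already serialized
// "id=5&x=y" string, and leaves data alone if the token is already there.
function withAntiForgeryToken(data, token) {
  if (!token) return data;
  var pair = TOKEN_FIELD + "=" + encodeURIComponent(token);
  if (data === undefined || data === null || data === "") return pair;
  if (typeof data === "string") {
    return data.indexOf(TOKEN_FIELD + "=") !== -1 ? data : data + "&" + pair;
  }
  if (data[TOKEN_FIELD]) return data;
  var copy = {};
  for (var k in data) {
    if (Object.prototype.hasOwnProperty.call(data, k)) copy[k] = data[k];
  }
  copy[TOKEN_FIELD] = token;
  return copy;
}

// Wire it into jQuery: every same-origin, form-encoded POST/PUT/DELETE gets
// the token in its body, so individual $.post calls no longer need to add it.
if (typeof jQuery !== "undefined" && typeof document !== "undefined") {
  jQuery.ajaxPrefilter(function (options) {
    if (!/^(POST|PUT|DELETE)$/i.test(options.type || "GET")) return;
    if (options.crossDomain) return; // never send the token to another origin
    if (/json/i.test(options.contentType || "")) return; // JSON bodies are not handled here
    options.data = withAntiForgeryToken(options.data, readAntiForgeryToken(document));
  });
}
```

Requests to other origins and JSON-encoded bodies are deliberately left untouched, since the token belongs only in form-encoded requests to your own site.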
If you want more information about security, take a look here: http://msdn.microsoft.com/en-us/magazine/hh708755.aspx
Enjoy with Orchard