Details
Bug
Resolution: Fixed
Minor
None
Professional Edition
None
Observium Professional 17.10.8879
Description
Attempting to delete a user does not work. The confirm page appears, but "Click to confirm" results in being redirected back to the edit user page with a pair of messages that both read:
WARNING. Possible CSRF attack with EMPTY request token.
The logs show this URL being requested:
clientIPremoved [06/Oct/2017:11:09:38 +0100] "GET /edituser/action=deleteuser/user_id=8/confirm=yes/ HTTP/1.1" 200 151653
Adding the /requesttoken=f08d0etcetcetc/ to the URL results in the user being deleted successfully.
Activity
Status | Original: Resolved [ 5 ] | New: Closed [ 6 ] |
Resolution | New: Fixed [ 1 ] | |
Status | Original: Pending Response [ 10000 ] | New: Resolved [ 5 ] |
Status | Original: In Progress [ 3 ] | New: Pending Response [ 10000 ] |
Status | Original: Open [ 1 ] | New: In Progress [ 3 ] |
Workaround:
After clicking "Delete User", do not click to confirm; just paste "confirm=yes/" (without quotes) before requesttoken=........ and after user_id=N/ in the browser address bar.
The result should be something like this; then press Enter:
OBSERVIUM_URI/edituser/action=deleteuser/user_id=USER_ID/confirm=yes/requesttoken=GENERATED_TOKEN/
This will successfully delete the user, as the "Click to confirm" URL should do.
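The failure reported above, reduced to a small model: a confirm link rebuilt without the request token is rejected, and the same link with the token appended passes. This is an added example, not part of the ticket and not Observium's code; the function names, the per-session token and the way the link is rebuilt are assumptions made for illustration.

```python
import hmac
import secrets

def parse_path_vars(path):
    """Split '/page/key=value/key=value/' into (page, {key: value})."""
    segments = [s for s in path.split("/") if s]
    page = segments[0] if segments else ""
    pairs = (s.split("=", 1) for s in segments[1:] if "=" in s)
    return page, {k: v for k, v in pairs}

def token_is_valid(session_token, path_vars):
    """Constant-time check of the per-session token carried in the URL."""
    supplied = path_vars.get("requesttoken", "")
    if not supplied:
        return False, "EMPTY request token"
    if not hmac.compare_digest(supplied.encode(), session_token.encode()):
        return False, "request token mismatch"
    return True, "ok"

def confirm_link_buggy(page, path_vars):
    """Rebuild the action link for the confirm step, dropping the token."""
    keep = {k: v for k, v in path_vars.items() if k != "requesttoken"}
    keep["confirm"] = "yes"
    return "/" + page + "/" + "".join(f"{k}={v}/" for k, v in keep.items())

def confirm_link_fixed(page, path_vars, session_token):
    """Same link, with the session's token appended as the last variable."""
    return confirm_link_buggy(page, path_vars) + f"requesttoken={session_token}/"

def handle(session_token, path):
    """Return 'deleted' only when confirm=yes arrives with a valid token."""
    page, v = parse_path_vars(path)
    if v.get("action") == "deleteuser" and v.get("confirm") == "yes":
        ok, reason = token_is_valid(session_token, v)
        return "deleted" if ok else "rejected: " + reason
    return "show confirm page"

if __name__ == "__main__":
    token = secrets.token_hex(16)  # constructed sample session token
    first = f"/edituser/action=deleteuser/user_id=8/requesttoken={token}/"
    page, v = parse_path_vars(first)
    for link in (confirm_link_buggy(page, v), confirm_link_fixed(page, v, token)):
        print(link, "->", handle(token, link))
```

In this URL scheme the token is part of the request path, so it is written to the web server access log together with the rest of the request line.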