AJAX requests without a session ID or other form of authentication

Issue: SI-15
Date: Jun 18, 2013, 10:00:00 AM
Severity: Critical
Requires Admin Access: No
Fix Version: 2.3.2
Credit: Internal Security Team
Description:

It is possible to create an unprivileged user account by sending a properly formatted remote AJAX call to the /dwr endpoint without a session ID or any other form of authentication.

Mitigation:
  • Upgrade to dotCMS v. 2.3.2+
  • Restrict access to the /dwr URL pattern to trusted IP addresses.
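
The second mitigation, restricting the /dwr URL pattern to trusted addresses, can be enforced at a reverse proxy in front of the application. The configuration below is an added example and is not part of the dotCMS advisory or the dotCMS project; it assumes dotCMS listens on 127.0.0.1:8080 behind nginx, and the hostname and address ranges are placeholders to be replaced with your own.

```nginx
# Added example (not from the dotCMS advisory): nginx reverse proxy that
# allows the /dwr URL pattern only from trusted addresses.
# ASSUMPTIONS: dotCMS is reachable on 127.0.0.1:8080; example.com and the
# allow-listed addresses are placeholders.

upstream dotcms {
    server 127.0.0.1:8080;
}

server {
    listen 80;
    server_name example.com;          # placeholder hostname

    # DWR endpoint: reachable only from trusted networks. The "^~" prefix
    # match covers every path beneath /dwr and stops nginx from consulting
    # other regex locations for these requests.
    location ^~ /dwr {
        allow 10.0.0.0/8;             # placeholder: internal admin network
        allow 192.0.2.10;             # placeholder: single trusted host
        deny  all;                    # every other source address gets HTTP 403

        proxy_pass http://dotcms;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://dotcms;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After a reload, a request for any path under /dwr from an address outside the allow list should be answered with 403 by nginx and never reach dotCMS. Two caveats: `allow`/`deny` evaluate the address of the connecting client, so if another proxy or load balancer sits in front of nginx the rules must be written for that hop (or the real client address must be recovered with the realip module first); and any legitimate client of the DWR endpoint, such as administrators using the backend UI, must come from an allow-listed address. The IP restriction is defense in depth; the upgrade to 2.3.2+ remains the fix for the missing authentication check itself.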

References:
  • https://github.com/dotCMS/dotCMS/issues/3031