The login.aspx process has a minimal XSS vulnerability, and the WikiEdit.aspx and MessagePost.aspx pages are vulnerable to Cross-Site Request Forgery (XSRF).
Deleted the original session ID cookie when a successful login occurs, which causes a new cookie to be created.
Added configuration variables XsrfProtectionMessagePostTimeout and XsrfProtectionWikiEditTimeout to flexwiki.config, documented in flexwiki.config.template. Default timeout periods are 10 and 15 minutes respectively.
Added a nonce to the forms in WikiEdit and MessagePost and generated a unique cookie for each form instance. The cookie and the nonce values must match for the save to occur. This guarantees that the save action came from a browser that had previously communicated with the FlexWiki-hosted site and that it was not the result of activity from a malicious site, or input from a bot.
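The nonce-and-cookie check described above, as an added C# sketch that is not FlexWiki's own code: the class `XsrfFormGuard` and its methods `Issue` and `Validate` are hypothetical names. It assumes the timeout is enforced from a server-side record and that each nonce is accepted once, neither of which the text above specifies.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical helper: one nonce per rendered form, sent as a hidden field and as a per-form cookie.
public sealed class XsrfFormGuard
{
    private readonly TimeSpan _timeout;
    private readonly Dictionary<string, DateTime> _expiry = new Dictionary<string, DateTime>();
    public XsrfFormGuard(TimeSpan timeout) { _timeout = timeout; }

    // Render time: the caller writes the returned value into the hidden field and the cookie.
    public string Issue(DateTime nowUtc)
    {
        var bytes = new byte[32];
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(bytes);
        string nonce = Convert.ToBase64String(bytes);
        lock (_expiry) _expiry[nonce] = nowUtc + _timeout;
        return nonce;
    }

    // Save time: both values present, equal, issued by this server, unused, and inside the window.
    public bool Validate(string cookieValue, string formValue, DateTime nowUtc)
    {
        if (string.IsNullOrEmpty(cookieValue) || string.IsNullOrEmpty(formValue)) return false;
        if (!SameValue(cookieValue, formValue)) return false;
        lock (_expiry)  // Remove makes the nonce single use, so a replayed post fails
            return _expiry.TryGetValue(formValue, out DateTime expires) && _expiry.Remove(formValue) && nowUtc <= expires;
    }

    // Comparison whose running time does not depend on where the strings differ.
    private static bool SameValue(string a, string b)
    {
        int diff = a.Length ^ b.Length;
        for (int i = 0; i < a.Length && i < b.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var guard = new XsrfFormGuard(TimeSpan.FromMinutes(15)); // WikiEdit default stated above
        DateTime t0 = DateTime.UtcNow;
        string nonce = guard.Issue(t0);
        // Forged post: the browser attaches the cookie, but the other site cannot read it to fill the field.
        Console.WriteLine(guard.Validate(nonce, "constructed-forged-value", t0.AddMinutes(1)));
        Console.WriteLine(guard.Validate(nonce, nonce, t0.AddMinutes(5)));  // legitimate save
        Console.WriteLine(guard.Validate(nonce, nonce, t0.AddMinutes(6)));  // replay of the same nonce
        string late = guard.Issue(t0);
        Console.WriteLine(guard.Validate(late, late, t0.AddMinutes(16)));   // save after the timeout
    }
}
```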