There is a CSRF vulnerability in ocPortal. It bypasses the Referer check that ocPortal applies to forms posted to the system, allowing a malicious third-party website to trick an administrator's browser into submitting pre-built forms (i.e. pre-chosen actions) to the site.
The vulnerability only happens in very particular circumstances, which we are not currently disclosing.
The vulnerability can only be exploited when the administrator already has a confirmed active login session open (not just a cookie-based login), and only when they are somehow tricked into visiting the malicious third-party site. It is nevertheless a serious issue if a knowledgeable attacker sets out to trick your staff directly in this way.
We strongly recommend installing this hot-fix:
0002074: Security fix for CSRF vulnerability - ocPortal feature tracker
If you use a firewall or privacy tool that strips Referer headers, disable that option: it significantly weakens security, because it stops ocPortal from checking where a form was submitted from. Likewise, do not block cookies on your own site, because the added protection relies on being able to set a cookie.
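To make the two points above concrete, here is an added illustration (written for this page in Python, not ocPortal's own PHP code) of a CSRF defence with two layers: an Origin/Referer check of the kind the advisory refers to, and, as one common way to build a protection that needs a cookie, a session-bound token carried both in a cookie and in each form. The host name, cookie names, server secret and sample requests are constructed assumptions, and nothing here is a claim about how ocPortal's fix is implemented.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Assumed values for the illustration; not taken from ocPortal.
SITE_HOST = "example.com"
SERVER_SECRET = b"constructed-server-secret-change-me"


def origin_allowed(headers, allow_missing=False):
    """Layer 1: the request must come from our own origin.

    Uses Origin when present, else Referer. With allow_missing=False a request
    carrying neither header is rejected (fail closed). allow_missing=True models
    deployments that tolerate Referer-stripping proxies; the layer then only
    protects requests that still carry one of the headers.
    """
    for name in ("Origin", "Referer"):
        value = headers.get(name)
        if value:
            return urlsplit(value).hostname == SITE_HOST
    return allow_missing


def issue_token(session_id, secret=SERVER_SECRET):
    """Mint a token bound to one session: nonce.HMAC(secret, session_id:nonce).

    The server sets it as a cookie and embeds the same value in each form;
    no server-side state is needed to check it later.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def token_bound_to_session(token, session_id, secret=SERVER_SECRET):
    """Recompute the MAC so a token minted for another session is rejected."""
    nonce, sep, mac = token.partition(".")
    if not sep:
        return False
    expected = hmac.new(secret, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def validate_post(headers, cookies, form, allow_missing_referer=False):
    """Both layers must pass. Returns (accepted, reason)."""
    if not origin_allowed(headers, allow_missing_referer):
        return False, "origin check failed"
    session_id = cookies.get("session")
    cookie_token = cookies.get("csrf_token")
    form_token = form.get("csrf_token")
    if not (session_id and cookie_token and form_token):
        return False, "session or csrf token missing"
    # Double-submit: a cross-site page cannot read our cookie, so it cannot
    # place the matching value into the form it makes the browser submit.
    if not hmac.compare_digest(cookie_token, form_token):
        return False, "csrf token mismatch"
    if not token_bound_to_session(form_token, session_id):
        return False, "csrf token not bound to this session"
    return True, "accepted"


def demo():
    """Constructed requests covering the situations the advisory describes."""
    sid = "admin-session-123"
    tok = issue_token(sid)
    cookies = {"session": sid, "csrf_token": tok}
    same_site = {"Referer": f"https://{SITE_HOST}/adminzone/"}
    forged_form = {"csrf_token": "guess"}  # attacker cannot read the real cookie
    other_tok = issue_token("someone-elses-session")
    return {
        "legit": validate_post(same_site, cookies, {"csrf_token": tok}),
        "cross_site": validate_post({"Referer": "https://attacker.invalid/"}, cookies, forged_form),
        # Referer stripped by a privacy tool, strict mode: rejected outright.
        "stripped_strict": validate_post({}, cookies, forged_form),
        # Same, lenient mode: layer 1 is blind, only the cookie token stops it.
        "stripped_lenient": validate_post({}, cookies, forged_form, allow_missing_referer=True),
        # Cookies blocked on the site: there is no token to compare, so even
        # the legitimate request is refused.
        "no_cookies": validate_post(same_site, {}, {"csrf_token": tok}),
        # Token minted for another session, replayed into this one.
        "other_session": validate_post(same_site, {"session": sid, "csrf_token": other_tok},
                                       {"csrf_token": other_tok}),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:17s} -> {result}")
```

The `stripped_lenient` case is the advisory's warning in miniature: once Referer headers are stripped, a site that tolerates their absence has only the cookie-bound token left, and a site that also blocks cookies has nothing left at all.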
Credit for finding the vulnerability goes to Arjun Basnet of Cyber Security Works Pvt Ltd. We appreciate the time taken to find this issue and report it to us.