Security fix for CSRF vulnerability

There is a CSRF vulnerability in ocPortal. It bypasses the referrer checks we use to verify where forms posted to the system come from, and allows a malicious third-party website to trick an administrator into submitting crafted forms (i.e. crafted actions) to the system.

The vulnerability only happens in very particular circumstances, which we are not currently disclosing.

The vulnerability can only be triggered when the administrator already has a confirmed active login session open (not just a cookie login), and only when they are somehow lured to the malicious third-party site. It is nevertheless a serious issue if a knowledgeable attacker sets out to trick your staff into performing this action.

We highly recommend installing this hot-fix:
0002074: Security fix for CSRF vulnerability - ocPortal feature tracker

If you have a firewall tool that strips out Referer headers, you should disable that firewall option, as it significantly weakens security (it prevents us from checking form origins). You should also not block cookies on your own site, as our added protection relies on being able to save a cookie.
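To illustrate why both the Referer header and the cookie matter, here is an added example (not ocPortal's own code) of a form-submission check that layers the two defences the advisory describes: an origin check on the Origin/Referer header and a per-session token stored in a cookie that the form must echo back. The hostname and header/cookie names are assumptions.

```python
# Added example, not ocPortal's code: a layered CSRF check combining an
# origin (Referer) check with a cookie-backed token.
import hmac
import secrets
from urllib.parse import urlsplit

SITE_HOST = "example.com"  # assumption: the site's own hostname


def issue_token() -> str:
    """Token to store in the session cookie and embed as a hidden form field."""
    return secrets.token_urlsafe(32)


def referer_ok(headers: dict) -> bool:
    """Origin check: accept only requests claiming to come from our own host.
    A missing header fails closed, so stripping it cannot bypass the check."""
    origin = headers.get("Origin") or headers.get("Referer")
    if not origin:
        return False
    return urlsplit(origin).hostname == SITE_HOST


def token_ok(cookies: dict, form: dict) -> bool:
    """The cookie token must exist and equal the token in the form body.
    A third-party site cannot read our cookie, so it cannot forge the field.
    Constant-time comparison avoids leaking the token through timing."""
    expected = cookies.get("csrf_token", "")
    provided = form.get("csrf_token", "")
    if not expected:
        return False  # cookies blocked: no token to verify against
    return hmac.compare_digest(expected.encode(), provided.encode())


def csrf_check(headers: dict, cookies: dict, form: dict) -> bool:
    """Both layers must pass before a posted form is acted on."""
    return referer_ok(headers) and token_ok(cookies, form)
```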

Credit for the vulnerability goes to Arjun Basnet from Cyber Security Works Pvt Ltd. We appreciate the time taken to find this issue and report it to us.
