When loading the System Dashboard in Joomla 4 admin, several Ajax calls are made to get badge information,
e.g.: http://127.0.0.1:4444/administrator/index.php?option=com_installer&task=discover.getMenuBadgeData&format=json
The calls made are POST calls with no form_data.
The same information is available by a GET call.
For getting information a GET call would be used.
You should not be able to make a POST and a GET to the same URL and get the same data. Architecturally wrong.
No CSRF token is required when using GET to access these URLs.
The call to http://127.0.0.1:4444/administrator/index.php?option=com_joomlaupdate&task=getMenuBadgeData&format=json
returns a blank string for data:
{
    "success": true,
    "message": null,
    "messages": null,
    "data": ""
}
whereas all the others will return an integer 0 for data, e.g.
http://127.0.0.1:4444/administrator/index.php?option=com_installer&task=update.getMenuBadgeData&format=json
{
    "success": true,
    "message": null,
    "messages": null,
    "data": 0
}
Best to ensure it's always an integer returned and be type safe...
Labels | Added: ? |
Labels | Added: J4 Issue |
Status | New | ⇒ | Closed |
Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2022-03-06 22:29:05 |
Closed_By | ⇒ | PhilETaylor | |
Labels | Added: No Code Attached Yet | Removed: ? |
Caused by security issue here #37180
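
The three observations in the report above (same data over GET and POST, GET answered without a token, and `data` not always an integer) can be checked offline against recorded responses. This is an added example, not code from the issue or from Joomla; the capture is constructed, and the field names `endpoint`, `method`, `tokenSent` and `body` and both function names are assumptions.

```javascript
// Constructed capture of the badge endpoints from the report (not real traffic).
// Field names (endpoint, method, tokenSent, body) are assumptions for this example.
const captured = [
  { endpoint: 'option=com_installer&task=discover.getMenuBadgeData', method: 'POST', tokenSent: false,
    body: '{"success":true,"message":null,"messages":null,"data":0}' },
  { endpoint: 'option=com_installer&task=discover.getMenuBadgeData', method: 'GET', tokenSent: false,
    body: '{"success":true,"message":null,"messages":null,"data":0}' },
  { endpoint: 'option=com_joomlaupdate&task=getMenuBadgeData', method: 'POST', tokenSent: false,
    body: '{"success":true,"message":null,"messages":null,"data":""}' },
];

// Strict read of the badge payload: only a non-negative integer is accepted.
function readBadge(body) {
  let parsed;
  try { parsed = JSON.parse(body); } catch (e) { return { valid: false, reason: 'not JSON' }; }
  if (parsed === null || typeof parsed !== 'object' || parsed.success !== true) {
    return { valid: false, reason: 'success is not true' };
  }
  const d = parsed.data;
  if (typeof d === 'number' && Number.isInteger(d) && d >= 0) return { valid: true, count: d };
  return { valid: false, reason: `data is ${JSON.stringify(d)} (${typeof d}), expected integer` };
}

// Group records per endpoint and report the three conditions raised in the issue.
function auditBadgeEndpoints(records) {
  const byEndpoint = new Map();
  for (const r of records) {
    if (!byEndpoint.has(r.endpoint)) byEndpoint.set(r.endpoint, []);
    byEndpoint.get(r.endpoint).push(r);
  }
  const findings = [];
  for (const [endpoint, rs] of byEndpoint) {
    const get = rs.find((r) => r.method === 'GET');
    const post = rs.find((r) => r.method === 'POST');
    if (get && post && get.body === post.body) findings.push({ endpoint, issue: 'same-data-get-and-post' });
    if (rs.some((r) => r.method === 'GET' && !r.tokenSent && readBadge(r.body).valid)) {
      findings.push({ endpoint, issue: 'get-answered-without-token' });
    }
    const bad = rs.map((r) => readBadge(r.body)).find((b) => !b.valid);
    if (bad) findings.push({ endpoint, issue: 'type-unsafe-data', detail: bad.reason });
  }
  return findings;
}

console.log(auditBadgeEndpoints(captured));
```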