Cross Site Request Forgery in Sphinn

I have removed the XSRF exploit, although you can click on the link below with the text “this story” to cause a vote to happen. Just imagine putting that into an iframe or an img src=, and it would accomplish the same thing w/o you knowing…. Thanks for the vote! If you are currently logged into Sphinn (or simply forgot to logout), chances are, you have just voted for this story. Sphinn’s vulnerability is one of the most common forms of XSRF, where the site allows actions to originate offsite without any authentication aside from the original cookie / session. There are multiple ways to prevent XSRF, the easiest of which is to generate a user-specific token for each action origination point on the site (a form, a link that votes, etc.) so...