Note: this issue has been reviewed by the Drupal security team and it was decided that this can be handled as a public security improvement.
Problem/Motivation
In Drupal 7 and 8, cron is vulnerable to CSRF attacks. The cron run endpoint has no CSRF protection: it can be triggered by a plain GET request and no token is checked, so a site can be affected by a request forged from elsewhere.
Mitigation
The vulnerability is partly mitigated by the fact that running cron is a task generally considered safe. Protecting cron runs was considered more of a hardening issue than an actual security fix.
However, depending on the type of the CSRF attack (and the site) this could lead to a Denial of Service attack.
Proposed resolution
Use CSRF token protection or add a confirmation form to cron.
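In Drupal 8 a route can declare the requirement `_csrf_token: 'TRUE'` and the link generator then appends the token for it. The stand-alone PHP below is an added example, not Drupal core code: it shows the check itself, with constructed values standing in for the site's private key and hash salt, and the unprotected "run cron" handler beside the token-checked one.

```php
<?php
// Added example (not Drupal core code). A CSRF token here is an HMAC over the
// action name, keyed by a per-session seed plus site-private secrets, so a link
// forged by a third-party page cannot carry a valid one for the victim's session.

// Constructed secrets standing in for a site's private key and hash salt.
const SITE_PRIVATE_KEY = 'constructed-private-key';
const SITE_HASH_SALT   = 'constructed-hash-salt';

/** Returns the per-session seed, creating it on first use. */
function csrf_seed(array &$session): string {
  if (empty($session['csrf_seed'])) {
    $session['csrf_seed'] = bin2hex(random_bytes(16));
  }
  return $session['csrf_seed'];
}

/** Builds a token bound to this session and to one action ("run-cron"). */
function csrf_token(array &$session, string $value): string {
  $key = csrf_seed($session) . SITE_PRIVATE_KEY . SITE_HASH_SALT;
  return hash_hmac('sha256', $value, $key);
}

/** Constant-time comparison of a submitted token with the expected one. */
function csrf_valid(array &$session, string $token, string $value): bool {
  return hash_equals(csrf_token($session, $value), $token);
}

/** Before: any GET to this path runs cron, whoever caused the browser to load it. */
function run_cron_unprotected(callable $cron): string {
  $cron();
  return 'Cron run completed.';
}

/** After: the same endpoint refuses to run unless the request carries a valid token. */
function run_cron_protected(array &$session, array $query, callable $cron): string {
  if (!isset($query['token']) || !csrf_valid($session, $query['token'], 'run-cron')) {
    return 'Access denied: missing or invalid CSRF token.';
  }
  $cron();
  return 'Cron run completed.';
}

// Demonstration: the status page builds the link with a token; a forged link has none.
$session = [];
$ran = 0;
$cron = function () use (&$ran) { $ran++; };
echo run_cron_protected($session, ['token' => csrf_token($session, 'run-cron')], $cron), " (runs: $ran)\n";
echo run_cron_protected($session, ['token' => 'forged'], $cron), " (runs: $ran)\n";
echo run_cron_protected($session, [], $cron), " (runs: $ran)\n";
```

A confirmation form, the other option in the proposed resolution, achieves the same end by making the cron run a POST that carries the form's own token.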
Beta phase evaluation
| Issue category | Bug because it exposes cron to a CSRF vulnerability. |
|---|---|
| Issue priority | Major because, although it is a security improvement, protecting cron runs was considered more of a hardening issue than an actual security fix. |
| Prioritized changes | The main goal of this issue is security improvement, and therefore a prioritized change. |
| Disruption | None. |