From pentest: ApiScribuntoConsole (action=scribunto-console) does not require a CSRF token.
Looking at it right now, it also accepts GET requests.
I'm not sure this is an actual issue:
- Scribunto sessions are extremely ephemeral.
- What would an attacker even gain by messing with someone's scribunto debug session?
- Each session has a 31-bit random identifier associated with it (not cryptographically secure, i.e. generated via mt_rand()). The attacker would have to be able to guess this. Given it's only 31 bits and it's not securely generated, this isn't outside the realm of possibility, but it also makes things harder to pull off.
That said, no harm in doing things properly. So I think we should do the normal thing: require a CSRF token and make this module must-POST.
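As an added illustration (not Scribunto's own code) of what "require a CSRF token and make it must-POST" means for a MediaWiki API module, here is a hypothetical `ApiExampleConsole` module with the three `ApiBase` overrides that core's `ApiMain` enforces before `execute()` runs; the parameter name and the session handling are assumptions for the example.

```php
<?php
// Hypothetical module, not the real ApiScribuntoConsole. Only the three
// overrides at the bottom matter for the CSRF/GET issue described above.
class ApiExampleConsole extends ApiBase {

	public function execute() {
		// By the time we get here, ApiMain has already:
		//   - rejected the request if it was not a POST (mustBePosted)
		//   - required and validated the 'token' parameter (needsToken)
		$params = $this->extractRequestParams();
		$session = $this->getRequest()->getSession(); // assumption: per-user state lives here

		$result = [
			'session' => $session->getId(),
			'echo'    => $params['content'],
		];
		$this->getResult()->addValue( null, $this->getModuleName(), $result );
	}

	public function getAllowedParams() {
		return [
			'content' => [
				ApiBase::PARAM_TYPE => 'string',
				ApiBase::PARAM_REQUIRED => true,
			],
		];
	}

	// Without this override, ApiBase::needsToken() returns false and
	// a cross-site page can drive the module without any secret.
	public function needsToken() {
		return 'csrf';
	}

	// Without this override, ApiBase::mustBePosted() returns false and
	// the module is reachable with a plain GET (e.g. an <img> or a link).
	public function mustBePosted() {
		return true;
	}

	// Marks the module as state-changing so it is grouped with the other
	// write modules in help/paraminfo output and write-mode checks.
	public function isWriteMode() {
		return true;
	}
}
```

The CSRF token itself comes from `action=query&meta=tokens&type=csrf`, which is session-bound, so a third-party origin cannot obtain one for the victim's session.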