Summary
purge_syslog_hosts is currently triggered by a GET link and performs destructive DELETE operations.
Evidence
- Trigger link: setup.php:1621 (utilities.php?action=purge_syslog_hosts)
- Destructive path: setup.php:1568-1604 (multiple DELETE statements)
- Core GET guard only blocks specific actions (save, update_data, changepassword), so this path can still be GET-triggered.
Risk
Authenticated admin users can be induced to trigger data-destructive actions via crafted links/embedded requests.
Expected fix
- Require POST for purge_syslog_hosts
- Require and validate __csrf_magic
- Keep/extend explicit confirmation UX prior to executing deletes
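An added illustration in PHP of the three fix items above; it is not the plugin's or Cacti's own code and uses stand-alone token handling rather than the csrf-magic library. It shows a handler for the purge_syslog_hosts action that refuses anything but POST, validates a session-bound __csrf_magic token in constant time, and is reachable only from an explicit confirmation form. The session key, the form markup and the purge callback are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. It shows the two checks the
// report asks for: reject anything but POST, and require a valid __csrf_magic
// token. The session key and the purge callback are assumptions.
session_start();
// Per-session token, embedded as the hidden __csrf_magic field of the
// confirmation form below.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
// Constant-time comparison; a missing or empty field never validates.
function csrf_token_is_valid(?string $submitted): bool {
    if ($submitted === null || $submitted === '' || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}
// Confirmation step: the only route to the purge is submitting this form.
function confirmation_form(): string {
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="utilities.php">'
         . '<input type="hidden" name="action" value="purge_syslog_hosts">'
         . '<input type="hidden" name="__csrf_magic" value="' . $token . '">'
         . '<button type="submit">Confirm: delete syslog hosts</button></form>';
}
// Before the fix, any GET link reaching this branch ran the DELETE statements.
// After it, the purge callback runs only for a POST that carries a valid token.
function handle_purge_request(string $method, array $post, callable $purge): void {
    if ($method !== 'POST') {
        http_response_code(405);
        header('Allow: POST');
        exit('purge_syslog_hosts requires POST');
    }
    if (!csrf_token_is_valid($post['__csrf_magic'] ?? null)) {
        http_response_code(403);
        exit('missing or invalid CSRF token');
    }
    $purge(); // the DELETE statements (setup.php:1568-1604) belong here
}
if (($_REQUEST['action'] ?? '') === 'purge_syslog_hosts') {
    handle_purge_request($_SERVER['REQUEST_METHOD'], $_POST, function (): void {
        // placeholder for the plugin's own purge routine
    });
}
```

Rejecting the method first means a GET link never reaches the token check, and the token check means a forged POST from another origin cannot succeed without the victim's session-bound value.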