CSRF in the "configure custom field" Multi Checkboxes add new custom field option screen

The administration screen which facilitates the addition of new custom field options is vulnerable to csrf, as it does not check that the atl_token submitted is in fact legitimate for the user submitting it (you can put in any value for the token field).

To access this screen you can go to a url similar to the following ( it is linked off the issue custom fields administration page (/secure/admin/ViewCustomFields.jspa) ):

http://$host/secure/admin/EditCustomFieldOptions!default.jspa?fieldConfigSchemeId=10300&fieldConfigId=10300&customFieldId=10200&returnUrl=ConfigureCustomField!default.jspa%3FcustomFieldId%3D10200