diff --git a/setup/index.php b/setup/index.php
index 3b4082b614..0573e827d1 100644
--- a/setup/index.php
+++ b/setup/index.php
@@ -247,6 +247,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
 		$setup_tpl->set_var('V_db_filled_block',$db_filled_block);
 		break;
 	case 4:
+		$setup_tpl->set_var('hidden_vars', html::input_hidden('csrf_token', egw_csrf::token(__FILE__)));
 		$setup_tpl->set_var('oldver',lang('You appear to be running version %1 of eGroupWare',$setup_info['phpgwapi']['currentver']));
 		$setup_tpl->set_var('automatic',lang('We will automatically update your tables/records to %1',$setup_info['phpgwapi']['version']));
 		$setup_tpl->set_var('backupwarn',lang('but we <u>highly recommend backing up</u> your tables in case the script causes damage to your data.<br /><strong>These automated scripts can easily destroy your data.</strong>'));
@@ -341,6 +342,7 @@ switch($GLOBALS['egw_info']['setup']['stage']['db'])
 					}
 					break;
 				case 'oldversion':
+					egw_csrf::validate($_POST['csrf_token'], __FILE__);
 					// create a backup, before upgrading the tables
 					if ($_POST['backup'])
 					{
diff --git a/setup/templates/default/setup_db_blocks.tpl b/setup/templates/default/setup_db_blocks.tpl
index 4e35d758af..159ed11a11 100644
--- a/setup/templates/default/setup_db_blocks.tpl
+++ b/setup/templates/default/setup_db_blocks.tpl
@@ -92,6 +92,7 @@
 		{automatic}
 		{backupwarn}<br />
 		<form method="post" action="index.php">
+		{hidden_vars}
 		<input type="hidden" name="oldversion" value="{oldver}" />
 		<input type="hidden" name="useglobalconfigsettings" />
 		<input type="hidden" name="action" value="Upgrade" />
@@ -108,25 +109,17 @@
 		</form>
 		<hr />
 		{dont_touch_my_data}.&nbsp;&nbsp;{goto}:
-		<form method="post" action="config.php">
-        <input type="hidden" name="action" value="Dont touch my data" />
+		<form method="get" action="config.php">
 		<input type="submit" name="label" value="{configuration}" />
         </form>
-		<form method="post" action="admin_account.php">
-        <input type="hidden" name="action" value="Dont touch my data" />
+		<form method="get" action="admin_account.php">
 		<input type="submit" name="label" value="{admin_account}" />
         </form>
-		<form method="post" action="lang.php">
-        <input type="hidden" name="action" value="Dont touch my data" />
-		<input type="submit" name="label" value="{language_management}" />
-        </form>
-		<form method="post" action="applications.php">
-        <input type="hidden" name="action" value="Dont touch my data" />
+		<form method="get" action="applications.php">
 		<input type="submit" name="label" value="{applications}" />
 		</form>
-		<form method="post" action="db_backup.php">
-        <input type="hidden" name="action" value="Dont touch my data" />
-		<input type="submit" name="label" value="{db_backup}" />
+		<form method="get" action="db_backup.php">
+ 		<input type="submit" name="label" value="{db_backup}" />
 		</form>
 	</td>
 </tr>
