[pLog-svn] Fwd: CSRF issue

Jon Daley plogworld at jon.limedaley.com
Wed Jul 14 08:25:25 EDT 2010


On Tue, 13 Jul 2010, Reto Hugi wrote:
>> http://secunia.com/advisories/40514
>
> It's a sad but old issue. That's why I once started the csrf branch.
> I've not done more than implementing the token logic and a proof of
> concept. It's still a lot of work until the protection would really work...
 	Yes, that's what I've been thinking.  Changing it to require POST 
helps a little - at least in terms of not a simple <img src> tag, though 
then it is just a javascript POST, so not much better.  And unless you 
protect every single page in all pages, can't the attacking javascript 
grab the form to get the token, and then POST with a valid token?
 	I was looking at some sample code that uses a token per-login 
(which is easier to implement, and not quite as annoying as most CSRF 
protection schemes, where you can't have multiple tabs open, which would 
really annoy me).
 	People talk about the unique URL per login as something different 
than a token, but really, it is just adding another parameter to the URL 
line, and whether it is http://domain.com/admin.php?tok=123&op=blah or 
http://domain.com/admin/123?op=blah it seems the same thing to me.
 	I wonder if we could use the smarty template output filter to add 
in the token on all forms.
 	Does that solve the problem?  If you close your tab, and then go 
back to just admin.php without the token, you would have to login again, 
and so that would break the javascript bookmark thing, but that doesn't 
work for a lot of people anyway, so I don't care about that too much.

> But on the other hand: Almost none of the blog tools out there really
> protect users from CSRF attacks. At least none I know of.
 	I was going to take a look at what WP does - presumably they've 
worked on it.



-- 
Jon Daley
http://jon.limedaley.com
~~
In some ways we are more confused than ever, but we feel that we
are confused on a higher level and about more important things.
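The per-login token and Smarty output-filter idea discussed above, written out as an added example (this is not pLog/LifeType code and not from the csrf branch): one token is minted per login, a Smarty output filter injects it into every POST form, and each state-changing admin action checks it before running. The function names, the filter registration call and the admin.php usage are assumptions.

```php
<?php
// Added example (not pLog/LifeType code): a per-login CSRF token that is
// minted once at login, injected into every POST form by a Smarty output
// filter, and checked before a state-changing admin action is executed.
// The names csrf_token_for_session, csrf_output_filter and csrf_check are assumptions.

// Mint a token once per login and keep it in the server-side session.
function csrf_token_for_session() {
    if (empty($_SESSION['csrf_token'])) {
        // 32 random bytes -> 64 hex characters; random_bytes() needs PHP >= 7.
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Smarty output filter: append a hidden field to every <form method="post">.
// Assumed registration with Smarty's output-filter hook, e.g. in Smarty 3:
//   $smarty->registerFilter('output', 'csrf_output_filter');
function csrf_output_filter($output, $smarty) {
    $field = '<input type="hidden" name="csrf_token" value="'
           . htmlspecialchars(csrf_token_for_session(), ENT_QUOTES, 'UTF-8') . '">';
    // Only POST forms change state; GET forms (search boxes etc.) are left alone.
    return preg_replace_callback(
        '/<form\b[^>]*\bmethod\s*=\s*["\']?post["\']?[^>]*>/i',
        function ($m) use ($field) { return $m[0] . $field; },
        $output
    );
}

// Call at the top of every admin action that changes state.
// Returns true only when the request carries the token minted for this login.
function csrf_check(array $post, array $session) {
    if (empty($session['csrf_token']) || empty($post['csrf_token'])) {
        return false;
    }
    // Constant-time comparison so the check does not leak the token via timing.
    return hash_equals($session['csrf_token'], (string) $post['csrf_token']);
}

// Assumed use in admin.php, before dispatching the requested operation:
// if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_check($_POST, $_SESSION)) {
//     http_response_code(403);
//     exit('Missing or invalid CSRF token');
// }
```

Because the token lives in the session rather than in the URL, several admin tabs can stay open at once, and a bookmark to a plain admin.php still works as long as the login session is alive.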

