Roundup Tracker - Issues

Message4246

Author: joseph_myers
Recipients: joseph_myers
Date: 2011-02-22.20:15:53
Message-id: <1298405753.8.0.247936330488.issue2550690@psf.upfronthosting.co.za>
In-reply-to:
Roundup's web interface checks that requests modifying the database come
via HTTP POST.  This is not sufficient protection against cross-site
request forgery attacks; a user's browser can easily be induced by a
hostile site to send an arbitrary POST request, through Javascript or
otherwise.

In addition to the POST check, all those actions checking for POST
should also check for a secret token in a hidden form field, linked in
the database to the session ID.  (Because of incompatibility with
existing templates it may not be possible to do this unconditionally,
but I think security against CSRF should be the default.)

The POST check is still useful, as it makes it unlikely for the secret
token to appear in URLs (since it wouldn't work there) and URLs are
liable to leak (in Referers etc.).  It's useful for the secret token to
be a separate random token rather than a copy of the session ID, so that
if the contents of a form are leaked (e.g. if the user sends a copy of
the page to someone) that doesn't by itself enable impersonating the user.
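As an added illustration of the scheme proposed in the message above (not Roundup's own code): a per-session CSRF token that is a separate random value stored server-side against the session ID, emitted as a hidden field, and required only on POST. The store, the class, and the field name `@csrf` are assumptions for this example.

```python
import hmac
import secrets


class CsrfGuard:
    """Minimal CSRF guard of the kind the message describes (constructed example)."""

    def __init__(self):
        # session_id -> secret token; a real tracker would keep this in its database
        self._tokens = {}

    def issue_token(self, session_id):
        """Return the token for this session, minting a fresh random one if needed.
        The token is deliberately not derived from the session ID, so a leaked
        page containing the token does not by itself reveal the session."""
        if session_id not in self._tokens:
            self._tokens[session_id] = secrets.token_urlsafe(32)
        return self._tokens[session_id]

    def hidden_field(self, session_id):
        """Hidden input to embed in every database-modifying form."""
        return f'<input type="hidden" name="@csrf" value="{self.issue_token(session_id)}">'

    def check_request(self, method, session_id, form):
        """Allow a modifying action only for a POST carrying the token bound
        to the caller's own session. The POST check keeps the token out of URLs."""
        if method != "POST":
            return False
        expected = self._tokens.get(session_id)
        supplied = form.get("@csrf")
        if expected is None or supplied is None:
            return False
        return hmac.compare_digest(expected, supplied)  # constant-time comparison


if __name__ == "__main__":
    # Constructed scenario: the real form round-trips; a forged cross-site POST,
    # a token placed in a URL, and a leaked token used from another session all fail.
    guard = CsrfGuard()
    tok = guard.issue_token("sessionA")
    print(guard.check_request("POST", "sessionA", {"@csrf": tok}))  # True
    print(guard.check_request("POST", "sessionA", {}))              # False
    print(guard.check_request("GET", "sessionA", {"@csrf": tok}))   # False
    print(guard.check_request("POST", "sessionB", {"@csrf": tok}))  # False
```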
History
Date                 User          Action  Args
2011-02-22 20:15:53  joseph_myers  set     recipients: + joseph_myers
2011-02-22 20:15:53  joseph_myers  set     messageid: <1298405753.8.0.247936330488.issue2550690@psf.upfronthosting.co.za>
2011-02-22 20:15:53  joseph_myers  link    issue2550690 messages
2011-02-22 20:15:53  joseph_myers  create