
CSRF token problem?

CSRF token problem?

Julian Maurice
Hi,

I think I found a problem with how we use CSRF tokens.
If a token is discovered by an attacker, and if the user leaves their
session open, the attacker can use the token to impersonate the user on
every CSRF-protected form for 8 hours (Koha::Token::CSRF_EXPIRY_HOURS).

Is this a known issue?

Bug 18124 restricts the token to a user's session. Maybe it would be good to
restrict it to a particular form too.
To go further, I think we should have a way to invalidate tokens after
their use, so a token can never be used twice.

Any thoughts?

--
Julian Maurice <[hidden email]>
BibLibre
_______________________________________________
Koha-devel mailing list
[hidden email]
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
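One way to implement the two changes proposed above (binding each token to a specific form as well as the session, and invalidating a token once it has been used, with the 8-hour expiry kept), as an added example that is not Koha's Koha::Token code; the secret, session and form identifiers are constructed for illustration:

```python
import hashlib
import hmac
import secrets
import time

# Constructed for this example: a real deployment loads a per-installation
# random secret from configuration; it is never hard-coded.
EXAMPLE_SECRET = b"constructed-example-secret-do-not-reuse"
EXPIRY_SECONDS = 8 * 3600  # the 8-hour lifetime discussed in the thread


class BoundCsrfTokens:
    """Tokens bound to (session, form), time-limited, and valid for one use."""

    def __init__(self, secret: bytes, expiry_seconds: int = EXPIRY_SECONDS):
        self.secret = secret
        self.expiry = expiry_seconds
        self.used = {}  # nonce -> issue time; a consumed token cannot be replayed

    def _mac(self, session_id: str, form_id: str, nonce: str, issued: int) -> str:
        msg = f"{session_id}|{form_id}|{nonce}|{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id: str, form_id: str, now=None) -> str:
        """Mint a token for one session and one form (now overrides the clock in tests)."""
        issued = int(time.time()) if now is None else now
        nonce = secrets.token_hex(16)
        return f"{issued}.{nonce}.{self._mac(session_id, form_id, nonce, issued)}"

    def consume(self, token: str, session_id: str, form_id: str, now=None) -> bool:
        """Return True exactly once for a token issued to this session and form."""
        now = int(time.time()) if now is None else now
        try:
            issued_str, nonce, mac = token.split(".")
            issued = int(issued_str)
        except ValueError:
            return False  # malformed token
        if issued > now or now - issued > self.expiry:
            return False  # expired, or claims to be from the future
        # Recompute the MAC over the *current* session and form: a token taken
        # from one form or session does not verify against another.
        if not hmac.compare_digest(mac, self._mac(session_id, form_id, nonce, issued)):
            return False
        # Consumed nonces older than the expiry can no longer verify; drop them
        # so the replay store does not grow without bound.
        self.used = {n: t for n, t in self.used.items() if now - t <= self.expiry}
        if nonce in self.used:
            return False  # replay: this token was already spent
        self.used[nonce] = issued
        return True
```

Because the form and session are part of the MAC input rather than stored server-side, only the replay store needs state, and it is bounded by the expiry window.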

Re: CSRF token problem?

Katrin Fischer-2
Hi all,

Please remember to file security bugs in the non-public area of bugzilla and also be careful with the discussion here:
https://koha-community.org/security/ (we should probably update the list of names)

Katrin

Sent: Monday, 20 March 2017 at 12:27
From: "Julian Maurice" <[hidden email]>
To: "[hidden email]" <[hidden email]>
Subject: [Koha-devel] CSRF token problem?

Re: CSRF token problem?

Christopher Nighswonger
On Mar 20, 2017 7:54 AM, "Katrin Fischer" <[hidden email]> wrote:
Hi all,

Please remember to file security bugs in the non-public area of bugzilla and also be careful with the discussion here:
https://koha-community.org/security/ (we should probably update the list of names)


The update should include module maintainers. This would go a ways toward heading off problems such as this:

https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18044#c3

Kind regards,
Chris
