I found a vulnerability in login.php. This vulnerability is a CSRF (Cross Site Request Forgery), and with this, a malicious user can log out users. How is it?
The URL to do logout is:
forum.false.com/login.php?XX,logout=1 ; where XX is the number of the section.
This can be exploited by a PHP script whose function is to extract this XX from the Referer, and with header() redirect the user to forum.false.com/login.php?XX,logout=1. And finally, put this script as an image in my signature.
When a user views my post, he sends a GET request to my script, and it sends another GET request to login.php.
To resolve this vulnerability, the best way is adding a token to be able to logout.
PS: sorry for my English, I always failed it at school :D
Reported by: firstname.lastname@example.org
Imported from TRAC: http://trac.phorum.org/ticket/849
We are aware of this issue, but we have not yet taken countermeasures. It takes some low-level changes for something that is annoying, but not a vulnerability as you state it. It is on our list, but first we have taken care of CSRF attacks on POST forms and on URLs that might actually destroy some data on the forums (e.g. the message delete functions, that were GET request driven).
We will take care of adding a token for this URL, but for now it is a low priority issue.
Flickr's solution seems like a good idea here. They generate a key on the URL that is specific to the user, probably using the user id + a secret string to generate a hash. We have all that already in Phorum. Should be easy to do.
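An added example, not Phorum's code and not from either poster, of the scheme discussed in this thread: the reporter asks for a token on the logout URL, and the maintainer proposes deriving it from the user id plus a server-side secret. It is written in PHP because Phorum is a PHP application. The secret value, the `logout:` label, the function names and the `token=` argument name are all assumptions made here; Phorum's real argument parser and session handling are not reproduced.

```php
<?php
// Added example (not Phorum's own code): a per-user logout token built from
// the user id and a server-side secret, as the maintainer suggests above.

// Assumed: the application keeps a secret in its config. The value below is a
// constructed placeholder for this example only; a real deployment loads a
// long random secret from configuration.
const LOGOUT_SECRET = 'replace-with-a-long-random-secret-from-config';

function logout_token(int $user_id, string $secret = LOGOUT_SECRET): string
{
    // Keyed hash: without the secret, a third party cannot derive the token
    // from the (public) user id, so a signature image cannot forge the URL.
    return hash_hmac('sha256', 'logout:' . $user_id, $secret);
}

function logout_url(int $section, int $user_id): string
{
    // Keeps the existing "login.php?XX,logout=1" shape and appends the token.
    return 'login.php?' . $section . ',logout=1,token=' . logout_token($user_id);
}

function logout_token_valid(?string $presented, int $user_id, string $secret = LOGOUT_SECRET): bool
{
    if ($presented === null || $presented === '') {
        return false;
    }
    // Constant-time comparison so response timing does not leak the token.
    return hash_equals(logout_token($user_id, $secret), $presented);
}

// Request handling sketch: only the token check is new; the session the
// request arrives with decides which user's token must be presented.
function handle_logout(array $args, int $session_user_id): string
{
    if (!logout_token_valid($args['token'] ?? null, $session_user_id)) {
        return 'ignored';   // missing or forged token: leave the session alone
    }
    // ... destroy the session here ...
    return 'logged out';
}

// Parse the comma-separated "XX,logout=1,token=..." arguments back out
// (a simplified stand-in for the forum's own argument parsing).
function parse_args(string $url): array
{
    $args = [];
    foreach (explode(',', substr($url, strlen('login.php?'))) as $i => $part) {
        if ($i === 0) {
            $args['section'] = (int) $part;
            continue;
        }
        [$key, $value] = array_pad(explode('=', $part, 2), 2, '');
        $args[$key] = $value;
    }
    return $args;
}

// Usage with constructed values: section 12, user id 4711.
$url = logout_url(12, 4711);
echo $url, "\n";
echo handle_logout(parse_args($url), 4711), "\n";
// The reporter's forged request carries no token and is ignored.
echo handle_logout(parse_args('login.php?12,logout=1'), 4711), "\n";
// A token for another user id does not work for this session either.
echo handle_logout(parse_args(logout_url(12, 9999)), 4711), "\n";
```

A token derived only from the user id is stable for the life of the secret, so if that URL ever leaks it stays valid; feeding the session id into the HMAC input as well (an extension of the maintainer's idea, not something the thread states) limits a leaked token to one session.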