
Vulnerability type CSRF, a malicious attack can log out users #747

Open
Phorum opened this Issue Jun 11, 2011 · 2 comments

2 participants

@Phorum
Phorum commented Jun 11, 2011

Hello,

I found a vulnerability in login.php. This vulnerability is a CSRF (Cross Site Request Forgery), and with it, a malicious user can log out users. How does it work?

The URL to do a logout is this:

forum.false.com/login.php?XX,logout=1 ; where XX is the number of the section.

This can be exploited by a PHP script whose function is to extract this XX from the Referer and, with header(), redirect the user to forum.false.com/login.php?XX,logout=1. And finally, put this script as an image in my signature.

When a user views my post, he sends a GET request to my script, and it sends another GET request to login.php.

To resolve this vulnerability, the best way is adding a token to be able to log out.

PS: sorry for my English, I always failed it at school :D

Reported by: camaleon__81@hotmail.com
Imported from TRAC: http://trac.phorum.org/ticket/849

@Phorum
Phorum commented Jun 11, 2011

We are aware of this issue, but we have not yet taken countermeasures. It takes some low-level changes for something that is annoying, but not a vulnerability as you state it. It is on our list, but first we have taken care of CSRF attacks on POST forms and on URLs that might actually destroy some data on the forums (e.g. the message delete functions, which were GET request driven).

We will take care of adding a token for this URL, but for now it is a low priority issue.

By: mmakaay

@brianlmoon
Phorum Development Team member

Flickr's solution seems like a good idea here. They generate a key on the URL that is specific to the user. Probably using the user id + a secret string to generate a hash. We have all that already in Phorum. Should be easy to do.

@brianlmoon brianlmoon was assigned Jul 25, 2011
@brianlmoon brianlmoon was unassigned by oricgn Sep 11, 2015
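The following is an added example, not Phorum's code and not code posted by anyone in this thread. It models both the attack the reporter describes (a signature-image script that copies the section number XX out of the Referer and redirects the browser to the bare login.php?XX,logout=1 URL) and the defence brianlmoon proposes (a key on the URL derived from the user id plus a secret string). The forum host forum.false.com and the comma-separated query layout are taken from the report; the secret value, the token= argument name, and all function names are assumptions made for the illustration. The hash over user id + secret is done as an HMAC-SHA256, which is the keyed-hash construction a practitioner would reach for here.

```python
from __future__ import annotations

import hashlib
import hmac
from urllib.parse import urlparse

# Constructed example secret. In a real deployment this comes from the forum's
# own configuration and is never sent to the browser.
SECRET = b"constructed-example-secret-do-not-reuse"

FORUM_HOST = "https://forum.false.com"


def parse_phorum_query(url: str) -> tuple[str, dict[str, str]]:
    """Split a Phorum-style query string of the form ?XX,key=value,key=value.

    The first comma-separated element is the section number XX; the remaining
    elements are key=value arguments (a bare element maps to an empty value).
    """
    query = urlparse(url).query
    parts = query.split(",") if query else []
    forum_id = parts[0] if parts else ""
    args: dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        args[key] = value
    return forum_id, args


def logout_token(user_id: int, secret: bytes = SECRET) -> str:
    """Per-user logout key: HMAC-SHA256 over the user id, keyed with the site secret.

    This is the "user id + secret string" hash from the thread; HMAC is used so
    the result is keyed by construction and not subject to length extension.
    """
    return hmac.new(secret, str(user_id).encode(), hashlib.sha256).hexdigest()


def logout_url(forum_id: int, user_id: int, secret: bytes = SECRET) -> str:
    """The logout link the forum would render for a logged-in user (assumed layout)."""
    return f"{FORUM_HOST}/login.php?{forum_id},logout=1,token={logout_token(user_id, secret)}"


def attacker_redirect(referer: str) -> str:
    """What the reporter's signature-image script does: read XX from the Referer
    and redirect the victim's browser to the bare logout URL. The attacker cannot
    attach a valid token because the token depends on the server-side secret."""
    forum_id, _ = parse_phorum_query(referer)
    return f"{FORUM_HOST}/login.php?{forum_id},logout=1"


def handle_logout_request(url: str, session_user_id: int, secret: bytes = SECRET) -> str:
    """Server-side handling of login.php for the logged-in user identified by the session.

    Returns "ignored" when no logout was requested, "rejected" when logout=1 is
    present but the token does not match the session user, and "logged_out" otherwise.
    The comparison is constant-time so the token cannot be guessed byte by byte.
    """
    _, args = parse_phorum_query(url)
    if args.get("logout") != "1":
        return "ignored"
    expected = logout_token(session_user_id, secret)
    supplied = args.get("token", "")
    if not hmac.compare_digest(expected, supplied):
        return "rejected"
    return "logged_out"


if __name__ == "__main__":
    victim_id = 42
    # Constructed Referer: the victim is reading a thread in section 7.
    referer = f"{FORUM_HOST}/read.php?7,1234"
    forged = attacker_redirect(referer)
    print("attacker redirect:", forged, "->", handle_logout_request(forged, victim_id))
    legit = logout_url(7, victim_id)
    print("forum's own link:", legit, "->", handle_logout_request(legit, victim_id))
```

Note that a token derived only from user id + secret is the same on every page load for that user, so it must never appear in a URL that could end up in an attacker-controlled Referer; binding it to the session id as well, or rotating it, closes that gap at the cost of the extra bookkeeping the maintainers mention.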