oc-1581 - CSRF protection issue

[msrex]

From http://bugs.owncloud.org/thebuggenie/owncloud/issues/oc-1581

Unable to reproduce without access to vulture. But maybe @LukasReschke or somebody else knows something.

Description:
I use owncloud 4.0.7 behind a reverse proxy called vulture. It acts has a reverse proxy, a WAF and and authentication forwarder. I currently face a strange issue with the CSRF protection mechanism wihtin owncloud (4.0.7). I am not a php programmer so I hope you could fix it in a next release or explain me why I have this bug

I have a modified the code a little so I can trace where the bug is.

// CSRF protection
if(isset($_SERVER['HTTP_REFERER'])) $referer=$_SERVER['HTTP_REFERER']; else $referer='';
$refererhost=parse_url($referer);
if(isset($refererhost['host'])) $refererhost=$refererhost['host']; else $refererhost='';
$server=OC_Helper::serverHost();
$serverhost=explode(':',$server);
$serverhost=$serverhost['0'];
echo "serverhost : ", $serverhost, "<br />";
echo "referer : ", $refererhost, "<br />";
if(($_SERVER['REQUEST_METHOD']=='POST') and ($refererhost<>$serverhost)) {
echo "fail 1 <br />";
$url = OC_Helper::serverProtocol().'://'.$server.OC::$WEBROOT.'/index.php';
header("Location: $url");
echo "fail2 <br />";
exit();
}
else {
echo "yes!<br />";
}

My system looks like this:

Internet --> Vulture --> web serveur with owncloud --> mysql server backend

When I connect to the url for owncloud, the reverse proxy acces the web page and populate the fields user and password with the user information I gave earlier in a web form (ldap user name and password) and then perform a post so I can access owncloud. It currently does not work with the CSRF code. If I comment all the lines below, it works fine and I can go into owncloud

if(($_SERVER['REQUEST_METHOD']=='POST') and ($refererhost<>$serverhost)) {
echo "fail 1 <br />";
$url = OC_Helper::serverProtocol().'://'.$server.OC::$WEBROOT.'/index.php';
header("Location: $url");
echo "fail2 <br />";
exit();
}

With the code modified code, I see that: - echo "serverhost is displayed and is the same as referer - "yes!" is displayed

So it could mean that the CSRF test is ok. But in fact, I face the login screen again and again whatever I enter a valid username and password and the debug log keep saying "{"app":"core","message":"redirectToDefaultPage","level":0,"time":1342115228}"

And now, if I comment the ligne

exit();

The "Yes" test is displayed but this time, I do not have the issue and connect automatically to owncloud. I do not understand at all.. If commenting the "exit" line fix the issue it means that the "if.." test is true and the "fail' should be displayed? But "fail" is never displayed, still commenting the "exit" line fix the issue.

Can you help? Thanks

Reproduction steps:

• Use a reverse proxy called vulture with web sso enable - install owncloud 4.0.7
  Fix URL to sources #1 Comment posted by Romain Sep 10, 13:49

Hi, I haven't see an update on the ticket yet, maybe because of the hard work you all do on the next release. Can someone just take it and add a comment? Just to be sure that it will be investigated. Thanks
#2 Comment posted by MTRichards Dec 14, 15:58

Is this still an issue in 4.5.4? Curious, and want to see if you are still having trouble.

[LukasReschke]

We rewrote the CSRF protection with oC 4.5.x, the new method uses a token sent via an HTTP header to verify the request instead of just checking the referrer in case if it's a POST request. (This is a safer and better approach)

As it is - at least for me - not reasonable to backport all these changes (we would need to change every app!), I think we can close this ticket and ask users with these setups to upgrade to a newer version of oC.