random "access to this resource is secured against CSRF" message at logout #4956

Closed
rcubetrac opened this issue Jan 15, 2016 · 4 comments

@rcubetrac

commented Jan 15, 2016

Reported by telnetsrl on 15 Jan 2016 14:26 UTC as Trac ticket #1490641

After upgrading my PHP (and forgetting to load the openssl module) very often instead of logging out correctly I get the CSRF warning message. It's pretty gross how I nailed it, but adding

echo ("ST $sess_tok<br>TK $token");

just before

if (empty($sess_id) || $token != $sess_tok) {

in program/lib/Roundcube/rcube.php

I was able to quickly understand why the comparison was failing:

ST Bla$=BlahBlahBlahBlahBla+=BlahBl
TK Bla$=BlahBlahBlahBlahBla =BlahBl

ST Bla_$Bla_BlahB*Blah&%Blah&BlahBl
TK Bla_$Bla_BlahB*Blah               

Instead of auditing lots of lines of code seeking a perfect encode/decode path, the most immediate fix is to generate random bytes that encode to themselves (or to load mod_openssl.so in php :)
Here is my proposed patch,
regards

Keywords: csrf token urldecode openssl
Migrated-From: http://trac.roundcube.net/ticket/1490641
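The failure mode in the report, reproduced as an added example (this is not Roundcube's code and not the reporter's patch). It models the decode path the debug output implies: a token emitted unescaped into a query string or form body loses '+' to a space and is cut off at '&'. The two sample tokens are constructed to match the shape of the "ST"/"TK" lines above, and the fix shown is the one the reporter proposes: emit tokens only in an alphabet that survives URL decoding unchanged (base64url without padding), then compare in constant time.

```python
import base64
import hmac
import os
import string
import urllib.parse

# Alphabet that passes through URL/form decoding unchanged (RFC 4648 base64url).
URLSAFE_CHARS = set(string.ascii_letters + string.digits + "-_")


def encode_urlsafe(raw: bytes) -> str:
    """Encode random bytes with the base64url alphabet and no padding.

    Standard base64 emits '+', '/' and '=', which do not survive
    application/x-www-form-urlencoded decoding; base64url uses '-' and '_'
    instead, so the token "encodes to itself".
    """
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_token(nbytes: int = 24) -> str:
    """Fresh CSRF token from the OS CSPRNG, already in a URL-safe form."""
    return encode_urlsafe(os.urandom(nbytes))


def form_roundtrip(token: str) -> str:
    """Constructed model of what the server receives when the token was
    written unescaped into a URL or form body: '+' becomes a space and
    '&' terminates the parameter value (the two effects visible in the
    issue's ST/TK debug lines)."""
    return urllib.parse.unquote_plus(token.split("&", 1)[0])


def tokens_match(sess_tok: str, request_tok: str) -> bool:
    """Constant-time comparison of the session token with the submitted one."""
    return hmac.compare_digest(sess_tok.encode(), request_tok.encode())


def survives_roundtrip(token: str) -> bool:
    """True when the token compares equal after the simulated decode."""
    return tokens_match(token, form_roundtrip(token))


if __name__ == "__main__":
    # Constructed tokens shaped like the debug output in the report.
    legacy = "Bla$=BlahBlahBlahBlahBla+=BlahBl"
    print("legacy token survives decoding:", survives_roundtrip(legacy))
    fresh = make_token()
    print("base64url token survives decoding:", survives_roundtrip(fresh))
```

Run as a script it reports the legacy-style token failing and the base64url token passing; the token comparison itself is the place to use a constant-time compare so the CSRF check does not leak prefix matches through timing.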

@rcubetrac

commented Jan 15, 2016

Owner changed by @alecpl on 15 Jan 2016 17:47 UTC

=> alec

@rcubetrac

commented Jan 15, 2016

Milestone changed by @alecpl on 15 Jan 2016 17:47 UTC

later => 1.1.5

@rcubetrac

commented Jan 16, 2016

Comment by @alecpl on 16 Jan 2016 11:16 UTC

Fixed in 3f6fbdc.

@rcubetrac

commented Jan 16, 2016

Status changed by @alecpl on 16 Jan 2016 11:16 UTC

new => closed
