random "access to this resource is secured against CSRF" message at logout #4956

Closed
rcubetrac opened this Issue Jan 15, 2016 · 4 comments

@rcubetrac

Reported by telnetsrl on 15 Jan 2016 14:26 UTC as Trac ticket #1490641

After upgrading my PHP (and forgetting to load the openssl module) very often instead of logging out correctly I get the CSRF warning message. It's pretty gross how I nailed it, but adding

echo ("ST $sess_tok<br>TK $token");

just before

if (empty($sess_id) || $token != $sess_tok) {

in program/lib/Roundcube/rcube.php

I was able to quickly understand why the comparison was failing:

ST Bla$=BlahBlahBlahBlahBla+=BlahBl
TK Bla$=BlahBlahBlahBlahBla =BlahBl

ST Bla_$Bla_BlahB*Blah&%Blah&BlahBl
TK Bla_$Bla_BlahB*Blah

Instead of auditing lots of lines of code seeking a perfect encode/decode path, the most immediate fix is to generate random bytes that encode to themselves (or to load mod_openssl.so in PHP :)
Here is my proposed patch,
regards

Keywords: csrf token urldecode openssl
Migrated-From: http://trac.roundcube.net/ticket/1490641
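The mangling described in the report and a token alphabet that avoids it, as an added example (not Roundcube's own code; it assumes PHP 7+ for random_bytes and hash_equals, and uses hash_equals instead of the loose != comparison quoted above):

```php
<?php
// Added example, not Roundcube's code. Reproduces the failure the report
// describes and shows a token format that survives URL transport.
// Assumes PHP 7+ (random_bytes, hash_equals).

// What $_GET['_token'] ends up holding when a raw token is pasted into the
// query string: '+' decodes to a space and '&' starts the next parameter.
function tokenAfterQueryParse(string $token): string
{
    parse_str('_token=' . $token, $query);   // same decoding rules as $_GET
    return $query['_token'] ?? '';
}

// Token made only of URL-safe base64 characters [A-Za-z0-9_-], so
// urldecode() and the query parser hand it back unchanged.
function urlSafeToken(int $bytes = 24): string
{
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Strict, constant-time comparison of the received token with the session
// copy, in place of the loose '!=' shown in the report.
function tokenMatches(string $sessionToken, string $received): bool
{
    return $sessionToken !== '' && hash_equals($sessionToken, $received);
}

// --- Demonstration with the two values quoted in the report ---
foreach (['Bla$=BlahBlahBlahBlahBla+=BlahBl', 'Bla_$Bla_BlahB*Blah&%Blah&BlahBl'] as $bad) {
    $seen = tokenAfterQueryParse($bad);
    printf("ST %s\nTK %s  match=%s\n\n", $bad, $seen, tokenMatches($bad, $seen) ? 'yes' : 'no');
}

// URL-safe tokens come back identical, so the check passes every time.
for ($i = 0; $i < 1000; $i++) {
    $t = urlSafeToken();
    if (!tokenMatches($t, tokenAfterQueryParse($t))) {
        throw new RuntimeException("token was altered in transit: $t");
    }
}
echo "1000 URL-safe tokens survived the round trip unchanged\n";
```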

@rcubetrac

rcubetrac Jan 15, 2016

Owner changed by @alecpl on 15 Jan 2016 17:47 UTC

=> alec

@rcubetrac

rcubetrac Jan 15, 2016

Milestone changed by @alecpl on 15 Jan 2016 17:47 UTC

later => 1.1.5

@rcubetrac

rcubetrac Jan 16, 2016

Comment by @alecpl on 16 Jan 2016 11:16 UTC

Fixed in 3f6fbdc.

@rcubetrac

rcubetrac Jan 16, 2016

Status changed by @alecpl on 16 Jan 2016 11:16 UTC

new => closed
