[Security Bugs] CSRF + XSS in Change User Profile #49
Comments
Is anybody working on this? |
Hi,
We are planning to implement a token for each form in Simbio for protection against CSRF.
Thank you for your suggestion.
Regards,
On Mon, Jun 5, 2017 at 3:05 AM, matlam ***@***.***> wrote:
Is anybody working on this?
As far as I know there is no protection against CSRF anywhere in slims. It would be good to add it to a central place (maybe in simbio) and use the CSRF protection on all the forms.
--
Open Source is about respecting other people's creations and sharing knowledge with others.
The best of people are those who are most beneficial to others.
http://dicarve.blogspot.com
|
Is there any progress on this or the other security bugs? Do you need any help? |
@trichimtrich and @matlam I have added a CSRF token in the Simbio Form Maker class in commit 2bc5e5e23926d855d997df2d4f40f3217f3a6a8c. Could you please help me check it? Thank you |
I'm not sure if I understand you correctly. Are you asking us to check if your implementation of a CSRF token is correct? Or do you want help in looking for places where a CSRF-Token is needed? I had a quick look at the implementation and noticed two things:
|
@matlam Yes, I need help testing the token implementation, as I have only implemented it on the Bibliography form so far. Currently there is only one valid token in the session; I will add the form name to the token to make sure it only validates the related form. Maybe I should try another hash mechanism such as the hash or sha512 function to generate a random string |
That is better, but it still has a problem if a user opens the same form in two windows. I don't know what the best solution is. Maybe something like this:
But this has the disadvantage that sessions grow over time.
For what purpose? A hash function in itself doesn't create a random string. You could generate one random value per session and use a cryptographic hash function to combine it with the form name. This is slightly less secure, but avoids the growing sessions. And it would allow the resending of the same form, but I'm not sure if that's a good or bad thing. |
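The scheme sketched in the comment above (one random value per session, combined with the form name by a cryptographic hash) as an added example; this is not SLiMS or Simbio code. It uses a plain dict as a stand-in for PHP's $_SESSION, and the `_csrf_secret` key and the form names are assumptions.

```python
import hashlib
import hmac
import secrets

SECRET_KEY = "_csrf_secret"   # assumed name of the session entry holding the secret


def csrf_secret(session: dict) -> bytes:
    """Return the session's one random CSRF secret, creating it on first use."""
    if SECRET_KEY not in session:
        session[SECRET_KEY] = secrets.token_bytes(32)
    return session[SECRET_KEY]


def issue_token(session: dict, form_name: str) -> str:
    """Token for the hidden field of the named form: HMAC-SHA256(secret, form_name).
    Derived, not stored, so the session does not grow, and the same form opened
    in two windows gets the same token (both submissions validate)."""
    return hmac.new(csrf_secret(session), form_name.encode(), hashlib.sha256).hexdigest()


def validate_token(session: dict, form_name: str, submitted: str) -> bool:
    """Recompute the expected token for this session and form; constant-time compare."""
    if SECRET_KEY not in session or not submitted:
        return False  # no secret yet means no form was ever rendered for this session
    expected = issue_token(session, form_name)
    # encode both sides so a non-ASCII submission fails cleanly instead of raising
    return hmac.compare_digest(expected.encode(), submitted.encode())


def rotate_secret(session: dict) -> None:
    """Invalidate every outstanding token at once (e.g. after login or a password change)."""
    session[SECRET_KEY] = secrets.token_bytes(32)


if __name__ == "__main__":
    session = {}                                  # constructed stand-in for $_SESSION
    t1 = issue_token(session, "change_profile")
    t2 = issue_token(session, "change_profile")   # same form in a second window
    assert t1 == t2 and validate_token(session, "change_profile", t1)
    assert not validate_token(session, "bibliography", t1)      # wrong form
    assert not validate_token({}, "change_profile", t1)         # other session
    assert validate_token(session, "change_profile", t1)        # resend still valid
    rotate_secret(session)
    assert not validate_token(session, "change_profile", t1)    # rotated
    print("ok")
```

Because the token is derived rather than stored, the same form can be resubmitted until the secret is rotated; rotating it on login and on password change bounds that window.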
How would it help to add a field for the current password? If the current password doesn't match, the password will not be changed. |
Is there any progress on this? |
In the Change User Profile function, there is no Old password field to confirm a user password change, and also no CSRF token to protect against malicious CSRF requests (reference: OWASP). So when an admin user visits a malicious web page, it will automatically change the admin password to the attacker's password.
Example request:
This will change the admin password to trichimtrich.
And also, there is a stored XSS here too. All the fields realName, eMail and social[xx] have the same problem. Sample request:
&realName=Admin" autofocus onfocus="alert(1)
PoC
![screen shot 2017-05-26 at 8 23 11 pm](https://cloud.githubusercontent.com/assets/7029140/26494426/3217f274-4251-11e7-8329-790b6204b5e4.png)
An attacker can trigger the admin to execute arbitrary JavaScript to do anything.