Hi all,
 
please remember to file security bugs in the non-public area of bugzilla and also be careful with the discussion here:
https://koha-community.org/security/ (we should probably update the list of names)
 
Katrin
 
Sent: Monday, 20 March 2017 at 12:27
From: "Julian Maurice" <julian.maur...@biblibre.com>
To: "koha-devel@lists.koha-community.org" <koha-devel@lists.koha-community.org>
Subject: [Koha-devel] CSRF token problem?
Hi,

I think I found a problem with how we use CSRF tokens.
If a token is discovered by an attacker, and if the user leaves their
session open, the attacker can use the token to impersonate the user on
every CSRF-protected form during 8 hours (Koha::Token::CSRF_EXPIRY_HOURS).

Is this a known issue?

Bug 18124 restricts tokens to a user's session. Maybe it would be good to
restrict them to a particular form too.
To go further, I think we should have a way to invalidate tokens after
their use, so a token can never be used twice.

Any thoughts?

--
Julian Maurice <julian.maur...@biblibre.com>
BibLibre
_______________________________________________
Koha-devel mailing list
Koha-devel@lists.koha-community.org
http://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-devel
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
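The three properties discussed above (token bound to a session, bound to one form, and invalidated after a single use, with the same 8-hour lifetime as CSRF_EXPIRY_HOURS) as an added Python illustration. This is not Koha's Koha::Token code; the secret, session ids and form ids are made up for the example, and the set of spent nonces stands in for whatever server-side store a real deployment would use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed values for the example; a real deployment uses its own secret
# and the web framework's session id.
SECRET = b"example-server-secret-not-real"
EXPIRY_SECONDS = 8 * 3600  # same lifetime as CSRF_EXPIRY_HOURS in the thread


class CsrfTokens:
    """Tokens bound to (session, form), valid for a limited time, usable once."""

    def __init__(self, secret=SECRET, ttl=EXPIRY_SECONDS, clock=time.time):
        self.secret = secret
        self.ttl = ttl
        self.clock = clock      # injectable so expiry can be exercised in a test
        self.consumed = set()   # nonces already spent (server-side state)

    def _mac(self, session_id, form_id, issued, nonce):
        # Session and form ids are part of the MAC input, so a token minted for
        # one session/form fails verification anywhere else.
        msg = f"{session_id}|{form_id}|{issued}|{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def issue(self, session_id, form_id):
        """Mint a token for one form in one session; embed it in that form only."""
        issued = int(self.clock())
        nonce = secrets.token_hex(16)
        return f"{issued}:{nonce}:{self._mac(session_id, form_id, issued, nonce)}"

    def verify(self, token, session_id, form_id):
        """True exactly once per token, and only for the session/form it was minted for."""
        try:
            issued_s, nonce, mac = token.split(":")
            issued = int(issued_s)
        except ValueError:
            return False                                    # malformed
        if self.clock() - issued > self.ttl:
            return False                                    # expired
        expected = self._mac(session_id, form_id, issued, nonce)
        if not hmac.compare_digest(mac, expected):
            return False                                    # wrong session/form or forged
        if nonce in self.consumed:
            return False                                    # replay: already spent
        self.consumed.add(nonce)
        return True
```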