FS#60 - Anwiki should protect against Cross-Site Request Forgery
Opened by Wladimir Palant (trev) - Monday, 22 February 2010, 09:35 GMT
Details

From the look of it, there is no protection against CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) in Anwiki. This allows the following attack scenario: an attacker (who knows where my Anwiki instance is located) posts a link to his site in my forum, disguising it as a legitimate question. When I click it, the attacker's page sends off an invisible form to my Anwiki instance. This request is sent with my cookies, so Anwiki accepts it and executes the requested action (like removing all contents or giving a particular user additional privileges).
The most trivial protection against CSRF: send out the user's session ID as a parameter with all POST forms. This could be done by adding a boolean postForm parameter to the linkMe method - if true, the session ID will be added automatically. All callers generating POST forms need to be adjusted, of course. When POST parameters are evaluated (for example in AnwEnv:_POST) it should be checked whether the session ID parameter is identical to the session ID in the cookie - if they are not, the POST parameters should be ignored. This will do, assuming that all modifying actions use POST forms (which I think they do).
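The check proposed above, written out as an added example that is not Anwiki's own code: every POST form carries the session ID in a hidden field, and the code that reads POST data discards it when the field does not match the session cookie. The helper names, the field name anw_session and the session ID value are assumptions constructed for the example.

```php
<?php
// Added example (not Anwiki code): the CSRF check suggested in this report.
// Every POST form embeds the session ID as a hidden field, and POST data is
// ignored unless that field equals the session ID from the cookie. Helper
// names and the field name 'anw_session' are assumptions.

const CSRF_FIELD = 'anw_session'; // assumed hidden-field name

// Called wherever a POST form is generated (the report proposes a boolean
// $postForm argument on linkMe); returns the hidden input to embed in the form.
// Note: a random per-session token stored server-side would avoid exposing the
// raw session ID in page source; the verification below is identical either way.
function csrfHiddenField(string $sessionId): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
        . htmlspecialchars($sessionId, ENT_QUOTES, 'UTF-8') . '">';
}

// Called where POST parameters are read (AnwEnv::_POST in the report).
// Returns the POST array without the token, or an empty array when the token
// is missing or differs from the cookie's session ID, so the requested action
// sees no parameters and performs nothing.
function filterPost(array $post, ?string $cookieSessionId): array
{
    $token = $post[CSRF_FIELD] ?? null;
    if ($cookieSessionId === null || !is_string($token)
        || !hash_equals($cookieSessionId, $token)) { // constant-time compare
        return [];
    }
    unset($post[CSRF_FIELD]);
    return $post;
}

// Constructed demonstration: a legitimate submission from the wiki's own form
// versus a forged cross-site submission. The attacker's page cannot read the
// victim's cookie, so it cannot fill in a matching token.
$sid = 'd41d8cd98f00b204e9800998ecf8427e'; // constructed session ID
echo csrfHiddenField($sid), "\n";
$own    = ['action' => 'delete', CSRF_FIELD => $sid];
$forged = ['action' => 'delete'];
echo 'own form:    ', filterPost($own, $sid) ? 'accepted' : 'rejected', "\n";
echo 'forged form: ', filterPost($forged, $sid) ? 'accepted' : 'rejected', "\n";
```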