Nope.

On Sep 30, 2008, at 11:57 PM, Ashley wrote:
Might be pretty simple in Cat stuff. The crux of the POST
issue seems to be that the target site's cookies are still safe
from the attacking site's POST.
...

Form template:
<form action="[% c.request.uri() %]" method="post">
[% USE Digest.SHA1 -%]
<input type="hidden" name="csrf_check" value="[% c.sessionid | sha1_hex %]" />
</form>

This won't work because the attacker can grab it by a GET and
while it doesn't expose the sessionid, it does remain constant
for the life of the session. As the white paper suggests, it
has to be pseudo-random and it looks like it has to be per
request. If no one else fields this in the next couple of days
I'll come back to it and post a real solution.

-Ashley
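The alternative Ashley's note points at, a token that is pseudo-random and issued per request rather than derived from the session id, is sketched here as an added example; it is not code from the post or from Catalyst. The `Session` class is a stand-in for a server-side session store (Catalyst::Plugin::Session keeps comparable per-session data), and the `csrf_check` field name is taken from the template above. `weak_token` only reproduces the rejected sha1(sessionid) scheme for contrast.

```python
"""Synchronizer-token CSRF check with per-request, single-use tokens.

Added example, not from the Catalyst list post. Session storage, field
names and the sample session id are assumptions made for illustration.
"""
import hashlib
import hmac
import secrets


class Session:
    """Stand-in for a server-side session store (constructed for this example)."""

    def __init__(self):
        self.data = {}


def weak_token(session_id):
    """The scheme rejected above: sha1(sessionid) is the same value for the
    whole life of the session, so it can be learned once and reused."""
    return hashlib.sha1(session_id.encode()).hexdigest()


def issue_csrf_token(session):
    """Mint a fresh 256-bit random token, remember it server-side, return it
    for embedding in the form. Each rendered form gets its own token."""
    token = secrets.token_hex(32)
    session.data.setdefault("csrf_tokens", set()).add(token)
    return token


def render_form(session, action="/submit"):
    """HTML equivalent of the Template Toolkit form, with a per-request token."""
    token = issue_csrf_token(session)
    return (
        f'<form action="{action}" method="post">\n'
        f'<input type="hidden" name="csrf_check" value="{token}" />\n'
        "</form>"
    )


def verify_csrf(session, submitted):
    """Accept a POST only if it carries a token issued to this very session.
    The token is consumed on success, so a captured value cannot be replayed.
    Comparison is constant-time so the check does not leak token bytes."""
    issued = session.data.get("csrf_tokens", set())
    submitted = submitted or ""
    for token in list(issued):
        if hmac.compare_digest(token, submitted):
            issued.discard(token)
            return True
    return False


if __name__ == "__main__":
    s = Session()
    html = render_form(s)
    token = html.split('value="')[1].split('"')[0]
    print(html)
    print("first use accepted:", verify_csrf(s, token))
    print("replay accepted:", verify_csrf(s, token))
    print("constant weak token:", weak_token("abc123") == weak_token("abc123"))
```

On a real Catalyst application the token set would live in `$c->session`, the form would be rendered with `[% csrf_token %]` instead of `sha1_hex` over the session id, and the POST handler would call the equivalent of `verify_csrf` before doing any state change.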


_______________________________________________
List: Catalyst@lists.scsys.co.uk
Listinfo: http://lists.scsys.co.uk/cgi-bin/mailman/listinfo/catalyst
Searchable archive: http://www.mail-archive.com/catalyst@lists.scsys.co.uk/
Dev site: http://dev.catalyst.perl.org/
