On 02/19/2010 06:43 AM, Florian Weimer wrote:
> * Paul Davis:
>> Do you have any examples of how other sites have protected against
>> this? Unless I'm missing something I don't see how this is specific to
>> Futon so surely someone else has some explicit documentation on how to
>> avoid such things.
>
> The standard countermeasure puts session identifiers into URLs
> (sometimes they are called "form tokens", but this doesn't fit the
> context here).
>
> Upon login, the client could specify if it wants a session with or
> without form tokens.
This:
http://www.cgisecurity.com/csrf-faq.html
is a pretty thorough resource.
One of the first discoveries of the vulnerability was in Zope back in
2000. AFAIK, the issue has still not been fixed there (although it has
been in some CMSes built on top of Zope), which tells you something
about Zope, but also about how exploitable this bug is:
You need to target a specific site that you know is running a particular
back end, craft a POST URL that will do something nasty, and then trick
someone with admin privileges into clicking that link, while being
logged in to the targeted site as admin.
I'm not saying it shouldn't be fixed (with nonce tokens in any form
that does something potentially dangerous, as Florian says), but it's not
threat level 'change underwear'.
eric 'someday soon I'll write a whole mail without mentioning the good
old days of Zope' casteleijn