> -----Original Message-----
> From: Joe Orton
> Sent: Tuesday, 11 March 2008 15:23
> To: [email protected]
> Subject: [PATCH] prevent CSRF in mod_proxy_balancer
> 
> It occurred to me recently that it is relatively simple to prevent 
> "CSRF" attacks against the balancer-handler (see CVE-2007-6420), by 
> generating a "secret" nonce at startup and requiring the presence of 
> that secret in the submitted parameters.
> 
> Any objections?

Just so I understand this correctly: the GET requests that actually make
some configuration changes via the balancer manager become invalid as
soon as httpd is restarted (a graceful restart is not sufficient, correct?).
As long as httpd keeps running, the GET requests remain valid and can be
reused.

Regards

Rüdiger
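A minimal model of the nonce check proposed above, written for this thread as an added example (it is not mod_proxy_balancer's own code; the names balancer_nonce, generate_nonce and nonce_valid and the sample entropy are assumptions): the secret is generated once at startup, every balancer-manager query must carry it, and main() shows the point raised in the reply, namely that the same link replays while the process lives but fails once a restart regenerates the secret.

```c
#include <stdio.h>
#include <string.h>

#define NONCE_BYTES 8
#define NONCE_HEX   (NONCE_BYTES * 2)
/* Per-process secret (hypothetical name, not mod_proxy_balancer's own code).
 * Generated once at startup; a restart yields a fresh value, so management
 * links captured earlier stop validating, as the thread describes. */
static char balancer_nonce[NONCE_HEX + 1];

/* Hex-encode NONCE_BYTES of caller-supplied entropy into the secret.
 * A real server would take these bytes from a CSPRNG at startup. */
void generate_nonce(const unsigned char *entropy) {
    for (int i = 0; i < NONCE_BYTES; i++)
        snprintf(balancer_nonce + 2 * i, 3, "%02x", (unsigned)entropy[i]);
}

/* Constant-time compare so the check does not leak the secret byte by byte. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Return 1 if the query string carries nonce=<current secret>, else 0.
 * Every state-changing balancer-manager request must pass this check. */
int nonce_valid(const char *query) {
    for (const char *p = query; p && *p; ) {
        const char *end = strchr(p, '&');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        if (len >= 6 && strncmp(p, "nonce=", 6) == 0)
            return len - 6 == NONCE_HEX && ct_equal(p + 6, balancer_nonce, NONCE_HEX);
        p = end ? end + 1 : NULL;
    }
    return 0;  /* nonce absent: reject (the cross-site request case) */
}

/* Constructed sample entropy so the demo and tests are deterministic. */
const unsigned char SAMPLE_A[NONCE_BYTES] = {1, 2, 3, 4, 5, 6, 7, 8};
const unsigned char SAMPLE_B[NONCE_BYTES] = {9, 9, 9, 9, 9, 9, 9, 9};

int main(void) {
    char query[128];
    generate_nonce(SAMPLE_A);                        /* httpd startup */
    snprintf(query, sizeof query, "b=mycluster&w=worker1&dw=Disable&nonce=%s", balancer_nonce);
    printf("same process:  valid=%d\n", nonce_valid(query));  /* 1: replay works */
    generate_nonce(SAMPLE_B);                        /* simulate a restart */
    printf("after restart: valid=%d\n", nonce_valid(query));  /* 0: link is dead */
    return 0;
}
```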
