Put CSRF Protection Into Place
| Issue ID: | 503 |
| Issue Category: | bug |
| Component: | core |
| Priority: | critical |
| Status: | fixed |
| Assigned: | zach |
| Milestone: | 0.6 |
| Keywords: | csrf, security |
Many parts of identi.ca seem to be vulnerable to Cross-Site Request Forgery. As an example, if I can convince somebody to go to a page I can make arbitrary GET or POST requests to various forms (post an update, delete an update, etc) as there are no authentication tokens on forms.
HTTP POST requests are not quite as easily taken advantage of, but it can still be done. Evidence of this type of bug was recently seen over on Twitter with the auto-follow issues.

Updates
#1
Attempting to bump this up as this really should be made a priority and taken care of sooner than later.
#2
Hi. I think I mentioned previously that we are NOT going to fix this bug until after Sep 30, 2008. We've called this our "Version 0 API" (see http://laconi.ca/trac/wiki/Version0API).
As far as I know we do NOT have any GET URLs that will take write action on the database. I'll happily change those if they can be found.
#3
The concern, though, is that POST URLs are susceptible to this as well. While it's not quite as easy as sticking an img tag in a forum, if I can get a user to browse to a specific url (simply by posting an enticing tinyurl on identi.ca, for example), I can take any action on the identi.ca site as that user - posting an update, changing subscriptions, etc.
That's a pretty serious vulnerability if somebody decided to take malicious advantage of it.
#4
I'm closing this one now that auth tokens have been added to all forms.
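As an added illustration of the fix noted in #4 (auth tokens on all forms) and the GET/POST point raised in #2, and not code from Laconica/identi.ca itself: a minimal Python model in which every state-changing form carries a per-session token that the server checks before acting. The Session class, the field names and the handler are assumptions made for the example.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Hypothetical logged-in session; the token is minted once per session
    and never exposed to other origins, so a forged page cannot read it."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


def render_form_token(session: Session) -> str:
    """Hidden field that every state-changing form must embed."""
    return f'<input type="hidden" name="token" value="{session.csrf_token}">'


def handle_post_notice(session: Session, method: str, params: dict) -> str:
    """Server-side handler for the 'post an update' action.

    Writes are refused on GET (so an <img> tag cannot trigger one), and a
    POST is accepted only when its token matches the session's token.
    """
    if method != "POST":
        return "405 Method Not Allowed"
    submitted = params.get("token", "")
    # Constant-time comparison avoids leaking the token through timing.
    if not hmac.compare_digest(submitted, session.csrf_token):
        return "403 Forbidden: bad or missing CSRF token"
    status = params.get("status_textarea", "")
    return f"201 Created: {session.user} posted {status!r}"


if __name__ == "__main__":
    s = Session(user="alice")
    # A cross-site page knows the form's field names but not the token.
    forged = {"status_textarea": "spam", "token": "guess"}
    print(handle_post_notice(s, "POST", forged))
    # The site's own form includes the hidden token and succeeds.
    genuine = {"status_textarea": "hello", "token": s.csrf_token}
    print(handle_post_notice(s, "POST", genuine))
```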