You are viewing an old version of this page. View the current version.

Compare with Current View Page History

« Previous Version 2 Next »

magnolia admincentral is vulnerable to CSRF attacks. 

See:  MAGNOLIA-5807 - Getting issue details... STATUS

A good resource about the vulnerability is: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet

Status

We looked into the token method but are concerned that too many things must be changed to implement it.

And that this could cause problems for existing magnolia installations.

Investigate Referrer Method

https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Checking_The_Referer_Header

Referer header example: Referer: http://demoauthor45.magnolia-cms.com/.magnolia/trees/website.html?mgnlCK=1404726339576

But I dont understand all of these statements:

  • For example, open redirect vulnerabilities can be used to exploit GET-based requests that are protected with a referer check 
    • Does this mean someone can take advantage of a browsers broken redirect behaviour to make the referer header set to the wrong value?
  • and some organizations or browser tools remove referrer headers as a form of data protection.
    • This is OK. That organization would have to turn the referrer headers back on.
  • There are also common implementation mistakes with referer checks. For example if the CSRF attack originates from an HTTPS domain then the referer will be omitted. In this case the lack of a referer should be considered to be an attack when the request is performing a state change.
    • Can we simply consider all requests with no referrer to be an attack?
    • What is this implying about HTTPS requests? Is the Referrer header not included? Is it not readable on the server?
This we can be sure to cover:
  • For example, if the victim's domain is "site.com" then an attacker have the CSRF exploit originate from "site.com.attacker.com" which may fool a broken referer check implementation. XSS can be used to bypass a referer check.

Support existing installation: WhiteList? Special Code? Tokens??!?

Should it be possible to configure a white list of additional referrers? Perhaps some integrations would like to make direct requests from external servers, or would this be introducing too great of a vulnerabilty?

Notes

"And in addition to that we also have the fact that referring websites can remove the Referer header with tricks like META refresh"


http://en.wikipedia.org/wiki/HTTP_referer

Most web browsers do not send the referer field when they are instructed to redirect using the "Refresh" field. 

If a website is accessed from a HTTP Secure (HTTPS) connection and a link points to anywhere except another secure location, then the referer field is not sent.[9] "Clients SHOULD NOT include a Referer[sic] header field in a (non-secure) HTTP request if the referring page was transferred with a secure protocol"

FYI: Meta tag referrer

http://smerity.com/articles/2013/where_did_all_the_http_referrers_go.html

 

  • No labels