Security Update: Please help testing

Posted: Sun Oct 18, 2020 12:11 pm
by Arvid
Addressing a possible cross-site request forgery (CSRF) attack, I published the beta version of FlatPress 1.1.1.
Please take a look at it and tell me if everything works fine - thank you very much!

Details and download on the FlatPress project blog: https://www.flatpress.org/2020/10/18/se ... p-testing/

Thanks a lot,
Arvid

Re: Security Update: Please help testing

Posted: Tue Oct 27, 2020 10:35 pm
by Croikey
Thanks for working on this update! There is a minor quirk I noticed, which can be replicated as follows:
  1. Start with the current stable release and login
  2. Update to the preview release
  3. At this point you should still be logged in (i.e., you never logged out)
  4. Go to the uploads area and try to delete an item (notice that the CSRF token in the URL is empty)
  5. Trying to delete an image doesn't work, because we check to see if the CSRF token has been passed but it hasn't
If you don't see this, it might be because you already tested the security fix. So, be sure to clear your session data before rolling back to the stable release.

Of course, logging out and logging back in fixes things, but this could still catch users off-guard. Perhaps we could modify the new function sess_getCsrfToken() so that:
  • If a CSRF token is not set and the user is logged in, call sess_setCsrfToken()
  • It then returns the token as it currently does

Re: Security Update: Please help testing

Posted: Tue Oct 27, 2020 10:39 pm
by Croikey
One other thought, and thinking of the principle of security in depth: as currently implemented, a token is set once (each time a user logs in) and stays the same until the user logs out. When they log back in again, it is refreshed. However, might it be better to have a more specific 'number once' token?

We could draw inspiration here from WordPress and its concept of nonces: https://codex.wordpress.org/WordPress_Nonces
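Added sketch of both suggestions in this thread (lazy token creation from the first reply, per-action nonces from the second). This is example code, not FlatPress's own implementation: only the names sess_getCsrfToken() and sess_setCsrfToken() come from the thread, the other functions and the session key are assumed, and session_start() is assumed to have already run.

```php
<?php
// Example only (not FlatPress code). Assumes session_start() was called and
// that the caller has already checked the user is logged in.

function sess_setCsrfToken(): string {
    // 32 CSPRNG bytes, hex-encoded (64 chars), stored in the session.
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

function sess_getCsrfToken(): string {
    // Lazy initialisation: a session that pre-dates the upgrade has no token,
    // so mint one here instead of returning an empty string (the quirk above).
    if (empty($_SESSION['csrf_token'])) {
        return sess_setCsrfToken();
    }
    return $_SESSION['csrf_token'];
}

function sess_checkCsrfToken(string $submitted): bool {
    // hash_equals() is constant-time; an empty submitted token never passes.
    return $submitted !== '' && hash_equals(sess_getCsrfToken(), $submitted);
}

// Per-action nonce in the WordPress style: derived from the session token and
// the action string, so a nonce minted for deleting one file cannot be replayed
// against another action. (WordPress nonces additionally expire by time
// window; that part is omitted here.)
function sess_createNonce(string $action): string {
    return hash_hmac('sha256', $action, sess_getCsrfToken());
}

function sess_verifyNonce(string $nonce, string $action): bool {
    return $nonce !== '' && hash_equals(sess_createNonce($action), $nonce);
}

// Usage (URL path is a placeholder): build the delete link, then verify the
// nonce in the handler before acting.
// $url = '/PLACEHOLDER-uploads-admin?action=delete&file=' . urlencode($file)
//      . '&nonce=' . sess_createNonce('delete:' . $file);
//
// $file = $_GET['file'] ?? '';
// if (!sess_verifyNonce($_GET['nonce'] ?? '', 'delete:' . $file)) {
//     http_response_code(403);
//     exit('Invalid or missing CSRF nonce');
// }
```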