Security Update: Please help testing

General information and announcements regarding the FlatPress project
Arvid
FlatPress Coder
Posts: 558
Joined: Sat Jan 26, 2019 7:40 pm

Security Update: Please help testing

Post by Arvid » Sun Oct 18, 2020 12:11 pm

Addressing a possible cross-site request forgery (CSRF) attack, I published the beta version of FlatPress 1.1.1.
Please take a look at it and tell me if everything works fine - thank you very much!

Details and download on the FlatPress project blog: https://www.flatpress.org/2020/10/18/se ... p-testing/

Thanks a lot,
Arvid

Croikey
Posts: 3
Joined: Tue Oct 27, 2020 10:17 pm

Re: Security Update: Please help testing

Post by Croikey » Tue Oct 27, 2020 10:35 pm

Thanks for working on this update! There is a minor quirk I noticed, which can be replicated as follows:
  1. Start with the current stable release and log in
  2. Update to the preview release
  3. At this point you should still be logged in (i.e., you never logged out)
  4. Go to the uploads area and try to delete an item (notice that the CSRF token in the URL is empty)
  5. Trying to delete an image doesn't work, because we check to see if the CSRF token has been passed but it hasn't
If you don't see this, it might be because you already tested the security fix. So, be sure to clear your session data before rolling back to the stable release.

Of course, logging out and logging back in fixes things, but this could still catch users off guard. Perhaps we could modify the new function sess_getCsrfToken() so that:
  • If a CSRF token is not set and the user is logged in, call sess_setCsrfToken()
  • It then returns the token as it currently does
Last edited by Croikey on Tue Oct 27, 2020 10:41 pm, edited 3 times in total.
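The lazy-creation fix proposed in the post above, as an added example. This is not FlatPress code: the function names sess_getCsrfToken() and sess_setCsrfToken() are taken from the thread, but their bodies, the is_logged_in() helper, the sess_checkCsrfToken() verifier and the $_SESSION layout are assumptions made for the illustration. The simulated session at the bottom is constructed to reproduce the upgrade scenario (logged in under the old release, so no token present).

```php
<?php
declare(strict_types=1);

// Added example (not FlatPress code). Session key name is an assumption.
const CSRF_SESSION_KEY = 'csrf_token';

function is_logged_in(): bool
{
    // Assumed: an authenticated FlatPress session carries the user name.
    return !empty($_SESSION['user']);
}

function sess_setCsrfToken(): string
{
    // 32 bytes from the CSPRNG, hex-encoded (64 characters).
    $token = bin2hex(random_bytes(32));
    $_SESSION[CSRF_SESSION_KEY] = $token;
    return $token;
}

function sess_getCsrfToken(): string
{
    // The change suggested in the post: a logged-in session that has no
    // token yet (for example one created by the previous release) gets one
    // on first use instead of producing an empty token in every admin link.
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        if (!is_logged_in()) {
            return '';   // anonymous sessions never carry a token
        }
        return sess_setCsrfToken();
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

function sess_checkCsrfToken(?string $submitted): bool
{
    // Reject missing or empty tokens outright, then compare in constant
    // time so the check does not leak the token byte by byte.
    $expected = $_SESSION[CSRF_SESSION_KEY] ?? '';
    if ($submitted === null || $submitted === '' || $expected === '') {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// --- demonstration with a constructed pre-upgrade session -----------------
// Simulates the thread's scenario: the user logged in under the stable
// release, then the beta was installed, so the session has no token.
$_SESSION = ['user' => 'admin'];

$legacyToken = $_SESSION[CSRF_SESSION_KEY] ?? '';   // what the old session holds
$freshToken  = sess_getCsrfToken();                 // created lazily on first use

printf("token from the old session accepted: %s\n",
    var_export(sess_checkCsrfToken($legacyToken), true));
printf("lazily created token accepted: %s\n",
    var_export(sess_checkCsrfToken($freshToken), true));
printf("token stable for the rest of the session: %s\n",
    var_export(sess_getCsrfToken() === $freshToken, true));

// Logging out must drop the token together with the rest of the session,
// otherwise a later login would reuse it.
$_SESSION = [];
printf("token survives logout: %s\n",
    var_export(sess_checkCsrfToken($freshToken), true));
```

Run with `php example.php`. The point of the empty-string guard in sess_checkCsrfToken() is that a session without a token must fail closed: an empty submitted token must never match an empty stored one, which is exactly the state an upgraded session is in before the lazy creation runs.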


Re: Security Update: Please help testing

Post by Croikey » Tue Oct 27, 2020 10:39 pm

One other thought, and thinking of the principle of security in depth: as currently implemented, a token is set once (each time a user logs in) and stays the same until the user logs out. When they log back in again, it is refreshed. However, might it be better to have a more specific 'number once' token?

We could draw inspiration here from WordPress and its concept of nonces: https://codex.wordpress.org/WordPress_Nonces
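A per-action, time-limited nonce in the style of the WordPress scheme linked above, as an added example. This is neither FlatPress nor WordPress code; it only borrows the idea of binding a short HMAC to an action name and a coarse time tick, accepting the current and the previous tick. The function names, the per-session secret, the tick length and the session layout are assumptions made for the illustration.

```php
<?php
declare(strict_types=1);

// Added example (not FlatPress or WordPress code). Every name below is an
// assumption made for this illustration.
const NONCE_SESSION_KEY  = 'nonce_secret';
const NONCE_TICK_SECONDS = 12 * 3600;   // coarse validity window, as WordPress uses
const NONCE_LENGTH       = 20;          // hex characters kept from the HMAC (80 bits)

function nonce_secret(): string
{
    // One random secret per session; cleared with the session on logout,
    // which invalidates every nonce issued during that session.
    if (empty($_SESSION[NONCE_SESSION_KEY])) {
        $_SESSION[NONCE_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[NONCE_SESSION_KEY];
}

function nonce_tick(int $now): int
{
    return intdiv($now, NONCE_TICK_SECONDS);
}

function nonce_compute(string $action, int $tick): string
{
    // Binding the action name into the MAC is what makes the nonce specific:
    // a nonce minted for one delete link cannot be replayed against another.
    $mac = hash_hmac('sha256', $action . '|' . $tick, nonce_secret());
    return substr($mac, 0, NONCE_LENGTH);
}

function nonce_create(string $action, ?int $now = null): string
{
    return nonce_compute($action, nonce_tick($now ?? time()));
}

function nonce_verify(string $action, string $nonce, ?int $now = null): bool
{
    if ($nonce === '') {
        return false;   // fail closed on a missing parameter
    }
    $tick = nonce_tick($now ?? time());
    // Accept the current tick and the one before it, so a page rendered just
    // before a tick boundary still works; anything older is rejected.
    foreach ([$tick, $tick - 1] as $candidate) {
        if (hash_equals(nonce_compute($action, $candidate), $nonce)) {
            return true;
        }
    }
    return false;
}

// --- demonstration with a constructed session and a fixed clock -----------
$_SESSION = ['user' => 'admin'];
$now = 1_603_000_000;   // constructed timestamp so the run is reproducible

// Tie the nonce to the exact object being acted on, not just the verb.
$deleteNonce = nonce_create('delete-upload:photo.jpg', $now);

printf("same action, same window:      %s\n",
    var_export(nonce_verify('delete-upload:photo.jpg', $deleteNonce, $now), true));
printf("different file, same nonce:    %s\n",
    var_export(nonce_verify('delete-upload:other.jpg', $deleteNonce, $now), true));
printf("one tick later (still valid):  %s\n",
    var_export(nonce_verify('delete-upload:photo.jpg', $deleteNonce, $now + NONCE_TICK_SECONDS), true));
printf("two ticks later (expired):     %s\n",
    var_export(nonce_verify('delete-upload:photo.jpg', $deleteNonce, $now + 2 * NONCE_TICK_SECONDS), true));

// Logout discards the session secret, so the old nonce no longer verifies
// even inside its time window.
$_SESSION = ['user' => 'admin'];
printf("after logout/login:            %s\n",
    var_export(nonce_verify('delete-upload:photo.jpg', $deleteNonce, $now), true));
```

Because the nonce is recomputed from the session secret, the action and the tick, nothing needs to be stored per form, which keeps the change small for a file-based system like FlatPress. Note that this is not a strict single-use nonce either: within the window the same value verifies repeatedly, which is the same trade-off WordPress makes.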
