Addressing a possible cross-site request forgery (CSRF) attack, I published the beta version of FlatPress 1.1.1.
Please take a look at it and tell me if everything works fine - thank you very much!
Details and download on the FlatPress project blog: https://www.flatpress.org/2020/10/18/se ... p-testing/
Thanks a lot,
Arvid
Security Update: Please help testing
Re: Security Update: Please help testing
Thanks for working on this update! There is a minor quirk I noticed, which can be replicated as follows:
- Start with the current stable release and login
- Update to the preview release
- At this point you should still be logged in (ie, you never logged out)
- Go to the uploads area and try to delete an item (notice that the CSRF token in the URL is empty)
- Trying to delete an image doesn't work, because we check to see if the CSRF token has been passed but it hasn't
Of course, logging out and logging back in fixes things but this still could catch users off-guard. Perhaps we could modify new function sess_getCsrfToken() so that:
- If a CSRF token is not set and the user is logged in, call sess_setCsrfToken()
- It then returns the token as it currently does
Last edited by Croikey on Tue Oct 27, 2020 10:41 pm, edited 3 times in total.
Re: Security Update: Please help testing
One other thought, and thinking of the principle of security in depth: as currently implemented, a token is set once (each time a user logs in) and stays the same until the user logs out. When they log back in again, it is refreshed. However, might it be better to have a more specific 'number once' token?
We could draw inspiration here from WordPress and its concept of nonces: https://codex.wordpress.org/WordPress_Nonces
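One way to implement both suggestions in this thread, as an added example and not FlatPress's own code: sess_getCsrfToken() creates a missing token for a session that was logged in before the update, and per-action nonces in the WordPress style are derived from that token. The function names sess_getCsrfToken() and sess_setCsrfToken() come from the thread; their bodies, the session keys, user_loggedin() and the nonce helpers are assumptions.

```php
<?php
// Added example (not FlatPress code). Assumes sessions are already started.

function user_loggedin(): bool {
    // Assumption: an authenticated session carries a user id.
    return !empty($_SESSION['userid']);
}

function sess_setCsrfToken(): string {
    $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    return $_SESSION['csrf_token'];
}

function sess_getCsrfToken(): string {
    // Fix for the quirk reported above: a session created by the previous
    // release has no token yet, so create one instead of returning ''.
    if (empty($_SESSION['csrf_token']) && user_loggedin()) {
        return sess_setCsrfToken();
    }
    return $_SESSION['csrf_token'] ?? '';
}

// WordPress-style nonce: bound to the session token, an action name and a
// time window, so a value copied from a "delete upload" link is not valid
// for another action and expires on its own.
function sess_createNonce(string $action, int $ttl = 3600): string {
    $tick = intdiv(time(), $ttl);
    return $tick . ':' . hash_hmac('sha256', $action . '|' . $tick, sess_getCsrfToken());
}

function sess_verifyNonce(string $nonce, string $action, int $ttl = 3600): bool {
    $key = sess_getCsrfToken();
    if ($key === '' || strpos($nonce, ':') === false) {
        return false;                      // no session token or malformed nonce
    }
    [$tick, $mac] = explode(':', $nonce, 2);
    $now = intdiv(time(), $ttl);
    // Accept only the current and the immediately previous window.
    if (!ctype_digit($tick) || (int)$tick > $now || $now - (int)$tick > 1) {
        return false;
    }
    $expected = hash_hmac('sha256', $action . '|' . $tick, $key);
    return hash_equals($expected, $mac);   // constant-time compare
}

// Usage in the uploads handler (assumed entry point and parameter name):
// if (!sess_verifyNonce($_GET['nonce'] ?? '', 'delete-upload')) { http_response_code(403); exit; }
```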