Hi, I think I found a problem with how we use CSRF tokens. If a token is discovered by an attacker, and if the user leaves their session open, the attacker can use the token to impersonate the user on every CSRF-protected form during 8 hours (Koha::Token::CSRF_EXPIRY_HOURS). Is this a known issue ? Bug 18124 restricts token to a user's session. Maybe it would be good to restrict to a particular form too. To go further, I think we should have a way to invalidate tokens after their use, so a token can never be used twice. Any thoughts ? -- Julian Maurice <julian.maurice@biblibre.com> BibLibre
On Mar 20, 2017 7:54 AM, "Katrin Fischer" <Katrin.Fischer.83@web.de> wrote: Hi all, please remember to file security bugs in the non-public area of bugzilla and also be careful with the discussion here: https://koha-community.org/security/ (we should probably update the list of names) The update should include module maintainers. This would go a ways toward heading off problems such as this: https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=18044#c3 Kind regards, Chris
participants (3)
-
Christopher Nighswonger -
Julian Maurice -
Katrin Fischer