Feature Proposal: CSRF Fix for TWiki

Motivation

The fix discussed in SecurityAlert-CVE-2009-1339 is not a complete fix for CSRF attacks.

Examples can be provided on request. I can post the examples to this proposal/Bug once CSRF is fixed for TWiki.

Description and Documentation

We can have a fix based on tokens:

  • Create a token for each form that modifies the content of TWiki topics or their metadata.
  • The tokens accompany the requests of the various content-modifying actions, such as "save", "register" and "comment".
  • Valid tokens are verified while performing the secured actions; a successfully verified token is expired from the token database.
  • False tokens and already used tokens throw an error.
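The token scheme sketched above, as an added illustration that is not part of this proposal or of TWiki's own code: an in-memory token database (a hypothetical stand-in for whatever store TWiki would use), a form-rendering step that issues one token per form, and a dispatcher that requires a live token for the secured actions. The hidden-field name `csrf_token`, the session ids and the `SECURED_ACTIONS` set are constructed for the example. Each token is bound to one session and one action, has a time limit, and is deleted the first time it verifies, so a replayed or foreign token fails exactly as the proposal's last bullet requires.

```python
import hmac
import os
import time
from typing import Callable, Dict, List, Optional, Tuple

# The proposal's "secured actions": requests that modify topics or metadata.
# Constructed for this example; "view" is deliberately absent.
SECURED_ACTIONS = {"save", "register", "comment"}


class CsrfTokenStore:
    """Hypothetical in-memory token database.

    Each content-modifying form gets its own random token. A token is bound to
    the session that received it and to one action, lives for a limited time,
    and is removed the first time it verifies successfully.
    """

    def __init__(self, ttl_seconds: float = 3600.0,
                 clock: Callable[[], float] = time.time) -> None:
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised offline
        # token -> (session_id, action, expires_at)
        self._tokens: Dict[str, Tuple[str, str, float]] = {}

    def issue(self, session_id: str, action: str) -> str:
        """Create a fresh token for one form; it becomes the form's hidden field."""
        token = os.urandom(32).hex()  # 256 bits from the OS CSPRNG, not guessable
        self._tokens[token] = (session_id, action, self._clock() + self._ttl)
        return token

    def verify_and_consume(self, session_id: str, action: str,
                           token: Optional[str]) -> bool:
        """Return True once for a valid token, then forget it so replays fail."""
        if not token:
            return False
        entry = self._tokens.get(token)
        if entry is None:
            return False  # never issued or already used: a "false token"
        bound_session, bound_action, expires_at = entry
        if self._clock() > expires_at:
            del self._tokens[token]  # stale token: drop it and reject
            return False
        # compare_digest keeps the binding check free of timing leaks
        if not (hmac.compare_digest(bound_session, session_id)
                and hmac.compare_digest(bound_action, action)):
            return False  # token belongs to another session or another form
        del self._tokens[token]  # successful verification expires the token
        return True


def render_form(store: CsrfTokenStore, session_id: str, action: str) -> Dict[str, str]:
    """Stand-in for form rendering: the token travels as a hidden field."""
    return {"action": action, "csrf_token": store.issue(session_id, action)}


def handle_request(store: CsrfTokenStore, session_id: str, params: Dict[str, str]) -> str:
    """Stand-in for the request dispatcher: secured actions need a live token."""
    action = params.get("action", "view")
    if action in SECURED_ACTIONS:
        if not store.verify_and_consume(session_id, action, params.get("csrf_token")):
            return "error: missing, invalid or already used CSRF token"
    return f"ok: {action} performed"


def walkthrough() -> List[str]:
    """Legitimate save, then the three requests the scheme is meant to reject."""
    store = CsrfTokenStore(ttl_seconds=60)
    form = render_form(store, "sess-A", "save")          # user opens the edit form
    results = [handle_request(store, "sess-A", form)]    # user submits it
    results.append(handle_request(store, "sess-A", form))  # same token replayed
    results.append(handle_request(store, "sess-A", {"action": "save"}))  # cross-site POST, no token
    foreign = render_form(store, "sess-B", "save")       # token issued to another session
    results.append(handle_request(store, "sess-A", foreign))
    return results


if __name__ == "__main__":
    for line in walkthrough():
        print(line)
```

Only the first request in `walkthrough()` succeeds; the replay, the token-less request and the other session's token all hit the error branch. Binding the token to the action as well as the session means a token issued for a "comment" form cannot be redirected to a "save" request.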

Examples

Impact

Implementation

-- Contributors: SopanShewale - 2009-07-30

Discussion

This is documented for admins at SecurityAuditTokenBasedCsrfFix

-- PeterThoeny - 2009-09-02

This is now released with TWiki-4.3.2

-- PeterThoeny - 2009-09-28

Topic revision: r3 - 2009-09-28 - PeterThoeny