MyBB Community Forums

Full Version: Cross Site Request Forgeries (CSRF)
Pages: 1 2
The sad thing is that it's really easy to send a POST to an offsite page with PHP.
labrocca Wrote: Forgive me if I am wrong, but can't the img tag also be cleaned better to check for an actual image? I would think that easier to fix.

I remember when img bbcodes were exploited for SQL injection... easily fixed then.
As pointed out, you cannot. Besides, [img] isn't the only way to link to your pictures - avatars are one more way; I'm sure there are others. It is not difficult to code up a PHP script that sends a valid 15x15 image if the request comes from your forum server's IP, and a redirect otherwise.

CraKteR Wrote: The sad thing is that it's really easy to send a POST to an offsite page with PHP.
cURL? Unless the PHP page is in the same domain as your forum, the PHP script won't have access to your users' cookies and won't impersonate them. A redirect, however, will.

One annoying thing that can be done with this (found it at ha.ckers.org) is redirecting to a mailto: link, which will spawn your e-mail client with a "Write New E-Mail" window open, and it is possible to include a default recipient and message that way...
Well, I think it should be browsers that implement ways to check for a proper image, proper JavaScript etc. and prevent CSRF issues.

And yeah, CraKteR, malicious users won't be able to force forum users into sending a POST request unless they are able to find XSS vulnerabilities. An offsite POST request won't be of much use, as the cookies are only accessible by the domain they were set at, as dcoder mentioned.
As far as I know, it's very possible to send cookies as well.
Why should the browser send the cookies from your.forum.com when requesting bad.guy.ws/a.png? The bad script won't have the good guy's cookie info and therefore won't be able to impersonate him.
cURL can deal with cookies, and can impersonate a user.

Proof: I use a script called Croissanga with my WordPress to log in to my Xanga and post an article there whenever I post something on my WordPress.
Yes, it can. If it has those cookies in the first place.
Quote: Why should the browser send the cookies from your.forum.com when requesting bad.guy.ws/a.png?
For those that don't get it: Cross-Site Request Forgeries; what they are, how they work, and how you can defend against them.
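An added example, not code from this thread or from MyBB itself: a toy Python model of the three points argued above. It plays out (1) an attacker's server-side script hitting the forum without the victim's cookies, (2) an image URL that hands the forum server a real image but redirects every browser to a state-changing forum URL, which the victim's browser then requests with the forum's own cookies attached, and (3) the per-session token check that the linked article describes as the defence. The hostnames, the IP addresses (TEST-NET ranges), the /action.php endpoint and the "delete_post" action are all hypothetical stand-ins.

```python
"""Toy model of cookie scoping, image-redirect CSRF and a token defence.
Added example, not from the MyBB thread; every host, address and path is
a hypothetical stand-in."""
import secrets
from urllib.parse import parse_qs, urlsplit

FORUM_HOST = "your.forum.com"          # hypothetical
ATTACKER_HOST = "bad.guy.ws"           # hypothetical
FORUM_SERVER_IP = "203.0.113.10"       # hypothetical: forum's outbound address
VICTIM_IP = "198.51.100.7"             # hypothetical: a logged-in user's address
FAKE_PNG = b"\x89PNG\r\n\x1a\n"        # stand-in for a real 15x15 image


class Forum:
    """A session cookie identifies the user; /action.php changes state.
    With require_token=True the endpoint also demands a per-session secret
    that only pages served from FORUM_HOST can embed in their links."""

    def __init__(self, require_token):
        self.require_token = require_token
        self.sessions = {}   # sid -> username
        self.tokens = {}     # sid -> CSRF token
        self.actions = []    # (username, action) that actually happened

    def login(self, username):
        sid = secrets.token_hex(8)
        self.sessions[sid] = username
        self.tokens[sid] = secrets.token_hex(16)
        return sid

    def handle(self, path, query, cookies):
        """Tiny HTTP handler: returns (status, headers, body)."""
        sid = cookies.get("sid")
        user = self.sessions.get(sid)
        if user is None:
            return 403, {}, b"not logged in"
        if path != "/action.php":
            return 404, {}, b"no such page"
        if self.require_token and query.get("token") != self.tokens[sid]:
            return 403, {}, b"missing or wrong csrf token"
        self.actions.append((user, query.get("do")))
        return 200, {}, b"done"


def attacker_image(client_ip):
    """bad.guy.ws/a.png: give the forum server (which may fetch the URL to
    check that it is an image) a real image; send every browser elsewhere."""
    if client_ip == FORUM_SERVER_IP:
        return 200, {"Content-Type": "image/png"}, FAKE_PNG
    target = f"http://{FORUM_HOST}/action.php?do=delete_post"
    return 302, {"Location": target}, b""


class Browser:
    """Follows redirects and, like a real browser, attaches to each request
    only the cookies stored for that request's host."""

    def __init__(self, forum, ip):
        self.forum = forum
        self.ip = ip
        self.jar = {}   # host -> {cookie name: value}

    def fetch(self, url, max_redirects=5):
        for _ in range(max_redirects + 1):
            u = urlsplit(url)
            query = {k: v[0] for k, v in parse_qs(u.query).items()}
            cookies = self.jar.get(u.hostname, {})   # scoped to this host only
            if u.hostname == ATTACKER_HOST:
                status, headers, body = attacker_image(self.ip)
            elif u.hostname == FORUM_HOST:
                status, headers, body = self.forum.handle(u.path, query, cookies)
            else:
                raise ValueError(f"unknown host {u.hostname}")
            if status == 302:
                url = headers["Location"]   # next loop looks up the new host's cookies
                continue
            return status, body
        raise RuntimeError("redirect loop")


def run_scenario(require_token):
    """Play out the thread's claims and return what happened."""
    forum = Forum(require_token)
    sid = forum.login("alice")
    victim = Browser(forum, VICTIM_IP)
    victim.jar[FORUM_HOST] = {"sid": sid}
    # 1. Attacker's own server-side script (cURL) never held alice's cookie.
    curl_status, _, _ = forum.handle("/action.php", {"do": "delete_post"}, {})
    # 2. The forum server validates the [img] URL and sees a real image.
    img_status, img_headers, _ = attacker_image(FORUM_SERVER_IP)
    # 3. Alice views a post embedding the image; her browser follows the
    #    redirect and sends her forum cookie along with it.
    victim_status, _ = victim.fetch(f"http://{ATTACKER_HOST}/a.png")
    # 4. Alice's own click on a same-origin link that carries the token.
    own_query = {"do": "edit_post", "token": forum.tokens[sid]}
    own_status, _, _ = forum.handle("/action.php", own_query, {"sid": sid})
    return {
        "curl": curl_status,
        "server_sees_image": img_status == 200
        and img_headers.get("Content-Type") == "image/png",
        "victim": victim_status,
        "own": own_status,
        "actions": list(forum.actions),
    }


if __name__ == "__main__":
    for flag in (False, True):
        print("require_token =", flag, run_scenario(flag))
```

Without the token check the victim's browser completes "delete_post" as alice even though the attacker never saw her cookie, while the attacker's direct request is refused as "not logged in" and the forum's own image check is satisfied. With the token check, the redirected request still carries the cookie but cannot carry a token the attacker has no way to read, so it is rejected, and only alice's own same-origin link (which embeds the token) succeeds.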