(2018-08-19, 01:43 PM)Serpius Wrote: (2018-08-19, 11:26 AM)effone Wrote: Would also like to mention there is another flag available in MyBB which is called "SameSite Cookie Flag". This has been introduced very recently and simultaneously implemented to prevent "Cross-Site Request Forgery" aka CSRF attacks.
Enabling this results in securing authentication and of course recommended to enable in general cases (unless you are not using / expecting cross-origin post requests).
For a clueless dolt like me, how do CSRF attacks differ from XSS attacks?
XSS attacks involve injecting code that makes browsers perform unwanted actions, such as attempting to delete or modify posts without user interaction, passing sensitive information (like login keys) to someone else or redirecting users to deceitful sites.
Patches for XSS vulnerabilities are usually limited to "escaping" input values that get submitted by users (so HTML code is displayed, but not executed).
It's always been obvious that users shouldn't be able to execute HTML, but in MyBB 1.8's ACP the line between a vulnerability and a feature can sometimes be blurry because there's no information on what settings are actually intended to support HTML - that results in issues like https://github.com/mybb/mybb/issues/3383, where administrators input HTML to e.g. show images with security questions. Many settings are unfiltered for various reasons and for that reason we assume that anyone with ACP access can insert HTML and perform XSS attacks, so that permission should be granted with caution.
CSRF attacks also rely on imitating users' requests to MyBB, but in this case no malicious code is inserted directly, and all possible outcomes are possible to achieve by normal user activity. In this case, MyBB could be tricked to believe that a "Delete" link for some post was clicked, even if that link was placed on a different website, with an innocuous title.
This threat is usually mitigated by verifying anti-CSRF codes (sometimes "CSRF codes", "tokens") that are attached to such links and buttons across MyBB - external links won't work because the attackers don't have the user-specific code (in MyBB, included in the HTML source code usually named my_post_key - the main reason why the full page source shouldn't be shared, which sometimes happens on our support forums).
The mentioned sameSite cookie flag is an additional layer of protection that also prevents login cookies from being included when external links are followed to MyBB, effectively making users logged out for that request.
The recent Login CSRF patch addressed a CSRF vulnerability by including an anti-CSRF code for guests, without which it could've been possible for attackers to make someone logged in under a different account (an easy starting point for other, directly harmful attacks).