Bugtraq mailing list archives
Re: squirrelmail CSRF vulnerability
From: Tim Newsham <newsham () lava net>
Date: Fri, 11 May 2007 07:41:41 -1000 (HST)
II. Application should use CSRF token which is random enough to identify every legitimate post login request.According to: http://squirrelmail.org/security/issue/2006-12-02 version 1.4.8-4 is vulnerable to a XSS vulnerability, so an attacker could use theXSS vector to grab the session token ("CSRF token") and continue the CSRF attack.
This might just be semantics: I wouldn't consider the XSS attack to be a CSRF attack. The XSS script runs in the same context that the user or any legitimate script running on behalf of the user runs. When it makes a reference, it has access to things like the CSRF token. It's not forging a reference. It's creating one in the same way as any legitimate script action would.
summary:
CSRF - forging a reference blindly.
XSS script - acting on behalf of the user after same-origin policy
protections have been compromised
- Josh
Tim Newsham http://www.thenewsh.com/~newsham/
Current thread:
- squirrelmail CSRF vulnerability p3rlhax (May 10)
- Re: squirrelmail CSRF vulnerability Josh Zlatin-Amishav (May 10)
- Re: squirrelmail CSRF vulnerability Tim Newsham (May 11)
- Re: squirrelmail CSRF vulnerability Josh Zlatin-Amishav (May 12)
- Re: squirrelmail CSRF vulnerability Pavel Kankovsky (May 14)
- Re: squirrelmail CSRF vulnerability Tim Newsham (May 11)
- Re: squirrelmail CSRF vulnerability Josh Zlatin-Amishav (May 10)