
Security

Cross-site request forgery

By Jake Edge
October 17, 2007

Cross-site request forgery (CSRF or XSRF) is yet another web application flaw that can have serious impacts. By exploiting the trust that the targeted site has in a logged-in user, usually encapsulated in a cookie, CSRF can perform actions on behalf of that user, without any indication that the action took place. It shares many traits with its better-known sibling, cross-site scripting (XSS), but, unlike a site targeted via XSS (for login spoofing or cookie stealing for example), the target web site can make changes to avoid CSRF.

A CSRF attack targets a specific web site, one that requires credentials to perform actions. Financial and shopping sites are common targets, but as described in last week's article on this page, home routers and similar equipment are also targets. Another popular target is sites like Digg, where users vote on particular stories to increase their popularity; an attacker can drive more traffic to a site of their choosing by using a CSRF exploit to add votes.

The exploit itself is typically contained in an <img> tag or a form submission, with JavaScript sometimes used to hide the form submission. The URL used causes some kind of side effect on the target web site as long as a properly authenticated cookie is delivered with the request. For example, if LWN had a voting system, a tag like the following could perform a CSRF exploit:

    <img src="http://lwn.net/vote?type=y;story=some_lame_story_URL" width=0 height=0>

When the browser goes to fetch that "image", it helpfully sends along any cookies that correspond to the domain; if the vote application wasn't written correctly, anyone viewing the web page who was also logged in to LWN would add a vote for the story. There would be no indication that anything had happened, other than possibly a fleeting notice in the browser noting a connection to LWN.

Getting the user to visit the page with the CSRF is done in the usual way, via a link in email, instant message, or on another web page. CSRF does not require inserting code into the vulnerable website, which is the hallmark of XSS; instead it exploits the target from afar. The link the victim follows will not in any way indicate the target site.

There are a few things that web application programmers can do to eliminate CSRF problems; the basic idea is not to perform actions solely based on a proper cookie. Just as some non-internet authentications require two forms of identification, web applications should do the same. The second identification should come from something other than the cookie, something that can be known only by a properly authenticated user.

Two basic techniques are used: random form tokens and re-authentication. For sensitive operations, the best protection is to require the user to provide their credentials (username and password, for example) before performing the action. This can be cumbersome, so, for less sensitive actions, hidden fields with random names and values can be inserted into each form, associated with a particular session, and checked on form submission. This isn't completely secure, as the values might be guessed, but with sufficient randomness it is good enough for many operations.
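An added illustration of the form-token approach (example code, not from the article): a vote handler that trusts the session cookie alone sits beside one that also demands a hidden-field token bound to the session, and both are driven through a forged cross-site GET, a legitimate submission of the site's own form, and a POST with a made-up token. The in-memory SESSIONS and VOTES stores, the handler names and the status codes are assumptions made for this example.

```python
import hmac
import re
import secrets
from html import escape

# Hypothetical in-memory stores standing in for an application's session backend
# and its voting table; both are constructed for this example.
SESSIONS = {}   # session id -> {"user": ..., "csrf": ...}
VOTES = {}      # story -> vote count


def login(user):
    """Start a session and bind one unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid


def render_vote_form(sid, story):
    """The site's own vote form carries the session's token in a hidden field."""
    token = SESSIONS[sid]["csrf"]
    return (
        '<form method="POST" action="/vote">'
        f'<input type="hidden" name="story" value="{escape(story)}">'
        f'<input type="hidden" name="csrf_token" value="{escape(token)}">'
        '<input type="submit" value="Vote"></form>'
    )


def token_from_form(html):
    """What a browser does implicitly: submit the hidden field it was served."""
    m = re.search(r'name="csrf_token" value="([^"]+)"', html)
    return m.group(1) if m else ""


def vote_cookie_only(cookie_sid, method, params):
    """Flawed handler: any request carrying a valid session cookie counts."""
    if cookie_sid not in SESSIONS:
        return 401
    VOTES[params["story"]] = VOTES.get(params["story"], 0) + 1
    return 200


def vote_with_token(cookie_sid, method, params):
    """Hardened handler: a state change needs a POST whose token matches the session."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return 401
    if method != "POST":
        return 405
    submitted = params.get("csrf_token", "")
    # Constant-time comparison so a mismatch cannot be timed byte by byte.
    if not hmac.compare_digest(submitted.encode(), session["csrf"].encode()):
        return 403
    VOTES[params["story"]] = VOTES.get(params["story"], 0) + 1
    return 200


def demo():
    """Returns (flawed_status, hardened_status, legit_status, guessed_status)."""
    sid = login("alice")
    story = "some_lame_story_URL"
    # A cross-site <img> fetch: the browser attaches the cookie but sends only
    # the URL parameters, as a GET, with no token.
    forged = {"type": "y", "story": story}
    flawed = vote_cookie_only(sid, "GET", forged)
    hardened = vote_with_token(sid, "GET", forged)
    # The user's own submission of the form the site served them.
    token = token_from_form(render_vote_form(sid, story))
    legit = vote_with_token(sid, "POST", {"story": story, "csrf_token": token})
    # A forged POST carrying a made-up token is rejected as well.
    guess = {"story": story, "csrf_token": secrets.token_urlsafe(32)}
    guessed = vote_with_token(sid, "POST", guess)
    return flawed, hardened, legit, guessed


if __name__ == "__main__":
    print(demo())
```

The token is generated with secrets so it cannot be guessed, is tied to the session rather than global, and is compared in constant time; refusing state changes on GET closes the <img> vector outright, and the token closes the hidden-form one.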

It should be noted that preventing CSRF requires that all XSS problems are removed first. An XSS flaw can be used to retrieve the form, then grab the random tokens before submitting the CSRF request. XSS may also be able to spoof the user into entering their credentials, which would allow the CSRF to bypass re-authentication as well.

CSRF has been called the "sleeping giant" of web application security flaws because it has yet to be exploited widely. It is only a matter of time; web programmers should be making the changes needed to ensure that their sites are not vulnerable.


New vulnerabilities

ampache: multiple vulnerabilities

Package(s): ampache
CVE #(s): CVE-2007-4437 CVE-2007-4438
Created: October 15, 2007
Updated: October 17, 2007
Description: SQL injection vulnerability in albums.php in Ampache before 3.3.3.5 allows remote attackers to execute arbitrary SQL commands via the match parameter. Session fixation vulnerability in Ampache before 3.3.3.5 allows remote attackers to hijack web sessions via unspecified vectors.
Alerts:
Gentoo 200710-13 ampache 2007-10-13


balsa: buffer overflow

Package(s): balsa
CVE #(s): CVE-2007-5007
Created: October 17, 2007
Updated: October 17, 2007
Description: Evil Ninja Squirrel discovered a stack-based buffer overflow in the ir_fetch_seq() function when receiving a long response to a FETCH command (CVE-2007-5007).
Alerts:
Gentoo 200710-17 balsa 2007-10-16


denyhosts: denial of service

Package(s): denyhosts
CVE #(s): CVE-2007-4323
Created: October 15, 2007
Updated: October 17, 2007
Description: DenyHosts 2.6 does not properly parse sshd log files, which allows remote attackers to add arbitrary hosts to the /etc/hosts.deny file and cause a denial of service by adding arbitrary IP addresses to the sshd log file, as demonstrated by logging in via ssh with a client protocol version identification containing an IP address string, a different vector than CVE-2006-6301.
Alerts:
Gentoo 200710-14 denyhosts 2007-10-13
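The parsing defect behind this entry, as an added example that is not DenyHosts code: a naive extractor takes the first address-looking string anywhere in a log line, so a string the remote client supplied can end up in hosts.deny, whereas an extractor anchored on the message shape takes only the trailing peer address sshd itself appends. The sshd log lines are constructed for the example, the message patterns cover just two message types, and the function names are assumptions.

```python
import re

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"

# Constructed sshd log lines, not taken from the advisory. The second carries a
# client-supplied protocol version string that looks like an address; the peer
# address sshd actually saw is the trailing 'from ...' field.
SAMPLE_LOG = [
    "Oct 15 10:01:02 host sshd[2201]: Invalid user admin from 203.0.113.5",
    "Oct 15 10:01:09 host sshd[2202]: Bad protocol version identification "
    "'192.0.2.10' from 203.0.113.5",
]


def naive_offender(line):
    """Flawed extraction: the first address-looking string anywhere in the line,
    which may be text the remote client chose."""
    m = re.search(IPV4, line)
    return m.group(0) if m else None


# Anchored patterns for the messages we act on. sshd appends the real peer
# address last, so the greedy '.*' before the final 'from' skips anything a
# client managed to place earlier in the line.
ANCHORED = [
    re.compile(r": Invalid user .* from (" + IPV4 + r")(?: port \d+)?$"),
    re.compile(r": Bad protocol version identification .* from ("
               + IPV4 + r")(?: port \d+)?$"),
]


def anchored_offender(line):
    """Return the peer address only when the line matches a known message shape."""
    for pat in ANCHORED:
        m = pat.search(line)
        if m:
            return m.group(1)
    return None


def deny_set(lines, extract):
    """Addresses a DenyHosts-style tool would add to hosts.deny using extract()."""
    return {ip for ip in map(extract, lines) if ip}


if __name__ == "__main__":
    print("naive:   ", sorted(deny_set(SAMPLE_LOG, naive_offender)))
    print("anchored:", sorted(deny_set(SAMPLE_LOG, anchored_offender)))
```

Lines that match none of the known shapes yield nothing, which is the safer failure mode for a tool whose output is a deny list: an address it cannot attribute with certainty should not be blocked on the strength of a substring.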


hplip: arbitrary command execution

Package(s): hplip
CVE #(s): CVE-2007-5208
Created: October 12, 2007
Updated: January 14, 2008
Description: Kees Cook discovered a flaw in the way the hplip hpssd daemon handled user input. A local attacker could send a specially crafted request to the hpssd daemon, possibly allowing them to run arbitrary commands as the root user.
Alerts:
Debian DSA-1462-1 hplip 2008-01-13
Gentoo 200710-26 hplip 2007-10-24
Mandriva MDKSA-2007:201 hplip 2007-10-22
SuSE SUSE-SR:2007:021 hplip, kdelibs3, kdebase3, NX, festival, opal, openssl 2007-10-19
Fedora FEDORA-2007-724 hplip 2007-10-15
Fedora FEDORA-2007-2527 hplip 2007-10-12
Ubuntu USN-530-1 hplip 2007-10-12
Red Hat RHSA-2007:0960-01 hplip 2007-10-11


initscripts: information exposure

Package(s): initscripts
CVE #(s): none
Created: October 12, 2007
Updated: October 26, 2007
Description: The initscripts package does not set sufficiently restrictive permissions on the /var/log/btmp file, leading to an information exposure vulnerability in which users' passwords may be revealed to unprivileged users when the passwords have been inadvertently entered as usernames at some login prompts.
Alerts:
Foresight FLEA-2007-0060-1 initscripts 2007-10-26
rPath rPSA-2007-0214-1 initscripts 2007-10-11


java-1.5.0-sun: multiple vulnerabilities

Package(s): java-1.5.0-sun
CVE #(s): CVE-2007-5232 CVE-2007-5238 CVE-2007-5239 CVE-2007-5240 CVE-2007-5273 CVE-2007-5274
Created: October 12, 2007
Updated: April 25, 2008
Description: Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when applet caching is enabled, allows remote attackers to violate the security model for an applet's outbound connections via a DNS rebinding attack. (CVE-2007-5232)

Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, and SDK and JRE 1.4.2_15 and earlier does not properly enforce access restrictions for untrusted applications, which allows user-assisted remote attackers to obtain sensitive information (the Java Web Start cache location) via an untrusted application, aka "three vulnerabilities." (CVE-2007-5238)

Java Web Start in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier does not properly enforce access restrictions for untrusted (1) applications and (2) applets, which allows user-assisted remote attackers to copy or rename arbitrary files when local users perform drag-and-drop operations from the untrusted application or applet window onto certain types of desktop applications. (CVE-2007-5239)

Visual truncation vulnerability in the Java Runtime Environment in Sun JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier allows remote attackers to circumvent display of the untrusted-code warning banner by creating a window larger than the workstation screen. (CVE-2007-5240)

Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when an HTTP proxy server is used, allows remote attackers to violate the security model for an applet's outbound connections via a multi-pin DNS rebinding attack in which the applet download relies on DNS resolution on the proxy server, but the applet's socket operations rely on DNS resolution on the local machine, a different issue than CVE-2007-5274. NOTE: this is similar to CVE-2007-5232. (CVE-2007-5273)

Sun Java Runtime Environment (JRE) in JDK and JRE 6 Update 2 and earlier, JDK and JRE 5.0 Update 12 and earlier, SDK and JRE 1.4.2_15 and earlier, and SDK and JRE 1.3.1_20 and earlier, when Firefox or Opera is used, allows remote attackers to violate the security model for JavaScript outbound connections via a multi-pin DNS rebinding attack dependent on the LiveConnect API, in which JavaScript download relies on DNS resolution by the browser, but JavaScript socket operations rely on separate DNS resolution by a Java Virtual Machine (JVM), a different issue than CVE-2007-5273. NOTE: this is similar to CVE-2007-5232. (CVE-2007-5274)

Alerts:
SuSE SUSE-SA:2008:025 IBMJava2,IBMJava5,java-1_4_2-ibm,java-1_5_0-ibm 2008-04-25
Gentoo 200804-20 sun-jre, sun-jdk 2008-04-17
Red Hat RHSA-2008:0100-01 java-1.4.2-bea 2008-03-11
Red Hat RHSA-2008:0156-02 java-1.5.0-bea 2008-03-05
Red Hat RHSA-2008:0132-01 java-1.4.2-ibm 2008-02-14
Red Hat RHSA-2007:1041-01 java-1.5.0-ibm 2007-11-26
Foresight FLEA-2007-0061-1 sun-jre sun-jdk 2007-10-26
SuSE SUSE-SA:2007:055 Sun Java 2007-10-17
Red Hat RHSA-2007:0963-01 java-1.5.0-sun 2007-10-12


libvorbis: multiple vulnerabilities

Package(s): libvorbis
CVE #(s): CVE-2007-4065 CVE-2007-4066
Created: October 11, 2007
Updated: January 22, 2008
Description: libvorbis has a number of vulnerabilities that can be triggered by opening a specially crafted Ogg file. Vulnerabilities include crashing and the execution of arbitrary code.
Alerts:
Debian DSA-1471-1 libvorbis 2008-01-21
SuSE SUSE-SR:2007:023 mono ImageMagick t1lib libvorbis 2007-10-31
Red Hat RHSA-2007:0912-01 libvorbis 2007-10-11
Mandriva MDKSA-2007:194 libvorbis 2007-10-10


skktools: insecure temporary file creation

Package(s): skktools
CVE #(s): CVE-2007-3916
Created: October 15, 2007
Updated: October 17, 2007
Description: skkdic-expr.c insecurely writes temporary files to a location in the form $TMPDIR/skkdic$PID.{pag,dir,db}, where $PID is the process ID. A local attacker could create symbolic links in the directory where the temporary files are written, pointing to a valid file somewhere on the filesystem that is writable by the user running the SKK software. When SKK writes the temporary file, the target valid file would then be overwritten with the contents of the SKK temporary file.
Alerts:
Gentoo 200710-10 skktools 2007-10-12
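The temporary-file pattern described here, reproduced in a scratch directory as an added example (not skktools code): a writer that builds a predictable $TMPDIR/skkdic$PID name and opens it with a plain open() follows a link already planted at that name, while O_CREAT|O_EXCL refuses an existing path and mkstemp picks an unpredictable name with mode 0600. The file names, the "victim" file and the function names are constructed for the example; it needs a Unix filesystem that supports symlinks.

```python
import os
import tempfile


def write_temp_predictable(directory, data):
    """Flawed pattern: predictable name built from the PID, opened with plain
    open(), which follows whatever link is already sitting at that name."""
    path = os.path.join(directory, f"skkdic{os.getpid()}.db")
    with open(path, "w") as f:
        f.write(data)
    return path


def create_exclusive(path):
    """O_CREAT|O_EXCL: create the path fresh or fail; an existing link counts as
    existing, so nothing is written through it. Returns True on success."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        return False
    os.close(fd)
    return True


def write_temp_safe(directory, data):
    """Safe pattern: mkstemp chooses an unpredictable name and creates it with
    O_EXCL and mode 0600, handing back an already-open descriptor."""
    fd, path = tempfile.mkstemp(prefix="skkdic", suffix=".db", dir=directory)
    with os.fdopen(fd, "w") as f:
        f.write(data)
    return path


def demo():
    """Returns (victim contents after flawed write, exclusive-create result,
    victim contents after safe write, whether the safe path is a link)."""
    with tempfile.TemporaryDirectory() as d:
        victim = os.path.join(d, "important.txt")
        with open(victim, "w") as f:
            f.write("original")
        # Constructed scenario: a link already sits at the predictable name,
        # pointing at a file the user never meant to overwrite.
        planted = os.path.join(d, f"skkdic{os.getpid()}.db")
        os.symlink(victim, planted)

        write_temp_predictable(d, "scratch")
        with open(victim) as f:
            after_flawed = f.read()          # victim clobbered through the link

        with open(victim, "w") as f:
            f.write("original")              # reset for the second run
        excl_ok = create_exclusive(planted)  # False: the planted link blocks O_EXCL
        safe_path = write_temp_safe(d, "scratch")
        with open(victim) as f:
            after_safe = f.read()            # untouched
        return after_flawed, excl_ok, after_safe, os.path.islink(safe_path)


if __name__ == "__main__":
    print(demo())
```

The two fixes are independent: O_EXCL alone already stops the overwrite, and an unpredictable name additionally denies an attacker the chance to plant the link in the first place; mkstemp gives both.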


tar: buffer overflow

Package(s): tar
CVE #(s): CVE-2007-4476
Created: October 16, 2007
Updated: March 17, 2010
Description: Buffer overflow in the safer_name_suffix function in GNU tar has unspecified attack vectors and impact, resulting in a "crashing stack."
Alerts:
CentOS CESA-2010:0141 tar 2010-03-16
CentOS CESA-2010:0144 cpio 2010-03-16
Red Hat RHSA-2010:0144-01 cpio 2010-03-15
Red Hat RHSA-2010:0141-01 tar 2010-03-15
Ubuntu USN-650-1 cpio 2008-10-02
Ubuntu USN-709-1 tar 2009-01-15
Debian DSA-1566-1 cpio 2008-05-02
Debian DSA-1438-1 tar 2007-12-28
Mandriva MDKSA-2007:233 cpio 2007-11-28
Gentoo 200711-18 cpio 2007-11-14
Fedora FEDORA-2007-2827 cpio 2007-11-06
Fedora FEDORA-2007-2800 tar 2007-11-06
Fedora FEDORA-2007-2744 cpio 2007-11-05
Fedora FEDORA-2007-742 cpio 2007-11-05
Fedora FEDORA-2007-735 tar 2007-11-05
Fedora FEDORA-2007-2673 tar 2007-10-29
rPath rPSA-2007-0222-1 cpio 2007-10-23
Mandriva MDKSA-2007:197 tar 2007-10-15


tk: denial of service

Package(s): tk8.3 tk8.4
CVE #(s): CVE-2007-5137
Created: October 12, 2007
Updated: March 17, 2009
Description: It was discovered that Tk could be made to overrun a buffer when loading certain images. If a user were tricked into opening a specially crafted GIF image, remote attackers could cause a denial of service or execute arbitrary code with user privileges.
Alerts:
Debian DSA-1743-1 libtk-img 2009-03-17
Red Hat RHSA-2008:0136-01 tk 2008-02-21
Fedora FEDORA-2008-1131 tk 2008-02-05
Fedora FEDORA-2007-728 tk 2007-10-17
Mandriva MDKSA-2007:200 tk 2007-10-18
Fedora FEDORA-2007-2564 tk 2007-10-18
Ubuntu USN-529-1 tk8.3, tk8.4 2007-10-11


wesnoth: denial of service

Package(s): wesnoth
CVE #(s): CVE-2007-3917
Created: October 12, 2007
Updated: December 3, 2007
Description: A malicious user could send a long chat message containing multibyte characters; the server would truncate the message at a fixed length without paying attention to the multibyte characters. This led to invalid UTF-8 on the client, and an uncaught exception was thrown.
Alerts:
Debian DSA-1386-2 wesnoth 2007-10-15
Debian DSA-1386-1 wesnoth 2007-10-15
Fedora FEDORA-2007-2496 wesnoth 2007-10-11
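The truncation failure behind this entry, shown as an added example rather than Wesnoth's code: cutting the encoded message at a fixed byte count can split a multibyte sequence, leaving bytes no client can decode, while stepping back over UTF-8 continuation bytes to the previous character boundary always yields valid output. The sample message, the byte limit and the function names are constructed for the example.

```python
def truncate_bytes_naive(message: str, limit: int) -> bytes:
    """Flawed: cut the encoded message at a fixed byte length, whatever falls there."""
    return message.encode("utf-8")[:limit]


def truncate_utf8(message: str, limit: int) -> bytes:
    """Safe: cut at a character boundary so the result is always valid UTF-8."""
    data = message.encode("utf-8")
    if len(data) <= limit:
        return data
    cut = limit
    # UTF-8 continuation bytes have the form 10xxxxxx; a cut that lands on one is
    # inside a character, so back up to the lead byte that starts it.
    while cut > 0 and (data[cut] & 0xC0) == 0x80:
        cut -= 1
    return data[:cut]


def decodes_cleanly(data: bytes) -> bool:
    """Whether a client applying strict decoding would accept these bytes."""
    try:
        data.decode("utf-8")
        return True
    except UnicodeDecodeError:
        return False


def demo():
    """Constructed chat line: the euro sign occupies three bytes (E2 82 AC).
    Returns (naive decodes?, safe decodes?, safe bytes) for a 2-byte limit."""
    message = "a€b"
    naive = truncate_bytes_naive(message, 2)
    safe = truncate_utf8(message, 2)
    return decodes_cleanly(naive), decodes_cleanly(safe), safe


if __name__ == "__main__":
    print(demo())
```

Decoding on the receiving side should still be defensive (a decode error is an expected input condition for a network service, not an exceptional one), but the server-side fix is to never produce a partial character in the first place.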


Page editor: Jake Edge


Copyright © 2007, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds