Ticket 1077: Possible CSRF in login? - FluxBB core

Download

Tickets

Milestones

Subscribe 4

Ticket #1077 (fixed bug)

Possible CSRF in login?

Created: 2016-01-15 07:31:34
Reported by: TheBritain
Assigned to: nsuchy

Milestone: 1.5.11
Component: security
Priority: normal

I am not an expert with this, just curious.

I am assuming since the login.php isn't elevated until you actually log in, that it's not a big deal. The only problem I an see is someone embedding the form somewhere else, and convincing users to log in with it. Since it passes everything correctly, users would have no idea that anything happened. I created a simple form with localhost, and was able to authenticate on my actual site. Would even a simple header check be worth it?

Maybe there should be a way to validate where the post data is coming from somehow?

I can also embed register.php, which is not critical I don't think, but I didn't know if that was intended. Someone could use that for click-jacking. Would xframe options take care of this?

History

Franz 2016-01-15 07:33:55

We have prevented clickjacking with the appropriate security headers.

Technically, login.php is probably susceptible to CSRF attacks, however the attacker would need to know the user's password to log them in without knowing, right?

TheBritain 2016-01-15 16:25:59

Yeah, that's what I thought. Since the login form isn't elevated, I am just going to write this one off as silly. I do have a problem with people being able to fake a login form, and have it still login appropriately to the site. This could mean a third party could capture login information, and it would appear to the user that everything has gone as intended.

quy 2016-01-15 16:50:50

We can add the following, however, then you can't have your own custom login form like we have it here on fluxbb.org: