Ticket #1077 (fixed bug)
Possible CSRF in login?
- Created: 2016-01-15 07:31:34
- Reported by: TheBritain
- Assigned to: nsuchy
- Milestone: 1.5.11
- Component: security
- Priority: normal
I am not an expert with this, just curious.
I am assuming since the login.php isn't elevated until you actually log in, that it's not a big deal. The only problem I can see is someone embedding the form somewhere else, and convincing users to log in with it. Since it passes everything correctly, users would have no idea that anything happened. I created a simple form with localhost, and was able to authenticate on my actual site. Would even a simple header check be worth it?
Maybe there should be a way to validate where the post data is coming from somehow?
I can also embed register.php, which is not critical I don't think, but I didn't know if that was intended. Someone could use that for clickjacking. Would X-Frame-Options take care of this?
History
Franz 2016-01-15 07:33:55

We have prevented clickjacking with the appropriate security headers.
Technically, login.php is probably susceptible to CSRF attacks, however the attacker would need to know the user's password to log them in without knowing, right?
TheBritain 2016-01-15 16:25:59

Yeah, that's what I thought. Since the login form isn't elevated, I am just going to write this one off as silly. I do have a problem with people being able to fake a login form, and have it still log in appropriately to the site. This could mean a third party could capture login information, and it would appear to the user that everything has gone as intended.

We can add the following, however, then you can't have your own custom login form like we have it here on fluxbb.org:
confirm_referrer('login.php');
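The two defences discussed in this ticket side by side, as an added example that is not FluxBB's code or the 1.5.11 patch: a session-bound synchronizer token of the kind a CSRF fix for login.php adds, and a referrer check in the spirit of confirm_referrer(). The function names (csrf_token, token_ok, referrer_ok, verify_login_request), the site URL and the request arrays are assumptions constructed for the demo so it runs from the command line without a web server; the "forged" request models the reporter's localhost form, which submits the same fields as the real form but cannot read the victim's session token.

```php
<?php
// Added example (not FluxBB's code): synchronizer-token protection for a login
// form beside a referrer check like confirm_referrer(). Names and the site URL
// are assumptions; requests and sessions are plain arrays so this runs from
// the CLI:  php login_csrf_demo.php
declare(strict_types=1);

const SITE_ORIGIN = 'https://forum.example';   // assumed site URL

/** Issue (once per session) the token that login.php embeds in its form. */
function csrf_token(array &$session): string
{
    if (!isset($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** The hidden field a token-protected login form must carry. */
function csrf_field(array &$session): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8') . '">';
}

/** Referrer check: the POST must come from our own login page. A missing
 *  header or another host is rejected, which is also what breaks a custom
 *  login form hosted elsewhere. */
function referrer_ok(array $server, string $script): bool
{
    if (empty($server['HTTP_REFERER'])) {
        return false;
    }
    $ref  = parse_url($server['HTTP_REFERER']);
    $site = parse_url(SITE_ORIGIN);
    return isset($ref['host'], $ref['path'])
        && strcasecmp($ref['host'], $site['host']) === 0
        && $ref['path'] === '/' . $script;
}

/** Token check: constant-time compare of the posted value with the session copy. */
function token_ok(array $post, array $session): bool
{
    return isset($post['csrf_token'], $session['csrf_token'])
        && is_string($post['csrf_token'])
        && hash_equals($session['csrf_token'], $post['csrf_token']);
}

/**
 * Decide whether a login POST may proceed. Returns 'ok' or a reason string.
 * $mode selects the defence: 'token', 'referrer', or 'none' for the
 * unprotected behaviour the ticket describes.
 */
function verify_login_request(array $post, array $session, array $server, string $mode): string
{
    switch ($mode) {
        case 'none':
            return 'ok';
        case 'referrer':
            return referrer_ok($server, 'login.php') ? 'ok' : 'bad referrer';
        case 'token':
            return token_ok($post, $session) ? 'ok' : 'bad token';
        default:
            throw new InvalidArgumentException("unknown mode $mode");
    }
}

// --- Constructed requests (sample data, not captured traffic) ----------------
$session = [];
$token   = csrf_token($session);   // set when login.php rendered its form

// 1. Genuine submission of the real login form.
$genuine = [
    'post'   => ['req_username' => 'alice', 'req_password' => 'hunter2', 'csrf_token' => $token],
    'server' => ['HTTP_REFERER' => SITE_ORIGIN . '/login.php'],
];
// 2. The ticket's attack: identical fields, but posted from a form on localhost.
//    That page cannot read the victim's session token, so it has none to send.
$forged = [
    'post'   => ['req_username' => 'alice', 'req_password' => 'hunter2'],
    'server' => ['HTTP_REFERER' => 'http://localhost/fake-login.html'],
];

foreach (['none', 'referrer', 'token'] as $mode) {
    printf("%-8s genuine=%-12s forged=%s\n", $mode,
        verify_login_request($genuine['post'], $session, $genuine['server'], $mode),
        verify_login_request($forged['post'],  $session, $forged['server'],  $mode));
}
```

Running it shows the unprotected mode accepting both requests, while the referrer and token modes each accept only the genuine one. The trade-off raised above applies to both: the referrer check rejects any client that strips the Referer header as well as every off-site form, and the token check rejects an off-site form too, because a page on another origin has no way to obtain the session-bound value.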
nsuchy 2018-07-17 22:18:36

- Owner set to nsuchy.
- Uploaded patch 0001-Fix-CSRF-on-login.php.patch. (view)
- Status changed from open to fixed.
This issue is patched in the upcoming 1.5.11 release.
Visman 2019-01-03 13:57:35

Why then was a token not added to the registration form and the password recovery form?