Re: squirrelmail CSRF vulnerability
>> II. Application should use CSRF token which is random enough to identify
>> every legitimate post login request.
>
> According to: http://squirrelmail.org/security/issue/2006-12-02 version
> 1.4.8-4 is vulnerable to a XSS vulnerability, so an attacker could use the
> XSS vector to grab the session token ("CSRF token") and continue the CSRF
> attack.
This might just be semantics: I wouldn't consider the XSS attack to be a
CSRF attack. The XSS script runs in the same context that the user or any
legitimate script running on behalf of the user runs. When it makes a
reference, it has access to things like the CSRF token. It's not forging
a reference. It's creating one in the same way as any legitimate script
action would.
summary:
CSRF - forging a reference blindly.
XSS script - acting on behalf of the user after same-origin policy
protections have been compromised
> - Josh
Tim Newsham
http://www.thenewsh.com/~newsham/
討論串 (同標題文章)
完整討論串 (本文為第 3 之 5 篇):