Fixing CSRF exploits in Infrastructure
Mike McGrath
mmcgrath at redhat.com
Tue Nov 25 18:40:45 UTC 2008
On Tue, 25 Nov 2008, Till Maas wrote:
> On Mon November 24 2008, Toshio Kuratomi wrote:
>
> > I've been researching the CSRF exploit and how it affects our web apps
> > recently. The short story is that our code is pretty open to this at
> > the moment. I've written up a proposal for fixing this but it will
> > require a lot of coding so I'd love to have some more eyes on it to make
> > sure I'm not making any stupid mistakes.
> >
> > The proposal is here::
> > https://fedorahosted.org/fas/wiki/CSRF
>
> From the proposal:
> | make a GET request that can change state on the server
>
> It is recommended to not use GET requests to change state on the server,
> therefore it would be probably better to change these GET requests to POST
> requests.
>
GET vs POST is an interesting discussion. From a security point of view
though the only advantage is in how we log and that GET requests stay in
the logs.
Obviously though an authenticated web crawler could do accidently do some
serious damage.
-Mike
More information about the Fedora-infrastructure-list
mailing list