Bugtraq mailing list archives
Re: squirrelmail CSRF vulnerability
From: Josh Zlatin-Amishav <josh () ramat cc>
Date: Sat, 12 May 2007 15:09:37 -0400 (EDT)
On Fri, 11 May 2007, Tim Newsham wrote:
1.4.8-4 is vulnerable to an XSS vulnerability, so an attacker could use the XSS vector to grab the session token ("CSRF token") and continue the CSRF attack.
This might just be semantics: I wouldn't consider the XSS attack to be a CSRF attack.
The point is, if the application is vulnerable to an XSS vulnerability then having a CSRF token won't protect you from a CSRF attack. The attacker could use the XSS vector to steal the CSRF token, much like the Samy worm worked.
The XSS script runs in the same context that the user or any legitimate script running on behalf of the user runs. When it makes a reference, it has access to things like the CSRF token.
Exactly, thus the CSRF token won't be much help in protecting you from a CSRF attack, if the attacker can just parse out that token and use it in a CSRF attack.
--
- Josh
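The point argued in this message, as an added example that is not part of the original thread and is not SquirrelMail code: a per-session token check rejects a forged cross-site request but cannot tell a legitimate form submission from one built by script running in the application's own page. The session store, the `/options` form and the `csrf_token` and `signature` field names are hypothetical.

```python
import hmac
import re
import secrets

SESSIONS = {}  # session id -> CSRF token (constructed in-memory store)


def login():
    """Create a session and its per-session CSRF token."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = secrets.token_hex(16)
    return sid


def render_form(sid):
    """Page served to the logged-in user; the token is embedded in the HTML."""
    return ('<form method="post" action="/options">'
            f'<input type="hidden" name="csrf_token" value="{SESSIONS[sid]}">'
            '</form>')


def handle_post(sid, params):
    """Accept a state-changing request only if the token matches the session."""
    expected = SESSIONS.get(sid)
    supplied = params.get("csrf_token", "")
    if expected is None or not hmac.compare_digest(expected, supplied):
        return 403
    return 200


def cross_site_request(sid):
    """Forged request from another origin: the browser attaches the session
    cookie, but the other site cannot read the page, so it has no token."""
    return handle_post(sid, {"signature": "x"})


def same_origin_script_request(sid):
    """Request built by script running inside the application's own page
    (the XSS case in the thread): it can read the form and copy the token."""
    page = render_form(sid)
    token = re.search(r'name="csrf_token" value="([0-9a-f]+)"', page).group(1)
    return handle_post(sid, {"csrf_token": token, "signature": "x"})


if __name__ == "__main__":
    sid = login()
    print("cross-site forged request:", cross_site_request(sid))
    print("request from in-page script:", same_origin_script_request(sid))
```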