#292 Improve XSS and XSRF protection

FlexWiki v2.0
closed-fixed
John Davidson
5
2008-10-17
2008-10-17
John Davidson
No

The login.aspx process has a minimal XSS vulnerability, and the WikiEdit.aspx and MessagePost.aspx pages are vulnerable to Cross-Site Request Forgery (XSRF).

Discussion

  • John Davidson
    2008-10-17

    • status: open --> closed-fixed
  • John Davidson
    2008-10-17

    Build 2.1.0.272

    Deleted the original session ID cookie when a successful login occurs, which causes a new cookie to be created.
    Added configuration variables XsrfProtectionMessagePostTimeout and XsrfProtectionWikiEditTimeout to flexwiki.config, documented in flexwiki.config.template. Default timeout periods are 10 and 15 minutes respectively.

    Added a nonce to the forms in WikiEdit and MessagePost and generated a unique cookie for each form instance. The cookie and the nonce values must match for the save to occur. This guarantees that the save action came from a browser that had previously communicated with the FlexWiki-hosted site and that it was not the result of activity from a malicious site or input from a bot.
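The fix described in the comment above (a per-form nonce that must match a per-instance cookie, a configurable timeout per form, and regeneration of the session cookie on login) is illustrated below as an added example. This is not FlexWiki's own code, which is ASP.NET; the function names, the signed cookie layout, the use of an HMAC over the nonce and issue time, and the constructed sample values are all this example's assumptions. The timeout values are the 10- and 15-minute defaults named in the comment.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict

# Constructed defaults mirroring XsrfProtectionMessagePostTimeout (10 min) and
# XsrfProtectionWikiEditTimeout (15 min). Keys and the seconds representation
# are this example's own choice, not FlexWiki's configuration format.
XSRF_TIMEOUTS_SECONDS: Dict[str, int] = {
    "MessagePost": 10 * 60,
    "WikiEdit": 15 * 60,
}

# Hypothetical server-side secret; a real deployment loads it from configuration
# so that it survives restarts and is shared across a web farm.
_SERVER_SECRET = os.urandom(32)


@dataclass(frozen=True)
class FormToken:
    nonce: str         # emitted as a hidden <input> in the rendered form
    cookie_name: str   # one cookie per form instance, keyed by the nonce
    cookie_value: str  # "issued_at:nonce:hmac", so the server can verify and expire it


def _cookie_name(form: str, nonce: str) -> str:
    return f"xsrf_{form}_{nonce}"


def _sign(form: str, nonce: str, issued_at: int) -> str:
    msg = f"{form}|{nonce}|{issued_at}".encode()
    return hmac.new(_SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_form_token(form: str, now: int) -> FormToken:
    """Create the nonce/cookie pair when a WikiEdit or MessagePost form is rendered."""
    nonce = secrets.token_urlsafe(16)
    cookie_value = f"{now}:{nonce}:{_sign(form, nonce, now)}"
    return FormToken(nonce, _cookie_name(form, nonce), cookie_value)


def validate_submission(form: str, posted_nonce: str, cookies: Dict[str, str], now: int) -> bool:
    """Allow the save only if the hidden-field nonce matches an unexpired, untampered cookie."""
    timeout = XSRF_TIMEOUTS_SECONDS.get(form)
    if timeout is None:
        return False  # unknown form: no timeout configured, refuse
    cookie_value = cookies.get(_cookie_name(form, posted_nonce))
    if cookie_value is None:
        return False  # browser never received this form instance (cross-site POST or bot)
    try:
        issued_str, cookie_nonce, sig = cookie_value.split(":", 2)
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed cookie
    if not hmac.compare_digest(sig, _sign(form, cookie_nonce, issued_at)):
        return False  # cookie forged or its timestamp altered
    if not hmac.compare_digest(cookie_nonce, posted_nonce):
        return False  # hidden field and cookie disagree
    if now < issued_at or now - issued_at > timeout:
        return False  # form instance older than the configured timeout
    return True


class SessionStore:
    """Minimal in-memory session table used to show session-id regeneration on login."""

    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self, data: dict) -> str:
        sid = secrets.token_urlsafe(24)
        self._sessions[sid] = data
        return sid

    def get(self, sid: str):
        return self._sessions.get(sid)

    def regenerate_on_login(self, old_sid: str, user: str) -> str:
        """Drop the pre-login session so the authenticated session gets a fresh cookie."""
        self._sessions.pop(old_sid, None)
        return self.create({"user": user})


if __name__ == "__main__":
    tok = issue_form_token("WikiEdit", now=1000)
    jar = {tok.cookie_name: tok.cookie_value}
    print("valid within timeout:", validate_submission("WikiEdit", tok.nonce, jar, 1100))
    print("valid after 15 min + 1 s:", validate_submission("WikiEdit", tok.nonce, jar, 1901))
```

Because the cookie is signed with a server secret and carries its issue time, the server needs no per-form table to enforce the timeout; a site that cannot read or set the victim's cookies cannot produce a matching nonce/cookie pair, which is the property the comment above relies on.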