#29 Vulnerable to CSRF attacks

closed
nobody
None
5
2015-06-05
2011-05-09
No

change_password.php is vulnerable to Cross-Site Request Forgery attacks. To prevent these types of attacks, we can include a hidden token with the form and save this token in a session before rendering the page to the user. When the user submits the form, we can compare the hidden token to our session token. Alternatively (for this particular form), we can make the user enter their current password when changing passwords.
Other forms in this project may also be vulnerable to these attacks, and a hidden token should resolve this issue. I plan on submitting a patch for change_password.php to demonstrate this fix. I have also uploaded a possible CSRF attack.
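The synchronizer-token pattern the ticket describes, combined with the current-password check it suggests, as an added example that is not the project's own patch. It assumes PHP 7 or later (for random_bytes() and hash_equals()) and two hypothetical helpers, verify_current_password() and update_password(), that the project would supply.

```php
<?php
// Added example, not the project's code: CSRF protection for the
// password-change form. Assumes PHP >= 7 for random_bytes()/hash_equals().
session_start();

function csrf_token(): string {
    // One token per session, generated server-side and stored in the session
    // before the form is rendered; the form carries it in a hidden field.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_valid(?string $submitted): bool {
    // Reject when either side is missing; compare in constant time so the
    // check does not leak the token through timing differences.
    if ($submitted === null || empty($_SESSION['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // A forged cross-site request cannot read the session-bound token,
    // so it fails here regardless of the victim's cookies.
    if (!csrf_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Invalid request token.');
    }
    // Second defence from the ticket: require the current password.
    // verify_current_password() and update_password() are hypothetical
    // helpers assumed to exist in the project.
    if (!verify_current_password($_POST['current_password'] ?? '')) {
        http_response_code(403);
        exit('Current password is incorrect.');
    }
    update_password($_POST['new_password'] ?? '');
    exit('Password changed.');
}
?>
<form method="post" action="change_password.php">
  <input type="hidden" name="csrf_token"
         value="<?= htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') ?>">
  <label>Current password <input type="password" name="current_password"></label>
  <label>New password <input type="password" name="new_password"></label>
  <button type="submit">Change password</button>
</form>
```

Regenerating the token after a successful password change (unset the session key) limits how long a leaked token stays usable.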

Discussion

  • Nicholas Tsoi-A-Sue

    A sample CSRF attack

  • Andy Grayndler

    Andy Grayndler - 2015-06-05
    • Status: open --> closed
