Thread: [Cppcms-users] empty action in POST a potential vulnerability ?

Brought to you by: artyom-beilis

cppcms-users

[Cppcms-users] empty action in POST a potential vulnerability ?

From: Marius C. <mf...@gm...> - 2014-08-24 22:13:27

 I was just reading on a blog post that an empty action in post could
in theory trigger a bypassing of CSRF. Details here:

 http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html

 Is this true for cppcms ? I've noticed that the wiki code does indeed
use empty actions in post forms. It would also seem that html5 doesn't
allow this anymore and that a non empty action must be specified.

 Thanks.

Re: [Cppcms-users] empty action in POST a potential vulnerability ?

From: Joerg S. <jo...@br...> - 2014-08-24 22:32:03

On Mon, Aug 25, 2014 at 01:13:21AM +0300, Marius Cirsta wrote:
>  I was just reading on a blog post that an empty action in post could
> in theory trigger a bypassing of CSRF. Details here:
> 
>  http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
> 
>  Is this true for cppcms ? I've noticed that the wiki code does indeed
> use empty actions in post forms. It would also seem that html5 doesn't
> allow this anymore and that a non empty action must be specified.

I can't make that much sense of the post, but keep in mind that cppcms's
CSRF handler is applied first and an invalid CSRF token gives an
exception without hitting the normal view.

Joerg

Re: [Cppcms-users] empty action in POST a potential vulnerability ?

From: Artyom B. <art...@ya...> - 2014-08-25 10:53:53

See, you don't check the token on your own directly.

- If you use cppcms::widgets - they already run csrf checks.
- if you write your own widgets implementing your own load and you call pre_load() it would run the csrf checks (and it is a part of a standard widget)

And finally if you want to check on your own (for some custom form code) you should call the

cppcms::session_interface::validate_request_origin()


function in any case...

So unless you write your own bad code it shouldn't happen. Normal flow does not include cases shown there.

Of course you should turn CSRF validation on in configuration file and read the secure programming article.

 
Artyom Beilis 
-------------- 
CppCMS - C++ Web Framework:   http://cppcms.com/ 
CppDB - C++ SQL Connectivity: http://cppcms.com/sql/cppdb/


>________________________________
> From: Marius Cirsta <mf...@gm...>
>To: cpp...@li... 
>Sent: Monday, August 25, 2014 1:13 AM
>Subject: [Cppcms-users] empty action in POST a potential vulnerability ?
> 
>
>I was just reading on a blog post that an empty action in post could
>in theory trigger a bypassing of CSRF. Details here:
>
>http://blog.andlabs.org/2010/03/bypassing-csrf-protections-with.html
>
>Is this true for cppcms ? I've noticed that the wiki code does indeed
>use empty actions in post forms. It would also seem that html5 doesn't
>allow this anymore and that a non empty action must be specified.
>
>Thanks.
>
>------------------------------------------------------------------------------
>Slashdot TV.  
>Video for Nerds.  Stuff that matters.
>http://tv.slashdot.org/
>_______________________________________________
>Cppcms-users mailing list
>Cpp...@li...
>https://lists.sourceforge.net/lists/listinfo/cppcms-users
>
>
>