Feature Proposal: CSRF Fix for TWiki
Motivation
The fix discussed in SecurityAlert-CVE-2009-1339 is not complete fix for CSRF kind of attacks. Examples can provided on request. I can post the examples to this proposal/Bug once CSRF is fixed for TWikiDescription and Documentation
We can have fix based on tokens:- Create the token for each forms which modify the content of TWiki topics/metadata's
- The token's are accompanied with the requests of various actions like "save", "register", "comment".
- The valid tokens are verified while performing the secured actions. The successfully verified tokens expired from token database.
- The false tokens/used tokens throw the error.
Examples
Impact
Implementation
-- Contributors: SopanShewale - 2009-07-30Discussion
This is documented for admins at SecurityAuditTokenBasedCsrfFix -- PeterThoeny - 2009-09-02 This is now released with TWiki-4.3.2 -- PeterThoeny - 2009-09-28
Topic revision: r3 - 2009-09-28 - PeterThoeny
Home 
Site map
Blog web
Create New Topic
Index
Search
Advanced search
My topics of interest
Changes
Major changes only
All tags
Notifications
RSS Feed
Statistics
Preferences
Community 
Readme first
Developers News
How you can help
Community roles
#twiki IRC
Jerusalem Release
Feature Proposals
Bugs Changes
Categories 
Account 
Ideas, requests, problems regarding TWiki? Send feedback. Ask community in the support forum.Copyright © 1999-2012 by the contributing authors. All material on this collaboration platform is the property of the contributing authors.