Talk:PHP CSRF Guard

From OWASP
Jump to: navigation, search

Flaws and Updates

2012/12/08

Thanks very much.


---
Jakub

On 8 December 2012 00:54, Abbas Naderi <abbas.naderi@owasp.org> wrote:
Yes but then I assumed you don't have edit permissions on the wiki. I'll do this and mention you on the bottom and discussion page.
-Abbas
On ۱۸ آذر ۱۳۹۱, at ۳:۱۷, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:

You probably meant changing wiki, sorry :)

On 8 December 2012 00:47, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:
Hi,
just change
              if (!isset($_POST['CSRFName']))
to
              if (!isset($_POST['CSRFName']) || !isset($_POST['CSRFToken']))
this should work.


Jakub

On 8 December 2012 00:43, Abbas Naderi <abbas.naderi@owasp.org> wrote:
Hi Jakub,
You are right and we are aware of this. Would you like to fix it or I shall do so?
-Abbas
On ۱۸ آذر ۱۳۹۱, at ۳:۱۱, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:

Hi Abbas,

I found a note about a bug in PHP CSRF Guard
(http://blog.kotowicz.net/2012/12/on-handling-your-pets-and-csrf.html)
The code was patched so that a NULL $token cannot be validated with
empty ("") CSRFToken parameter.
Isn't the code still vulnerable by passing a non existing CSRFName and
not passing CSRFToken ?
Only the CSRFName is checked - if(!isset($_POST['CSRFName']))
but later then there is $token=$_POST['CSRFToken'] which still can be
null if no CSRFToken parameter is passed.


Regards,
Jakub

2012/12/06

Hi Krzysztof,
Thanks for the tip. 
Actually I did the code on the fly and never got to test it! And never had a chance to review it.
Thanks for fixing the flaw.
Would be a good idea to post this email on discussion page of the wiki so that people know the flow and update it.
Also add a version on top of the code.
Regards
-Abbas
On ۱۶ آذر ۱۳۹۱, at ۱۷:۴۴, Krzysztof Kotowicz <krzysztof.kotowicz@securing.pl> wrote:

Hi!

PHP CSRFGuard that you posted at OWASP wiki
https://www.owasp.org/index.php/PHP_CSRF_Guard is vulnerable to a simple
bypass method:

When you submit a non-existing form id as CSRFName and empty CSRFToken
csrf_validate_token() function will return true.

function csrfguard_validate_token($unique_form_name,$token_value)
{
	$token=get_from_session($unique_form_name); 

      // non existing form name, $token = null;

	if ($token===false)
	{
		return true;
	}
	elseif ($token==$token_value) // type insensitive comparison!!
	{
              // $token_value = "", $token = null, both are equivalent to == operator
		$result=true;
	}
	else
	{ 
		$result=false;
	} 
	unset_session($unique_form_name);
	return $result;
}

I've been able to exploit it already on a live site for a client that
used PHP CSRFGuard. I've fixed the code on wiki by using === operator.
This is just to notify you of the change, if you use this project elsewhere.

-- 
Best regards,
Krzysztof Kotowicz
SecuRing