CodeIgniter Forums
CI CSRF Protection bypass - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Development (https://forum.codeigniter.com/forum-6.html)
+--- Forum: Issues (https://forum.codeigniter.com/forum-19.html)
+--- Thread: CI CSRF Protection bypass (/thread-230.html)



CI CSRF Protection bypass - nopsled - 11-12-2014

While I was trying to tighten the security of a project of mine that uses CI, I figured that the CI CSRF protection is insecurely implemented and can be easily bypassed. I found that there are more than one issue associated with the way the default CI CSRF protection is implemented.

Since CSRF is a critical issues and my assumption is there are huge number of application deployments with default CI CSRF protection, I don't want to share the detailed report in the forum.

Looking for the CI contact for reporting security bugs or an email from the CI contact to my email ID would do.


RE: CI CSRF Protection bypass - ciadmin - 11-12-2014

Good point about not posting details in the open.We don't currently have a "security chiief", but it sounds like a good idea.

Let me dig into this and get back to you Smile


RE: CI CSRF Protection bypass - Chroma - 11-14-2014

(11-12-2014, 02:34 PM)nopsled Wrote: While I was trying to tighten the security of a project of mine that uses CI, I figured that the CI CSRF protection is insecurely implemented and can be easily bypassed. I found that there are more than one issue associated with the way the default CI CSRF protection is implemented.

Since CSRF is a critical issues and my assumption is there are huge number of application deployments with default CI CSRF protection, I don't want to share the detailed report in the forum.

Looking for the CI contact for reporting security bugs or an email from the CI contact to my email ID would do.

Very sensible.

What version of CI are you using?


RE: CI CSRF Protection bypass - Chroma - 11-14-2014

Do you mean on the 3.0 dev branch or the 2.2.0 stable branch, they handle this differently?


RE: CI CSRF Protection bypass - nopsled - 11-14-2014

(11-14-2014, 09:29 AM)Chroma Wrote:
(11-12-2014, 02:34 PM)nopsled Wrote: While I was trying to tighten the security of a project of mine that uses CI, I figured that the CI CSRF protection is insecurely implemented and can be easily bypassed. I found that there are more than one issue associated with the way the default CI CSRF protection is implemented.

Since CSRF is a critical issues and my assumption is there are huge number of application deployments with default CI CSRF protection, I don't want to share the detailed report in the forum.

Looking for the CI contact for reporting security bugs or an email from the CI contact to my email ID would do.

Very sensible.

What version of CI are you using?

Latest!


RE: CI CSRF Protection bypass - Narf - 11-17-2014

There's no such issue.


RE: CI CSRF Protection bypass - Rufnex - 11-17-2014

Btw .. for me the CSRF implementation should be complete rewriten. its not very confortable to use right now.