CodeIgniter Forums

Full Version: CI CSRF Protection bypass
While I was trying to tighten the security of a project of mine that uses CI, I figured that the CI CSRF protection is insecurely implemented and can be easily bypassed. I found that there is more than one issue associated with the way the default CI CSRF protection is implemented.

Since CSRF is a critical issue and my assumption is that there is a huge number of application deployments with the default CI CSRF protection, I don't want to share the detailed report in the forum.

I am looking for the CI contact for reporting security bugs; an email from the CI contact to my email ID would do.
Good point about not posting details in the open. We don't currently have a "security chief", but it sounds like a good idea.

Let me dig into this and get back to you :)
(11-12-2014, 02:34 PM)nopsled Wrote:
While I was trying to tighten the security of a project of mine that uses CI, I figured that the CI CSRF protection is insecurely implemented and can be easily bypassed. I found that there is more than one issue associated with the way the default CI CSRF protection is implemented.

Since CSRF is a critical issue and my assumption is that there is a huge number of application deployments with the default CI CSRF protection, I don't want to share the detailed report in the forum.

I am looking for the CI contact for reporting security bugs; an email from the CI contact to my email ID would do.

Very sensible.

What version of CI are you using?
Do you mean the 3.0 dev branch or the 2.2.0 stable branch? They handle this differently.
(11-14-2014, 09:29 AM)Chroma Wrote:
What version of CI are you using?

Latest!
There's no such issue.
Btw, for me the CSRF implementation should be completely rewritten. It's not very comfortable to use right now.