Skip to Content Skip to Menu

CSRF attack recognized

  • slabbi
  • slabbi
  • OFFLINE
  • Posts: 3709
  • Thanks: 250
  • Karma: 153
15 years 7 months ago #94262 by slabbi
Replied by slabbi on topic Re:CSRF attack recognized
Ok, I try to explain why and when this message appears:

In simple words a CSRF attack means that someone else uses your form in order to execute commands in your context without your knowledge.

en.wikipedia.org/wiki/Cross-site_request_forgery

To prevent this the web app (here uddeIM) creates a random number that is delivered within the form. Only the correct user can fill in the form and send it back, a different user with the wrong number will raise a "CSRF attack" error.

The problem is that when a user uses the back button the session which stores the number on server side is also destroyed, so that uddeIM cannot verify the correctness of the number and raises the error. Also when a user does not allow cookies or uses a web washer, this error may appear.

Since I have not heard that a uddeIM site was used for a CSRF attack before it is ok to switch the protection of. I added it because of a request of a very major site which could be used for such an attack.

uddeIM & uddePF Development
CB Language Workgroup
CB 3rd Party Developer

Please Log in or Create an account to join the conversation.

13 years 4 months ago #170108 by 01globalnet
Replied by 01globalnet on topic Re:CSRF attack recognized - inside component loade
Hi!

found this post from google... uddeim donator here. A quick question:

We had enabled CSRF control, worked ok. But, when we included the form in component loader ( extensions.joomla.org/extensions/core-enhancements/embed-a-include/10721 ) the error appears (special situation, we had to include the form outside normal layout).

Is there a non-hack way to disable CSRF for that situation?
( otherwise I can touch the code in uddeIMwriteCSRF() / uddeIMcheckCSRF() for this situation ).

Thank you!

Please Log in or Create an account to join the conversation.

  • slabbi
  • slabbi
  • OFFLINE
  • Posts: 3709
  • Thanks: 250
  • Karma: 153
13 years 4 months ago #170115 by slabbi
Sure, you can disable this in uddeIM backend (system tab).

uddeIM & uddePF Development
CB Language Workgroup
CB 3rd Party Developer

Please Log in or Create an account to join the conversation.

Moderators: beatnantslabbikrileon
Powered by Kunena Forum