Fixing CSRF exploits in Infrastructure
johnp at redhat.com
Tue Nov 25 21:18:22 UTC 2008
The only way to fix the man in the middle trust issue would be to have the client somehow sign the session hash, but even then, the client would have to register a public key on a server you trust.
----- "Toshio Kuratomi" <a.badger at gmail.com> wrote:
> Greetings all,
> I've been researching the CSRF exploit and how it affects our web
> recently. The short story is that our code is pretty open to this at
> the moment. I've written up a proposal for fixing this but it will
> require a lot of coding so I'd love to have some more eyes on it to
> sure I'm not making any stupid mistakes.
> The proposal is here::
> The ticket for the overall CSRF fixing is here::
> I consider fixing this to be a fairly high priority so I'll be
> work on implementing this for a few pkgdb methods very soon.
> the technique works we'll need to port every method that can change
> in every app to use this.
> Fedora-infrastructure-list mailing list
> Fedora-infrastructure-list at redhat.com
John (J5) Palmieri
Red Hat, Inc.
More information about the infrastructure