Strengthen the non-cryptographically random generated tokens

Bug #1930171 reported by Robert Lyon
Affects   Status        Importance  Assigned to  Milestone
Mahara    Fix Released  High        Unassigned
20.10     Fix Released  High        Unassigned
21.04     Fix Released  High        Unassigned
21.10     Fix Released  High        Unassigned
22.04     Fix Released  High        Unassigned

Bug Description

In Mahara we have a CSRF token called 'sesskey' which is generated in an old style guessable way.

We need to update this to do the following:

1) Make the token more random by using random_int(), which generates cryptographically secure pseudo-random integers

2) Rename the 'sesskey' to avoid confusion between this token and actual session key - need to change it to be some more obscure / generic name

3) Look at making the CSRF token be in the custom headers space rather than as a form field - to avoid having it exposed in GET urls etc

4) Make sure all the places we use get_random_key() are changed to the more secure way

CVE References

Robert Lyon (robertl-9)
no longer affects: mahara/20.04
Kristina Hoeppner (kris-hoeppner) wrote:

Related to https://cve.mitre.org/cgi-bin/cvename.cgi?name=2021-29349 but is specifically looking at the random token generator

Vulnerability type: CSRF
Attack type: Physical?
Impact: Information disclosure, other

Affected components: Non-cryptographically random generated tokens are too easily guessable. They should be rendered in a cryptographical way. The current function to generate random keys is not random enough.

Suggested description: Mahara before 20.10.5, 21.04.4, 21.10.2, and 22.04.0 is vulnerable to Cross Site Request Forgery (CSRF) because randomly generated tokens are too easily guessable.

Reported by: Catalyst IT
Bug report: https://bugs.launchpad.net/mahara/+bug/1930171
CVE reference: CVE-2022-28892 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28892

Kristina Hoeppner (kris-hoeppner) wrote :
summary: - Strengthen the CSRF key to make it unguessable
+ Strengthen the non-cryptographically random generated tokens
Gold (gold.catalyst)
information type: Private Security → Public Security
Mahara Bot (dev-mahara) wrote : A change has been merged

Reviewed: https://reviews.mahara.org/c/mahara/+/12688
Committed: https://git.mahara.org/mahara/mahara/commit/11be0ecdbfa2dadcc3f2861006a840c0774a07ec
Submitter: "Doris Tam <email address hidden>"
Branch: 21.10_DEV

commit 11be0ecdbfa2dadcc3f2861006a840c0774a07ec
Author: Robert Lyon <email address hidden>
Date: Fri Jun 4 14:50:22 2021 +1200

Security bug 1930171: Strengthen the random token generator

Make it generate a cryptographically random token and make sure it's
at least 8 chars long at minimum

Change-Id: I45b621846b1c9ed3221edfb8ebf1ee3635dc9161
Signed-off-by: Robert Lyon <email address hidden>
(cherry picked from commit 61b607d03dd1eae87eb91573a855bf801085e363)
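The bug description above (items 1 and 4) and the merged commit message both describe the same change: replace a guessable token generator with one built on random_int() and enforce a minimum length of 8 characters. The following PHP is an added illustration of that change and is not Mahara's code; the function names weak_random_key(), secure_random_key(), csrf_token_valid() and csrf_token_from_request() are assumptions, as is the shape of the weak generator (a time-seeded mt_rand(), chosen to show why such tokens are predictable).

```php
<?php
// Added example (not Mahara's code): a guessable token generator of the kind
// the bug describes, beside a hardened replacement based on random_int().
declare(strict_types=1);

const TOKEN_ALPHABET   = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
const TOKEN_MIN_LENGTH = 8; // floor from the commit message: "at least 8 chars"

// Weak (illustrative, assumed shape): a non-cryptographic PRNG seeded from the
// clock. Two calls in the same second yield the same token, so anyone who can
// narrow down the request time can reproduce it.
function weak_random_key(int $length): string
{
    mt_srand((int) microtime(true));
    $key = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= TOKEN_ALPHABET[mt_rand(0, strlen(TOKEN_ALPHABET) - 1)];
    }
    return $key;
}

// Hardened: random_int() draws from the operating system's CSPRNG and is
// uniform over the alphabet; the minimum length is enforced regardless of
// what the caller asks for.
function secure_random_key(int $length = 32): string
{
    $length = max($length, TOKEN_MIN_LENGTH);
    $max    = strlen(TOKEN_ALPHABET) - 1;
    $key    = '';
    for ($i = 0; $i < $length; $i++) {
        $key .= TOKEN_ALPHABET[random_int(0, $max)];
    }
    return $key;
}

// Item 3 of the description: prefer the token from a custom request header
// over a form field, so it never ends up in a GET URL. Header name is an
// assumption for this example.
function csrf_token_from_request(array $server, array $post): ?string
{
    if (isset($server['HTTP_X_CSRF_TOKEN'])) {
        return (string) $server['HTTP_X_CSRF_TOKEN'];
    }
    return isset($post['csrftoken']) ? (string) $post['csrftoken'] : null;
}

// Validate with a constant-time comparison so a mismatch does not leak how
// many leading characters were correct; reject stored tokens that are shorter
// than the minimum (e.g. left over from the old generator).
function csrf_token_valid(?string $submitted, ?string $stored): bool
{
    if ($submitted === null || $stored === null || strlen($stored) < TOKEN_MIN_LENGTH) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo: show the predictability of the weak generator.
    $a = weak_random_key(8);
    $b = weak_random_key(8); // same second -> identical token
    echo "weak #1: $a\nweak #2: $b\nidentical: " . var_export($a === $b, true) . "\n";

    // The hardened generator: two calls differ, short requests are padded up.
    $stored = secure_random_key(32);
    echo "secure: $stored\n";
    echo "min length honoured: " . strlen(secure_random_key(3)) . " chars\n";

    // Constructed request: token carried in a custom header.
    $server = ['HTTP_X_CSRF_TOKEN' => $stored];
    echo "valid: " . var_export(csrf_token_valid(csrf_token_from_request($server, []), $stored), true) . "\n";
    echo "tampered: " . var_export(csrf_token_valid(substr($stored, 1) . 'x', $stored), true) . "\n";
}
```

Run with `php example.php`. The two weak tokens printed are identical whenever both calls fall within the same second, which is the guessability the bug report is about; the secure tokens differ on every call, and a request for fewer than 8 characters is silently raised to 8.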
