add csrf tokens to forms.

Bug #678401 reported by dave b.
Affects: Launchpad itself | Status: New | Importance: Undecided | Assigned to: Unassigned | Milestone: (none shown)

Bug Description

So while checking the REFERER is ok in most situations, it may be possible to spoof the REFERER.
If an attacker can spoof the REFERER they can potentially post to a URL like https://launchpad.net/~USERNAME/+editsshkeys and add their SSH key.
Really, csrf tokens should be added to forms.

[0] - https://answers.launchpad.net/launchpad/+faq/1024
[1] - http://www.cgisecurity.com/csrf-faq.html

dave b. (d+b)
description: updated
Revision history for this message
Robert Collins (lifeless) wrote :

We have a nonce system for oauth; extending that to forms should be totally doable without big infrastructure.

Revision history for this message
William Grant (wgrant) wrote :

All known Referer spoofing vulnerabilities are long-fixed, and there are far worse old browser holes that could be exploited.

However, it's still fragile since lots of people block the header. CSRF tokens should be added.
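The two points made in this report and in William Grant's comment, that a Referer check rejects legitimate users who strip the header and that a synchronizer token tied to the session closes the hole cleanly, as an added example. This is illustrative code written for this page, not Launchpad's own implementation; `SERVER_SECRET`, `SITE_HOST`, the token format and the `handle_edit_sshkeys` handler are assumptions standing in for a real form handler.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Both constants are assumptions for this example; a real deployment would load
# the secret from configuration and rotate it.
SERVER_SECRET = b"example-only-secret-do-not-reuse"
SITE_HOST = "launchpad.net"


def referer_allows(headers):
    """The Referer-based check the bug report calls fragile.

    Accepts the request only when a Referer header is present and its host is
    the site itself. Anyone whose browser or proxy strips Referer is locked
    out, and the check is only as strong as the browser's guarantee that the
    header cannot be forged.
    """
    referer = headers.get("Referer")
    if not referer:
        return False
    return urlsplit(referer).hostname == SITE_HOST


def issue_csrf_token(session_id):
    """Mint a synchronizer token for a logged-in session.

    The token is a random nonce plus an HMAC over (session_id, nonce), so the
    server can verify it statelessly and a token minted for one session is
    useless in another. The form embeds it as a hidden field.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def csrf_token_valid(session_id, token):
    """Check a submitted token against the session that is posting the form."""
    if not token or "." not in token:
        return False
    nonce, mac = token.rsplit(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the MAC cannot be guessed byte by byte.
    return hmac.compare_digest(mac, expected)


def handle_edit_sshkeys(session_id, form, keys):
    """Hypothetical handler standing in for +editsshkeys.

    `keys` is the victim's list of SSH keys; the key is appended only when the
    form carries a token that was issued to this very session.
    """
    if not csrf_token_valid(session_id, form.get("csrf_token")):
        return "rejected: missing or invalid CSRF token"
    keys.append(form["sshkey"])
    return "added"


if __name__ == "__main__":
    victim = "session-victim"
    # Constructed requests: one from the site itself, one with Referer stripped.
    print(referer_allows({"Referer": f"https://{SITE_HOST}/~user/+editsshkeys"}))
    print(referer_allows({}))  # a privacy-conscious user is rejected as well
    keys = []
    token = issue_csrf_token(victim)
    # Legitimate submission: the form rendered for this session carried the token.
    print(handle_edit_sshkeys(victim, {"csrf_token": token,
                                       "sshkey": "ssh-ed25519 AAAA... user"}, keys))
    # Cross-site POST: the attacker's page cannot read the victim's token.
    print(handle_edit_sshkeys(victim, {"sshkey": "ssh-ed25519 AAAA... attacker"}, keys))
    print(keys)
```

The token never leaves the victim's origin, so a form on an attacker's site cannot include it, and because it is HMAC-bound to the session an attacker cannot substitute a token minted for their own session. This is the same shape as the OAuth nonce system Robert Collins mentions, applied to a form field.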
