Anwiki CMS

Anwiki CMS : the first wiki/CMS dedicated to multilingual contents

FS#60 - Anwiki should protect against Cross-Site Request Forgery

Attached to Project: Anwiki CMS
Opened by: Wladimir Palant (trev) - Monday, 22 February 2010, 09:35 GMT
Task Type: Security issue
Category: Core
Status: Unconfirmed
Assigned To: No-one
Operating System: All
Severity: High
Priority: Normal
Reported Version: Anwiki 0.2.1
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 0%
Votes: 0
Private: No

Details

From the look of it, there is no protection against CSRF (http://en.wikipedia.org/wiki/Cross-site_request_forgery) in Anwiki. This allows the following attack scenario: an attacker (who knows where my Anwiki instance is located) posts a link to his site in my forum, disguising it as a legitimate question. When I click it, the attacker's page sends off an invisible form to my Anwiki instance. This request is sent with my cookies, so Anwiki accepts it and executes the requested action (like removing all contents or giving a particular user additional privileges).

The most trivial protection against CSRF: send out the user's session ID as a parameter with all POST forms. This could be done by adding a boolean postForm parameter to the linkMe method; if true, the session ID will be added automatically. All callers generating POST forms need to be adjusted, of course. When POST parameters are evaluated (for example in AnwEnv:_POST), it should be checked whether the session ID parameter is identical to the session ID in the cookie; if they are not, the POST parameters should be ignored. This will do, assuming that all modifying actions use POST forms (which I think they do).
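The check the report proposes, written out as an added example. This is not Anwiki code and the function names (anw_csrf_token, anw_form_open, anw_checked_post) are invented for illustration; it assumes PHP 7 or later. One deliberate change from the report's suggestion: rather than copying the session ID itself into every form (where it would end up in Referer headers, proxy logs and browser history), the form carries a separate random token that is generated once per session and kept server-side. The session cookie and the token travel by different routes, and a cross-site page that can trigger the cookie cannot read the token, which is exactly the property the report relies on. The check only helps if every state-changing action goes through a POST form, as the report assumes, so GET handlers must never modify content.

```php
<?php
// Added example (not Anwiki code): synchronizer-token CSRF protection in the
// shape the report describes. A random token is generated once per session and
// stored server-side; every POST form embeds it as a hidden field, and a POST
// is only honoured when the submitted token matches the one in the session.
// Function names below are invented for this example.

const ANW_CSRF_FIELD = 'anw_csrf_token';

// Return the session-bound token, generating it on first use.
// $session stands in for $_SESSION so the example runs without a web server.
function anw_csrf_token(array &$session): string
{
    if (empty($session[ANW_CSRF_FIELD])) {
        $session[ANW_CSRF_FIELD] = bin2hex(random_bytes(32));
    }
    return $session[ANW_CSRF_FIELD];
}

// Open a POST form and embed the token as a hidden field. This is the role the
// report gives to a "postForm" flag on linkMe: every state-changing form is
// emitted through one helper so the field cannot be forgotten.
function anw_form_open(array &$session, string $action): string
{
    $token = anw_csrf_token($session);
    return '<form method="post" action="'
        . htmlspecialchars($action, ENT_QUOTES, 'UTF-8') . '">'
        . '<input type="hidden" name="' . ANW_CSRF_FIELD . '" value="'
        . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Validate an incoming POST (the report's AnwEnv:_POST check). Returns the
// POST parameters when the token matches the session's token, otherwise an
// empty array so callers see no parameters at all. hash_equals() is used so
// the comparison time does not depend on how many leading bytes match.
function anw_checked_post(array $session, array $post): array
{
    $expected = $session[ANW_CSRF_FIELD] ?? '';
    $given    = $post[ANW_CSRF_FIELD] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return [];
    }
    unset($post[ANW_CSRF_FIELD]);
    return $post;
}

// Stand-alone demo with constructed data in place of a live $_SESSION/$_POST.
$session = [];
echo anw_form_open($session, '/index.php?a=delete&p=Home'), "\n";

// Legitimate submission: the browser copies the hidden field back.
$good = anw_checked_post($session, [
    ANW_CSRF_FIELD => $session[ANW_CSRF_FIELD],
    'confirm'      => '1',
]);

// Forged submission from the attacker's page: the victim's cookie is sent (so
// $session is populated) but the page had no way to learn the token.
$bad = anw_checked_post($session, ['confirm' => '1']);

var_dump($good);
var_dump($bad);
```

Setting the session cookie with the SameSite attribute is a worthwhile second layer, but it is no substitute for the token: older browsers ignore it, and it does nothing for requests the attacker can make from a page on the same site.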