
Cross-site request forgery fix?

Started by DomDom Skye, March 14, 2016, 03:56:19 AM


DomDom Skye

Hi!

I ran a security script and was notified that the forum (version 2.0.11) I use has a Cross-site request forgery issue.
I saw that it will be fixed in version 2.1.

Do you have a patch for 2.0.11 ?

Regards, Dom

Illori

Without some more details as to exactly what you think the issue is, we can't say there is any fix to anything, as we are not aware of the issue.

DomDom Skye

Sorry, I forgot to post it. Here are the details of the report I received:

Quote
Login Cross Site Request Forgery (CSRF/XSRF) found at: http://www.domain.com
CVSS 6.2 of 10.0
Tags critical

What does this mean?
The web site seems to be lacking CSRF token on a login form.

Read more at our knowledge base.

What can happen?
An attacker can force an unsuspecting user to sign in to the attacker's account. What can be done from there depends on the application. Example: An attacker can force an unsuspecting user to login to the attacker's account, when the user then buys something the credit card is added to the attacker's account.

Request Headers
POST /forum/smf/index.php?action=login2 HTTP/1.1
Accept: text/html, application/xhtml+xml, application/xml; q=0.9, image/webp, */*; q=0.8
User-Agent: Mozilla/5.0 (compatible; Detectify) +https://domain.com/bot/036f3430c25260fb82e37cd12a33d5a6fa04e863
Host: www.domain.com
Cookie: PHPSESSID=juq8luokdnj8d6s40kgco8tub7; PHPSESSID=juq8luokdnj8d6s40kgco8tub7; PHPSESSID=juq8luokdnj8d6s40kgco8tub7; PHPSESSID=juq8luokdnj8d6s40kgco8tub7; PHPSESSID=juq8luokdnj8d6s40kgco8tub7; sessionid=ag25kdifrg8gj21f9fijbcgcr3
Cache-Control: no-store, no-cache
Pragma: no-cache
Accept-Encoding: gzip, deflate

Response Headers
HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1
X-Content-Type-Options: nosniff
Pragma: no-cache
Content-Encoding: gzip
Vary: Accept-Encoding
Transfer-Encoding: chunked
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Date: Sun, 13 Mar 2016 16:11:42 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 13 Mar 2016 16:11:43 GMT
Server: Apache

Details:

<form action="forum/smf/index.php?action=login2" name="frmLogin" id="frmLogin" method="post" accept-charset="UTF-8" onsubmit="hashLoginPassword(this, '30691ca82945d062dfa2d7d73e8db800');">
<div class="tborder login">
<div class="cat_bar">
<h3 class="catbg">
<span class="ie6_header floatleft"><img src="forum/smf/Themes/mytheme/images/icons/login_sm.gif" alt="" class="icon"> Login</span>
</h3>
</div>
<span class="upperframe"><span></span></span>
<div class="roundframe"><br class="clear">
<p class="error">You need to fill in a username.</p>
<dl>
<dt>Username:</dt>
<dd><input type="text" name="user" size="20" value="" class="input_text"></dd>
<dt>Password:</dt>
<dd><input type="password" name="passwrd" value="" size="20" class="input_password"></dd>
</dl>
<dl>
<dt>Minutes to stay logged in:</dt>
<dd><input type="text" name="cookielength" size="4" maxlength="4" value="60" class="input_text"></dd>
<dt>Always stay logged in:</dt>
<dd><input type="checkbox" name="cookieneverexp" class="input_check" onclick="this.form.cookielength.disabled = this.checked;"></dd>
</dl>
<p><input type="submit" value="Login" class="button_submit"></p>
<p class="smalltext"><a href="forum/smf/index.php?action=reminder">Forgot your password?</a></p>
<input type="hidden" name="hash_passwrd" value="">
</div>
<span class="lowerframe"><span></span></span>
</div></form>


Hope this helps.
Dom

margarett

Yes, there is no token in SMF's login form, yet it's the first time I've seen this reported as a potential vulnerability...
If you're going to drive, don't drink. If you're going to drink... CALL ME!!!! :D

Quote: Over 90% of all computer problems can be traced back to the interface between the keyboard and the chair

DomDom Skye


Kindred

I also don't recall seeing anything about this being "fixed" in 2.1 - since I've never seen it reported before.


Personally, I think that the report is not really valid for SMF - but I'll let a dev comment and/or close the issue for sure.
Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

DomDom Skye

I saw it here:
Quote: Form Tokens - The results of adding tokens are improved security, such as basically no CSRF (Cross-site request forgery) can occur, even if an exploit successfully gained the admins session var and value they would still not gain access.
http://www.simplemachines.org/community/index.php?topic=511570.msg3612042#msg3612042

Illori

Then it might not have been directly noted as being "fixed"; it was, as far as we are aware, a feature that was added: tokens for added security.

SMF 2.0 does not have the same token system in place, and I don't think we can add such a system at this point.
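As an added illustration (not SMF's own code) of both points above: the scanner flagged the login form because its only hidden field is hash_passwrd, and the 2.1 fix Illori describes is a form token. The snippet below checks a rendered form for a hidden token field and shows how a token bound to the visitor's session is issued and verified; SERVER_SECRET, csrf_token and the sample form are assumed names and constructed data.

```python
import hmac
import hashlib
from html.parser import HTMLParser

# Assumed server-side secret; a real deployment loads it from protected config.
SERVER_SECRET = b"replace-with-a-random-server-secret"


def issue_token(session_id: str) -> str:
    """Derive a per-session CSRF token as HMAC(secret, session id).
    The server embeds it in a hidden input. A page on another origin cannot
    read the victim's session cookie, so it cannot compute a matching token."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def verify_token(session_id: str, submitted: str = "") -> bool:
    """Reject a POST whose token is missing or does not match this session.
    compare_digest keeps the comparison constant-time."""
    if not submitted:
        return False
    return hmac.compare_digest(issue_token(session_id), submitted)


class HiddenInputs(HTMLParser):
    """Collect the names of hidden inputs in a form (the scanner's check)."""
    def __init__(self):
        super().__init__()
        self.hidden = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden" and a.get("name"):
            self.hidden.append(a["name"])


def form_has_csrf_token(html: str, token_field: str = "csrf_token") -> bool:
    p = HiddenInputs()
    p.feed(html)
    return token_field in p.hidden


# Constructed sample mirroring the reported form: only hash_passwrd is hidden.
FORM_WITHOUT_TOKEN = ('<form method="post"><input type="text" name="user">'
                      '<input type="hidden" name="hash_passwrd" value=""></form>')


def render_login_form(session_id: str) -> str:
    """Hardened variant: same form plus a hidden, session-bound token."""
    field = f'<input type="hidden" name="csrf_token" value="{issue_token(session_id)}">'
    return FORM_WITHOUT_TOKEN.replace("</form>", field + "</form>")
```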

DomDom Skye

Hmm... So no fix.
When will version 2.1 come?

margarett


DNC

Quote from: DomDom Skye on March 14, 2016, 11:43:53 AM
I saw it here:
Quote: Form Tokens - The results of adding tokens are improved security, such as basically no CSRF (Cross-site request forgery) can occur, even if an exploit successfully gained the admins session var and value they would still not gain access.
http://www.simplemachines.org/community/index.php?topic=511570.msg3612042#msg3612042

That's a low-risk threat, not even worth calling one. Run sqlmap or Acunetix on your website and you get a few of these exploits, and they're not worth worrying about. Your quote here even says it :)

DomDom Skye

Thx for inputs. If it's minor, I wonder why it's tagged critical.
Was just asking about this issue  ;)

Illori

They are not related to us... they don't know the specifics of SMF, so they put their own rating on their own site. They may consider it critical, but it may not be for us. In the past there have been so-called security issues found that may have been critical that are not even valid issues.

DomDom Skye

Thx for your comment. I'm not aware of these things. Better to ask than do nothing, just in case :) I was wondering if it's a risk.
So I will take this and ignore the message until the forum is updated. Cool! Any date range for the release of version 2.1?

Kindred

There is never an issue with asking :D

As for a release range... no... only "When it is ready".

DomDom Skye

Thx for the reply.
Patience is a virtue  ;)

Dom

Steve

Going to go ahead and mark this solved. If you have further questions, by all means, mark it unsolved and ask away. :)
My pet rock is not feeling well. I think it's stoned.
