Talk:PHP CSRF Guard

2012/12/08
Thanks very much.

--- Jakub

On 8 December 2012 00:54, Abbas Naderi wrote:

Yes, but then I assumed you don't have edit permissions on the wiki. I'll do this and mention you at the bottom and on the discussion page.

-Abbas

On 18 Azar 1391 (8 December 2012), at 3:17, Jakub Kałużny wrote:

You probably meant changing wiki, sorry :)

On 8 December 2012 00:47, Jakub Kałużny wrote:

Hi, just change

    if (!isset($_POST['CSRFName']))

to

    if (!isset($_POST['CSRFName']) || !isset($_POST['CSRFToken']))

This should work.

Jakub

On 8 December 2012 00:43, Abbas Naderi wrote:

Hi Jakub, you are right and we are aware of this. Would you like to fix it, or shall I do so?

-Abbas

On 18 Azar 1391 (8 December 2012), at 3:11, Jakub Kałużny wrote:

Hi Abbas,

I found a note about a bug in PHP CSRF Guard (http://blog.kotowicz.net/2012/12/on-handling-your-pets-and-csrf.html). The code was patched so that a NULL $token cannot be validated with an empty ("") CSRFToken parameter. Isn't the code still vulnerable when passing a non-existing CSRFName and not passing CSRFToken at all? Only CSRFName is checked, with if(!isset($_POST['CSRFName'])), but later there is $token=$_POST['CSRFToken'], which can still be null if no CSRFToken parameter is passed.

Regards, Jakub

2012/12/06
Hi Krzysztof,

Thanks for the tip. Actually I wrote the code on the fly and never got to test it! And I never had a chance to review it. Thanks for fixing the flaw. It would be a good idea to post this email on the discussion page of the wiki so that people know about the flaw and update it. Also, add a version on top of the code.

Regards
-Abbas

On 16 Azar 1391 (6 December 2012), at 17:44, Krzysztof Kotowicz wrote:

Hi!

The PHP CSRFGuard that you posted on the OWASP wiki (https://www.owasp.org/index.php/PHP_CSRF_Guard) is vulnerable to a simple bypass:

When you submit a non-existing form id as CSRFName and an empty CSRFToken, the csrf_validate_token function will return true.

    function csrfguard_validate_token($unique_form_name, $token_value)
    {
        $token = get_from_session($unique_form_name);
        // non existing form name, $token = null;
        if ($token === false) {
            return true;
        }
        elseif ($token == $token_value) // type insensitive comparison!!
        {
            // $token_value = "", $token = null, both are equivalent to == operator
            $result = true;
        }
        else {
            $result = false;
        }
        unset_session($unique_form_name);
        return $result;
    }

I've already been able to exploit it on a live site for a client that used PHP CSRFGuard. I've fixed the code on the wiki by using the === operator. This is just to notify you of the change, in case you use this project elsewhere.

--
Best regards,
Krzysztof Kotowicz
SecuRing
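The two bypasses discussed in this thread (an empty CSRFToken against the original == comparison, and an omitted CSRFToken against the === fix) come down to how PHP compares null. The following is an added example written for this discussion page; it is not the PHP CSRF Guard code from the wiki or from either of the posters. It puts the original loose check, the === fix, and an isset/is_string variant side by side and runs each against the two attacker requests and one legitimate request. The session store and POST bodies are constructed arrays standing in for $_SESSION and $_POST, the function names validate_loose/validate_strict/validate_hardened are the example's own, and PHP 7 or later is assumed for the ?? operator and type declarations.

```php
<?php
// Added example, not the OWASP PHP CSRF Guard code: three variants of the
// token check from the thread, run against the bypass requests it describes.
// $_SESSION and $_POST are replaced by plain arrays so this runs from the CLI.

// Constructed session: one form registered with a known token.
const SESSION = ['login_form' => 'a1b2c3'];

// Constructed POST bodies.
const GOOD_REQUEST       = ['CSRFName' => 'login_form',   'CSRFToken' => 'a1b2c3'];
const ATTACK_EMPTY_TOKEN = ['CSRFName' => 'no_such_form', 'CSRFToken' => ''];  // Krzysztof's bypass
const ATTACK_NO_TOKEN    = ['CSRFName' => 'no_such_form'];                     // Jakub's bypass

// Stand-in for get_from_session(): an unknown form name yields null, as the
// thread notes, so the original's "=== false" branch is never taken.
function get_from_session(array $session, string $name)
{
    return $session[$name] ?? null;
}

// Variant 1: the original loose comparison (==).
function validate_loose(array $session, array $post): bool
{
    $token       = get_from_session($session, $post['CSRFName']);
    $token_value = $post['CSRFToken'] ?? null;   // an absent parameter reads as null
    if ($token === false) {                      // kept from the original; never true here
        return true;
    }
    return $token == $token_value;               // null == "" and null == null are both true
}

// Variant 2: the === fix applied on the wiki.
function validate_strict(array $session, array $post): bool
{
    $token       = get_from_session($session, $post['CSRFName']);
    $token_value = $post['CSRFToken'] ?? null;
    if ($token === false) {
        return true;
    }
    return $token === $token_value;              // null === "" is false, but null === null is true
}

// Variant 3: require both parameters to be present strings, and fail closed on
// an unknown form name instead of letting a missing session entry pass.
function validate_hardened(array $session, array $post): bool
{
    if (!isset($post['CSRFName'], $post['CSRFToken'])
        || !is_string($post['CSRFName']) || !is_string($post['CSRFToken'])) {
        return false;                            // rejects CSRFToken[]=x as well as an omitted field
    }
    $token = get_from_session($session, $post['CSRFName']);
    if (!is_string($token)) {
        return false;                            // no token registered for this form name
    }
    return hash_equals($token, $post['CSRFToken']);  // constant-time string comparison
}

$cases = [
    'legitimate request       ' => GOOD_REQUEST,
    'unknown form, empty token' => ATTACK_EMPTY_TOKEN,
    'unknown form, no token   ' => ATTACK_NO_TOKEN,
];
foreach ($cases as $label => $post) {
    printf("%s  loose=%s  strict=%s  hardened=%s\n",
        $label,
        var_export(validate_loose(SESSION, $post), true),
        var_export(validate_strict(SESSION, $post), true),
        var_export(validate_hardened(SESSION, $post), true));
}
```

Run it with `php csrf_demo.php`. The loose variant accepts both attacker requests, the strict variant rejects the empty token but still accepts the request with no CSRFToken at all, and only the hardened variant rejects both while still accepting the legitimate request. The `?? null` read mirrors what the original's `$_POST['CSRFToken']` does when the parameter is absent (null, plus an undefined-index notice), which is exactly why the `===` fix alone is not enough.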