
Login sends token, but doesn't check it. #433

Open
rliebig opened this issue Aug 5, 2013 · 2 comments
Comments

@rliebig
Contributor

rliebig commented Aug 5, 2013

On the login form, a token is placed. However, it is possible to delete this token and send the request without it. This is theoretically a CSRF vulnerability, but it would allow the attacker to log a user in on a specific account. There are two solutions for this: simply remove the token, or check it.

@nidico

nidico commented Aug 5, 2013

Well, we should check it! The problem is that the login is performed by repoze.who.plugins.friendlyform, which is most likely the reason why this isn't implemented yet...

@ghost ghost assigned rliebig Aug 13, 2013
@rliebig
Contributor Author

rliebig commented Aug 14, 2013

I just noticed that the same problem occurs with the OpenID form under /openid/init; more specifically, there isn't a token at all. I'm not sure if this is a security problem.
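As an added illustration (not code from the project or from either commenter), here is a minimal stand-in for a login handler showing why a token that is issued but never compared gives no protection: the unchecked handler accepts a request from which the token has been deleted (or, as with the OpenID form, was never present), while the checked one rejects it. The session store, field names and credential check are constructed assumptions.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session (assumed, not the project's store).
def new_session():
    return {"csrf_token": secrets.token_hex(16)}

def credentials_ok(form):
    # Assumed fixed credentials so the example runs offline; compare in constant time.
    user = form.get("login", "")
    pw = form.get("password", "")
    return hmac.compare_digest(user.encode(), b"alice") and \
        hmac.compare_digest(pw.encode(), b"correct horse")

def login_unchecked(session, form):
    """Mirrors the reported behaviour: the form carries a token, but it is never read.
    A cross-site POST that simply omits the token field is accepted."""
    return credentials_ok(form)

def valid_csrf(session, form):
    """Reject a missing or empty token (covers both 'token deleted' and 'no token
    at all'), a session without a token, and any mismatch; constant-time compare."""
    submitted = form.get("_csrf_token")
    expected = session.get("csrf_token")
    if not submitted or not expected:
        return False
    return hmac.compare_digest(submitted.encode(), expected.encode())

def login_checked(session, form):
    """The fix: refuse to act on the credentials unless the token matches the session."""
    if not valid_csrf(session, form):
        return False
    return credentials_ok(form)

if __name__ == "__main__":
    s = new_session()
    # Legitimate submission from the rendered form (token included).
    legit = {"login": "alice", "password": "correct horse",
             "_csrf_token": s["csrf_token"]}
    # Constructed cross-site submission with the token field deleted.
    forged = {"login": "alice", "password": "correct horse"}
    print("unchecked accepts token-less request:", login_unchecked(s, forged))
    print("checked accepts token-less request:  ", login_checked(s, forged))
    print("checked accepts legitimate request:  ", login_checked(s, legit))
```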
