Posting in the Magento forums has been disabled pending the implementation of a new and improved forum solution which should better serve the community.

For new questions please post at magento.stackexchange.com, the community-run support site for the Magento community. We will be providing updates on the new forum solution soon. For questions or concerns please email community@magento.com.

Magento Forum

Reg. CSRF Vulnerability
 
Daniel Toma
Jr. Member
 
Total Posts:  13
Joined:  2007-09-22
 

Because the attack is based on phishing, it can be prevented by securing the email server first. The best way to do this is by adding SPF and DomainKeys to your mails. SPF defines a list of servers that are allowed to send emails for a domain, so if the attacker's email is sent from another server with a fake email address as sender, it will be refused by the destination server (or at least marked as SPF failed). DomainKeys is a digital signature made by the mail server and verified by the recipient using a public key from DNS.

URL obfuscation is not the best solution because it is hard for the admin to remember. Creating a different user with lower rights than admin might be a way to improve security.
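To make the SPF part of the post above concrete, here is an added example (not code from the poster or from Magento) of what the receiving mail server does: it fetches the sending domain's SPF TXT record and checks the connecting client's IP against the listed senders, so a phishing mail sent from the attacker's own server with a forged From address comes back as "fail". The DNS records are a constructed in-memory table so the example runs offline, and only the ip4, ip6, include and all mechanisms of RFC 7208 are implemented (no a, mx, ptr, exists, redirect or macro expansion).

```python
"""Simplified SPF evaluation (added example, not from the original post).

A receiving mail server evaluates the sending domain's SPF record against the
IP address of the SMTP client that delivered the message.  Only the ip4, ip6,
include and all mechanisms are implemented here; a, mx, ptr, exists, redirect
and macros from RFC 7208 are left out, and DNS lookups are replaced by a
constructed in-memory table so the code runs offline.
"""
import ipaddress

# Constructed sample DNS TXT records (not real data).  example.com sends from
# its own /24 and from a third-party provider pulled in via include:.
DNS_TXT = {
    "example.com": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailprovider.example -all",
    "_spf.mailprovider.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 -all",
    "softfail.example": "v=spf1 ip4:203.0.113.5 ~all",
    "nospf.example": None,
}

# Mechanism qualifiers: + pass (default), - fail, ~ softfail, ? neutral.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup_spf(domain):
    """Return the SPF record for domain from the constructed table, or None."""
    rec = DNS_TXT.get(domain)
    if rec is None or not rec.lower().startswith("v=spf1"):
        return None
    return rec


def check_spf(client_ip, domain, depth=0):
    """Return pass/fail/softfail/neutral/none/permerror for client_ip sending as domain."""
    if depth > 10:
        return "permerror"  # RFC 7208 caps DNS-lookup mechanisms at 10 per check
    record = lookup_spf(domain)
    if record is None:
        return "none"  # domain publishes no SPF record
    ip = ipaddress.ip_address(client_ip)
    for term in record.split()[1:]:  # skip the "v=spf1" version tag
        if "=" in term:
            continue  # modifiers such as redirect= or exp= are not handled here
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)  # bare host -> /32 or /128
            except ValueError:
                return "permerror"
            matched = ip.version == net.version and ip in net
        elif name == "include":
            sub = check_spf(client_ip, arg, depth + 1)
            if sub in ("none", "permerror"):
                return "permerror"  # included domain must publish a valid record
            matched = sub == "pass"  # include only matches on a pass result
        else:
            return "permerror"  # a, mx, ptr, exists are not implemented in this example
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"  # record exhausted without any mechanism matching


if __name__ == "__main__":
    # Legitimate mail from example.com's own range and from its provider.
    print(check_spf("192.0.2.25", "example.com"))       # pass
    print(check_spf("2001:db8::1", "example.com"))      # pass (via include)
    # Phishing mail forging admin@example.com from the attacker's server.
    print(check_spf("203.0.113.5", "example.com"))      # fail
    print(check_spf("203.0.113.6", "softfail.example")) # softfail
    print(check_spf("203.0.113.6", "nospf.example"))    # none
```

A "fail" result is what lets the destination server reject the forged message outright, as the post describes; a "softfail" or "neutral" record still lets the mail through, so only a record ending in -all gives the receiver grounds to refuse it.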

 