
Magento Forum

Was the CSRF Vulnerability sorted in 1.2.1.2? 
 
TGM
Member
 
Total Posts:  69
Joined:  2009-02-09
 

Hi. Silly question, but I just wanted to check: was the CSRF vulnerability sorted in 1.2.1.2?

thanks

 
 
skippybosco
Enthusiast
 
Total Posts:  796
Joined:  2008-10-03
 

1.2.1.2 Release notes would suggest yes.

 
 
calvinh
Jr. Member
 
Total Posts:  19
Joined:  2009-05-21
SoCal
 

Glad to hear. I just read this blog post, sent to my admin panel with the title “CSRF Attack Prevention,” and was utterly shocked at what I was reading.

The odd security vulnerability here and there is inevitable, especially with robust applications, and even more so with popular applications that are always under the scrutiny of hackers and security analysts. However, the suggested fix in the blog post is nothing more than security through obscurity. It’s a bit like thinking that you’re safe from theft leaving your doors unlocked at night because a thief won’t know that your doors are unlocked.

Now, don’t get me wrong. Obscurity can enhance the security of a well designed and security-hardened system, but you can’t rely on security through obscurity to protect an inherently insecure system.

I think the blog post needs to be edited so that Magento users running older versions know that the custom frontName setting is not a sound solution to this vulnerability, and that the only real solution is to upgrade to the latest version.

 
 
aleghart
Jr. Member
 
Total Posts:  4
Joined:  2009-03-03
 

From Release Notes - Magento 1.3.0 (March 30, 2009)
Changes> .....CSRF Attack Prevention (added form_key param to all admin Urls)

Would be nice if Magento folks would update Yoav’s blog entry http://www.magentocommerce.com/blog/comments/csrf-vulnerabilities-in-web-application-and-how-to-avoid-them-in-magento/

Keep in mind that a NEW installation of 1.3.2.4 has a string of warnings and notices as far back as v1.1.  This includes a warning dated Feb 26, 2009 issued specifically for the described security issue, plus a link to the blog entry.

The warning says:

CSRF Attack Prevention
We have just posted a blog entry about a hypothetical CSRF attack on a Magento admin panel. Please read the post to find out if your Magento installation is at risk at (link)

But...the blog entry offers no analysis on how to find out if your installation is at risk.  If taken at face value, the post indicates that all installations are at risk, that there is no current fix, and that you must make hacks to hide the location of your admin pages.

That’s a lot of extra work to be un-done later.  Would it really be so hard to clarify the blog post?
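To make concrete the point the two posts above make, that a custom admin frontName only hides the path while the form_key parameter from the 1.3.0 release note actually blocks the forged request, here is an added illustration. It is not Magento's code and not from anyone in this thread; it is written in Python rather than PHP, and the session object, front name, action path and the result strings are all constructed for the example.

```python
"""Toy model of the per-session form_key anti-CSRF check versus path obscurity alone."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


@dataclass
class AdminSession:
    """A logged-in admin session (constructed; stands in for the session cookie)."""
    user: str
    # Random per-session token; an unrelated origin cannot read it.
    form_key: str = field(default_factory=lambda: secrets.token_urlsafe(16))


def build_admin_url(session: AdminSession, front_name: str, action: str) -> str:
    """What the admin UI itself emits: every admin link carries the session's form_key."""
    return f"/{front_name}/{action}?form_key={session.form_key}"


def parse_request(url: str):
    """Split a request URL into its path and a flat dict of query parameters."""
    parts = urlsplit(url)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return parts.path, params


def handle_obscurity_only(session: AdminSession, url: str, front_name: str) -> str:
    """The 'custom frontName' mitigation on its own: the only gate is the path prefix."""
    path, _ = parse_request(url)
    if not path.startswith(f"/{front_name}/"):
        return "not_found"
    return "executed"


def handle_with_form_key(session: AdminSession, url: str, front_name: str) -> str:
    """Path prefix check plus a form_key that must match the requesting session."""
    path, params = parse_request(url)
    if not path.startswith(f"/{front_name}/"):
        return "not_found"
    token = params.get("form_key", "")
    # Constant-time comparison so the check does not leak token bytes via timing.
    if not hmac.compare_digest(token, session.form_key):
        return "rejected_invalid_form_key"
    return "executed"


def demo() -> dict:
    """Run the same three requests through both handlers and collect the outcomes."""
    victim = AdminSession(user="admin")
    front = "secret-backend-xyz"  # a custom, 'obscure' admin front name (constructed)
    action = "system/config/save"  # constructed action path
    results = {}

    # 1. A link the admin clicked inside the panel: carries the session's form_key.
    legit = build_admin_url(victim, front, action)
    results["legit_obscurity"] = handle_obscurity_only(victim, legit, front)
    results["legit_form_key"] = handle_with_form_key(victim, legit, front)

    # 2. A cross-site request: the browser still attaches the victim's cookie (so
    #    `victim` is the session) and the path is known, but no form_key is present.
    forged = f"/{front}/{action}"
    results["forged_obscurity"] = handle_obscurity_only(victim, forged, front)
    results["forged_form_key"] = handle_with_form_key(victim, forged, front)

    # 3. A form_key taken from some other session must not be accepted for this one.
    other = AdminSession(user="other")
    borrowed = build_admin_url(other, front, action)
    results["borrowed_form_key"] = handle_with_form_key(victim, borrowed, front)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>20}: {outcome}")
```

The obscurity-only handler executes the forged request as soon as the path is known, which is exactly the objection raised above: hiding the admin path is a speed bump, not a fix. The form_key handler rejects both the token-less request and a token borrowed from another session, because the token is bound to the session that renders the links and is never exposed to a foreign origin.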

 