II. Application should use CSRF token which is random enough to identify every legitimate post login request.According to: http://squirrelmail.org/security/issue/2006-12-02 version 1.4.8-4 is vulnerable to a XSS vulnerability, so an attacker could use theXSS vector to grab the session token ("CSRF token") and continue the CSRF attack.
This might just be semantics: I wouldn't consider the XSS attack to be a CSRF attack. The XSS script runs in the same context that the user or any legitimate script running on behalf of the user runs. When it makes a reference, it has access to things like the CSRF token. It's not forging a reference. It's creating one in the same way as any legitimate script action would.
summary:
CSRF - forging a reference blindly.
XSS script - acting on behalf of the user after same-origin policy
protections have been compromised
- Josh
Tim Newsham http://www.thenewsh.com/~newsham/