<<< Date Index >>>     <<< Thread Index >>>

Re: squirrelmail CSRF vulnerability



II. Application should use CSRF token which is random enough to identify every legitimate post login request.

According to: http://squirrelmail.org/security/issue/2006-12-02 version
1.4.8-4 is vulnerable to a XSS vulnerability, so an attacker could use the
XSS vector to grab the session token ("CSRF token") and continue the CSRF attack.

This might just be semantics: I wouldn't consider the XSS attack to be a CSRF attack. The XSS script runs in the same context that the user or any legitimate script running on behalf of the user runs. When it makes a reference, it has access to things like the CSRF token. It's not forging a reference. It's creating one in the same way as any legitimate script action would.

summary:
  CSRF - forging a reference blindly.
  XSS script - acting on behalf of the user after same-origin policy
       protections have been compromised

- Josh

Tim Newsham
http://www.thenewsh.com/~newsham/