httpd-dev mailing list archives

From Joe Orton <jor...@redhat.com>
Subject Re: [PATCH] prevent CSRF in mod_proxy_balancer
Date Tue, 11 Mar 2008 14:47:54 GMT
On Tue, Mar 11, 2008 at 03:39:22PM +0100, Plüm, Rüdiger, VF-Group wrote:
> > It occurred to me recently that it is relatively simple to prevent 
> > "CSRF" attacks against the balancer-handler (see CVE-2007-6420), by 
> > generating a "secret" nonce at startup and requiring the presence of 
> > that secret in the submitted parameters.
> > 
> > Any objections?
> 
> Just that I understand this correctly: The GET requests that actually do
> some configuration changes via the balancer manager become invalid as
> soon as httpd is restarted (graceful restart is not sufficient, correct?).
> As long as httpd keeps running the GET requests remain valid and can be
> reused.

Correct.  If you submit a form making some balancer config changes, and 
httpd has been through a full stop/start since the form was loaded into 
the browser, the changes will be ignored.

(You could perhaps argue that this is a good thing anyway, since the 
balancer config may have changed completely in the restart?)

joe
