httpd-dev mailing list archives

From Plüm, Rüdiger, VF-Group <>
Subject Re: [PATCH] prevent CSRF in mod_proxy_balancer
Date Tue, 11 Mar 2008 14:39:22 GMT

> -----Original Message-----
> From: Joe Orton
> Sent: Tuesday, 11 March 2008 15:23
> To:
> Subject: [PATCH] prevent CSRF in mod_proxy_balancer
> It occurred to me recently that it is relatively simple to prevent 
> "CSRF" attacks against the balancer-handler (see CVE-2007-6420), by 
> generating a "secret" nonce at startup and requiring the presence of 
> that secret in the submitted parameters.
> Any objections?

Just so I understand this correctly: The GET requests that actually do
some configuration changes via the balancer manager become invalid as
soon as httpd is restarted (graceful restart is not sufficient, correct?).
As long as httpd keeps running the GET requests remain valid and can be
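The check Joe proposes, and the restart behaviour Rüdiger asks about, as an added illustration that is not the httpd patch itself: a Python stand-in for the balancer-manager handler that draws a secret nonce once at "startup" and ignores any state-changing request that does not carry it. The class, the parameter names and the worker URL are constructed for this example (the w/dw parameters only loosely follow the 2.2 balancer-manager form).

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


class BalancerManager:
    """Toy stand-in for the balancer-manager handler (constructed example).

    A fresh nonce is generated each time an instance is created, which models
    httpd generating the secret at process start: a URL captured before a
    restart no longer matches after it, so a forged link has a bounded life.
    """

    def __init__(self) -> None:
        # 128-bit random secret, hex-encoded; unknown to any third-party page.
        self.nonce = secrets.token_hex(16)
        # Constructed balancer state: one worker, currently enabled.
        self.workers = {"http://10.0.0.1:8080": "enabled"}

    def handle(self, url: str) -> tuple[int, str]:
        """Process a balancer-manager GET; return (status, message)."""
        params = parse_qs(urlsplit(url).query)
        # A request without parameters only renders the status page; it
        # changes nothing, so no nonce is required for it.
        if not params:
            return 200, "status page"
        submitted = params.get("nonce", [""])[0]
        # Constant-time compare so the secret cannot be recovered byte by byte.
        if not hmac.compare_digest(submitted, self.nonce):
            return 403, "missing or invalid nonce: request ignored"
        worker = params.get("w", [""])[0]
        if worker not in self.workers:
            return 400, "unknown worker"
        # Only a request carrying the current nonce reaches the mutation.
        self.workers[worker] = "disabled" if "dw" in params else "enabled"
        return 200, f"{worker} {self.workers[worker]}"
```

A link that worked before a restart is rejected afterwards because the new process holds a different nonce, which is exactly the "GET requests become invalid" behaviour discussed above.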