Date: Tue, 11 Mar 2008 14:47:54 +0000
From: Joe Orton
To: dev@httpd.apache.org
Subject: Re: [PATCH] prevent CSRF in mod_proxy_balancer
Message-ID: <20080311144754.GA23708@redhat.com>
In-Reply-To: <99EA83DCDE961346AFA9B5EC33FEC08B66A926@VF-MBX11.internal.vodafone.com>

On Tue, Mar 11, 2008 at 03:39:22PM +0100, Plüm, Rüdiger, VF-Group wrote:
> > It occurred to me recently that it is relatively simple to prevent
> > "CSRF" attacks against the balancer-handler (see CVE-2007-6420), by
> > generating a "secret" nonce at startup and requiring the presence of
> > that secret in the submitted parameters.
> >
> > Any objections?
>
> Just that I understand this correctly: The GET requests that actually do
> some configuration changes via the balancer manager become invalid as
> soon as httpd is restarted (graceful restart is not sufficient, correct?).
> As long as httpd keeps running the GET requests remain valid and can be
> reused.

Correct. If you submit a form making some balancer config changes, and
httpd has been through a full stop/start since the form was loaded into
the browser, the changes will be ignored.

(You could perhaps argue that this is a good thing anyway, since the
balancer config may have changed completely in the restart?)

joe
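The nonce scheme discussed in this thread, as an added illustration that is not the mod_proxy_balancer patch or any httpd code: a secret is drawn from the OS CSPRNG once at startup, every config-changing request must carry it in its query string, and the comparison is constant-time. restart_scenario() walks through the case Rüdiger asks about, where a URL issued before a full stop/start is refused afterwards. The parameter names (b, w, nonce), the hex encoding and the 128-bit size are assumptions for the example.

```c
#include <stdio.h>
#include <string.h>
#define NONCE_LEN 32  /* assumed: 128 random bits, hex-encoded */

/* Drawn once at startup from the OS CSPRNG; a full stop/start yields a new one. */
int generate_nonce(char out[NONCE_LEN + 1]) {
    unsigned char raw[NONCE_LEN / 2];
    FILE *f = fopen("/dev/urandom", "rb");
    size_t got = f ? fread(raw, 1, sizeof raw, f) : 0;
    if (f) fclose(f);
    if (got != sizeof raw) return -1;
    for (size_t i = 0; i < sizeof raw; i++) sprintf(out + 2 * i, "%02x", raw[i]);
    return 0;
}
/* Constant-time compare: a mismatch must not leak which byte differed. */
static int ct_equal(const char *a, const char *b, size_t n) {
    unsigned char d = 0;
    for (size_t i = 0; i < n; i++) d |= (unsigned char)(a[i] ^ b[i]);
    return d == 0;
}
/* Find key=value in "b=cluster&w=worker&nonce=..."; copies the value, returns 1 if found. */
int query_param(const char *query, const char *key, char *val, size_t vlen) {
    size_t klen = strlen(key);
    for (const char *p = query; p && *p; ) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        if (plen > klen && !strncmp(p, key, klen) && p[klen] == '=' && plen - klen - 1 < vlen) {
            memcpy(val, p + klen + 1, plen - klen - 1);
            val[plen - klen - 1] = '\0';
            return 1;
        }
        p = amp ? amp + 1 : NULL;
    }
    return 0;
}
/* A config-changing request is honoured only if it carries the nonce of the
 * running server; a missing, malformed or stale nonce is refused. */
int request_authorized(const char *query, const char *nonce) {
    char submitted[NONCE_LEN + 1];
    if (!query_param(query, "nonce", submitted, sizeof submitted)) return 0;
    return strlen(submitted) == NONCE_LEN && ct_equal(submitted, nonce, NONCE_LEN);
}
/* The scenario from the thread: a form URL issued before a stop/start is
 * refused afterwards. Returns 1 when every check behaves as expected. */
int restart_scenario(void) {
    char before[NONCE_LEN + 1], after[NONCE_LEN + 1], url[96];
    if (generate_nonce(before) || generate_nonce(after)) return 0;
    snprintf(url, sizeof url, "b=cluster&w=worker&nonce=%s", before);
    return request_authorized(url, before) && !request_authorized(url, after)
        && !request_authorized("b=cluster&w=worker", before);
}
```

A graceful restart that keeps the nonce in place would leave such URLs valid, which is exactly the distinction raised in the thread.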