On 22.05.2014 16:42, Daniel Kahn Gillmor wrote:
> On 05/22/2014 09:59 AM, Reindl Harald wrote:
>> i am not a roundcube dev but my job is development and security
>>
>> * if you don't pass the token verification no login code is running
>> * the login in case of roundcube implies network connections
>> * the login in case of roundcube affects also the mailserver
>>
>> the django project thought the same as you:
>> https://www.djangoproject.com/weblog/2013/sep/15/security/
>
> It's worth noting that django's mitigation of this issue *didn't* have
> to do with CSRF protection -- rather, they limited the size of the
> submitted passwords to 4KiB
yes *for that* issue
but it's also worth noting that *if they had* used
CSRF protection for the login the issue never would have
happened, at least for bots not accepting a cookie and doing
a second request with the correct token
// no login code runs unless the CSRF token checks out first
if ($token_class->verify($input_token))
{
    // only a verified request reaches the expensive step (mail-server connection)
    $user_class->login($username, $password);
}
and the difference is that by limiting the passwords to 4 KiB
that single issue is solved, whereas with CSRF other issues in
the future are also solved:
* what if the hash function is vulnerable with special inputs
* what if someone just DoSes your webmail
* what if your mailserver has rate controls
* what if those rate controls are not enabled for the webmail host
you need to understand layered security and defensive programming
to avoid fixing this issue and that issue and the next issue because
you did not imagine this and that and the next attack vector
besides limiting the input data you process and security tokens
there are also two easy ways left with honeypot fields to
make any webform more secure, which leads to: someone has to
carefully study the login page to achieve a single really
processed login attempt, whether the credentials are correct
or not, and *that* is how you have to design a sane application
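As an added illustration of the layered gate argued for in this thread (example code, not Roundcube's and not the poster's): a login handler that runs the cheap checks, CSRF token, honeypot field and the 4 KiB password cap Django adopted, before any backend login is attempted. The field names `_token`, `_user` and `_pass`, the honeypot name `website`, and the `backend_login` callback standing in for the mail-server connection are assumptions.

```python
import hmac
import secrets

# The cap Django adopted in its September 2013 advisory (cited in the thread).
MAX_PASSWORD_BYTES = 4096


class LoginGate:
    """Cheap checks first; the expensive backend login runs only if all pass.

    Constructed example. `backend_login(user, password)` stands in for the
    real step that opens a connection to the mail server.
    """

    def __init__(self, backend_login):
        self.backend_login = backend_login
        self.backend_calls = 0  # how many attempts actually reached the backend

    def issue_token(self, session):
        """Store a fresh CSRF token in the session and return it for the form."""
        token = secrets.token_hex(16)
        session["csrf_token"] = token
        return token

    def handle(self, session, form):
        # 1. CSRF token: a bot that never fetched the form, or keeps no cookie,
        #    cannot present the token bound to this session.
        expected = session.get("csrf_token", "")
        supplied = form.get("_token", "")
        if not expected or not hmac.compare_digest(
            expected.encode("utf-8"), supplied.encode("utf-8")
        ):
            return "rejected:token"
        # 2. Honeypot: hidden from humans, filled in by form-stuffing bots.
        #    The field name `website` is an assumption.
        if form.get("website", ""):
            return "rejected:honeypot"
        # 3. Size cap before any hashing or network work (the Django fix).
        password = form.get("_pass", "")
        if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
            return "rejected:length"
        # Only now does login code run, and with it the mail-server connection.
        self.backend_calls += 1
        if self.backend_login(form.get("_user", ""), password):
            return "ok"
        return "bad_credentials"
```

Each rejection returns before `backend_calls` is incremented, so a bot replaying the form without the session token never costs the mail server a connection.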
_______________________________________________ Roundcube Development discussion mailing list [email protected] http://lists.roundcube.net/mailman/listinfo/dev
