Hello Manuell,

This kind of question has been a topic for us as well.

It seems to me that the first line of defense is the authentication. On the 
Admin Interface communication may just be via POST requests, but the Admin 
Interface is protected using (configurable) authentication.
So a CSRF attack would have to first "steal" a session cookie before 
successfully being able to submit any request.

Assuming this is really a problem for you, I don't think the mgnlCK 
("cache-killer") token will be of any help. This is just a "dummy" parameter 
which has the effect of disabling any caching when working on the author 
instance. AFAIK this parameter is simply ignored.

I think you could probably implement what you need by adding a filter (or maybe 
a custom login-module) fairly early in Magnolia's filter chain.
This filter could perform 2 checks:
1. On Login, associate the session with the client IP. Subsequently, if the 
client IP changes for the session, reject the request. (IP-locked sessions)
2. Associate each response with a (cryptographically secured) cookie-based 
token. Accept each request only if it has a valid token.

This would prevent replay attacks (and use of the "Back" button!), but could be 
some work to implement.

I wonder if this level of security is really required?

Regards from Vienna,

Richard
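The token-based check (point 2 above), as an added example that is neither part of the original mail nor Magnolia's own code: a hypothetical CsrfToken class that a filter in the chain would call once per request with the HTTP method, the cookie value, the echoed form parameter and the session id, setting the returned value as the cookie or answering 403 on null. The cookie and parameter names, and the IP check from point 1, are left to the filter.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper behind check 2 above (not Magnolia's own code): a token issued in a cookie,
// bound to the session by an HMAC, echoed in every state-changing request and rotated after use.
public final class CsrfToken {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    private final SecureRandom rng = new SecureRandom();
    private final byte[] key = new byte[32];   // HMAC key, generated once per server instance
    public CsrfToken() { rng.nextBytes(key); }
    // token = nonce "." HMAC-SHA256(key, sessionId "." nonce): unforgeable without the key, and a
    // token captured from one session does not verify for another.
    public String issue(String sessionId) {
        byte[] nonce = new byte[16];
        rng.nextBytes(nonce);
        String n = B64.encodeToString(nonce);
        return n + "." + mac(sessionId + "." + n);
    }

    public boolean verify(String token, String sessionId) {
        int dot = token == null ? -1 : token.indexOf('.');
        if (dot < 1) return false;
        byte[] expected = mac(sessionId + "." + token.substring(0, dot)).getBytes(StandardCharsets.UTF_8);
        byte[] given = token.substring(dot + 1).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, given);   // constant-time comparison
    }

    // Per-request decision for a filter: returns the token to set as the response cookie, or null
    // when the request must be rejected (HTTP 403). Safe methods never need the parameter.
    public String check(String method, String cookieToken, String paramToken, String sessionId) {
        if ("GET".equals(method) || "HEAD".equals(method)) {
            return verify(cookieToken, sessionId) ? cookieToken : issue(sessionId);
        }
        if (paramToken == null || !paramToken.equals(cookieToken) || !verify(paramToken, sessionId)) {
            return null;
        }
        return issue(sessionId);   // consumed: rotating it makes a replay or "Back" resubmit fail
    }
    private String mac(String data) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(key, "HmacSHA256"));
            return B64.encodeToString(m.doFinal(data.getBytes(StandardCharsets.UTF_8)));
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }
}
```

Because the token is tied to the session id rather than stored in the session, nothing has to be kept server-side beyond the key; a token from another session, a tampered signature, or a token already consumed by a previous POST all fail verification.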



-----Original Message-----
From: dev-list-ow...@magnolia-cms.com [mailto:dev-list-ow...@magnolia-cms.com] 
On behalf of Manuel Hirschauer
Sent: Monday, 05 December 2011 10:29
To: dev-list@magnolia-cms.com
Subject: [magnolia-dev] Cross-Site Request Forgery

Hello All,

I posted this on the user list but maybe this is more appropriate here.

Is there a way to prepare Magnolia against Cross-Site Request Forgery?

If I create a form on a webpage it contains a form token. That is used for 
multi-forms as I understand. But also protects against CSRF.

But in the admin interface the commands are just post requests?
Is it possible to add a token to every action from the web interface?

There is a parameter mgnlCK. As far as I understand this is just a timestamp? 
To disable the cache?
Could this be used as a security token?

Or is there another way to protect Magnolia from CSRF?

Is there a solution for the enterprise edition maybe?
Or a future Magnolia version (as for now I am using 4.4.4)?

Thanks and regards,
Manuel Hirschauer




----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------