1 (edited by StevenBullen 2008-02-14 10:44)

Topic: CSRF in common.php question...

OK, I have this page with a POST in it with no CSRF token. It works fine for guests/users... but not for admins/mods.

It's this that stops it... which is no doubt security. The question I have is: how do I get round it if I cannot POST a CSRF token? Thanks

// If we're an administrator or moderator, make sure the CSRF token in $_POST is valid (token in post.php is dealt with in post.php) 
if (!empty($_POST) && $pun_user['is_admmod'] && (isset($_POST['confirm_cancel']) || (!isset($_POST['csrf_token']) || $_POST['csrf_token'] !== generate_form_token(get_current_url()))) && basename($_SERVER['PHP_SELF']) != 'post.php') 
    csrf_confirm_form();

Re: CSRF in common.php question...

You can't get around the CSRF check. You need to implement it.
Of course, the confirm screen should allow people to still use the form.

3 (edited by StevenBullen 2008-02-14 11:18)

Re: CSRF in common.php question...

Smartys wrote:

You can't get around the CSRF check. You need to implement it.
Of course, the confirm screen should allow people to still use the form.

I can't edit the arcade game to add a CSRF POST, so how do I get round this?

Somewhere I read something about how the CSRF token can be a word or something. Care to explain a little more, or tell me where I can see it, lol. Cheers

Re: CSRF in common.php question...

You mean editing the games themselves? If you can't do that, you're pretty much stuck.

5 (edited by StevenBullen 2008-02-14 11:22)

Re: CSRF in common.php question...

Doh! You replied before I finished my edit.
Erm... stuck! Other forums have these games. Is PunBB the only one to run this CSRF system?

So why do users work fine? Is that not the same risk?

Re: CSRF in common.php question...

I have absolutely no idea. But I don't see why you can't pass the game the proper CSRF token via the URL and then have it use that when POSTing.

Re: CSRF in common.php question...

Smartys wrote:

I have absolutely no idea. But I don't see why you can't pass the game the proper CSRF token via the URL and then have it use that when POSTing.

This is probably possible... but not really ideal for 300 or so games. It would take me years... tongue

This is a little worrying because I can't even get round it, lol. The hook won't let me as it's after it, lol.

Re: CSRF in common.php question...

When you're writing your own arcade.php file you can't add a call to the CSRF generation function in the right place? o.O

Re: CSRF in common.php question...

The posting is done from the Flash object, not from the page. Correct? Which means anything I have passed to the page will not be passed via the submit score button. Unless I'm missing something, which is probably what's happening here... smile

Re: CSRF in common.php question...

game.swf?csrf_token=foo
You can't get the value of csrf_token from that?

Re: CSRF in common.php question...

One solution is to have a "proxy script", which just adds the CSRF token and sends it all along to wherever it should go.

Re: CSRF in common.php question...

Smartys wrote:

You can't get around the CSRF check. You need to implement it.

Can you explain how to do that or is too complicated?

13 (edited by Smartys 2008-02-18 23:57)

Re: CSRF in common.php question...

No, it's very simple. You should be able to understand it just by looking at the code. wink
Basically, when POSTing, you need to include a hidden field. The name should be csrf_token and the value should be the output of the function generate_form_token. The function takes one parameter, which is the absolute URL of the page you're submitting to.

Edit: Corrected the function name
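For the hidden-field approach just described, here is an added example (not code from the thread or from PunBB itself) of an arcade page that emits the token both for an ordinary HTML form and for a Flash game that receives it through its query string, the way post 10 in this thread suggests. It assumes it runs inside PunBB 1.3, so that include/common.php provides $pun_user and generate_form_token(), that $base_url holds the forum's absolute URL as in config.php, and that arcade.php?action=submit is a hypothetical score handler; the game id and SWF path are constructed for the example.

```php
<?php
// Added example, not PunBB's own code: an arcade page that embeds the CSRF
// token the way the check in common.php expects it. Assumes PunBB 1.3, so
// include/common.php supplies $pun_user and generate_form_token(); $base_url
// (from config.php) is the forum's absolute URL; arcade.php?action=submit is
// a hypothetical score handler.
define('PUN_ROOT', './');
require PUN_ROOT.'include/common.php';

// The token is bound to the exact URL the POST goes to: common.php compares
// $_POST['csrf_token'] with generate_form_token(get_current_url()) on the
// receiving request, so build the same absolute URL here. A relative path
// such as 'arcade.php?action=submit' hashes to a different token and fails.
$submit_url = $base_url.'/arcade.php?action=submit';
$token      = generate_form_token($submit_url);

// Constructed input for the example: which game is being shown.
$game_id = isset($_GET['game']) ? intval($_GET['game']) : 0;
?>
<!-- Plain HTML form: the hidden field is all the check needs. -->
<form method="post" action="<?php echo htmlspecialchars($submit_url); ?>">
	<input type="hidden" name="csrf_token" value="<?php echo htmlspecialchars($token); ?>" />
	<input type="hidden" name="game_id" value="<?php echo $game_id; ?>" />
	<input type="text" name="score" value="" />
	<input type="submit" value="Submit score" />
</form>

<!-- Flash variant: the SWF cannot read the page around it, so hand it the
     token and the target URL in its query string. The game must then POST a
     field named csrf_token (value unchanged) alongside the score. -->
<?php
$swf = 'games/game'.$game_id.'.swf?csrf_token='.rawurlencode($token)
	.'&submit_url='.rawurlencode($submit_url);
?>
<object type="application/x-shockwave-flash" data="<?php echo htmlspecialchars($swf); ?>" width="640" height="480">
	<param name="movie" value="<?php echo htmlspecialchars($swf); ?>" />
</object>
```

The URL passed to generate_form_token() has to match, character for character, the URL the forum will see when the POST arrives (scheme, host, path and query string included), because get_current_url() on that request is what common.php hashes; that is the mistake behind "I was actually using the relative path" later in this thread.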

Re: CSRF in common.php question...

Smartys wrote:

No, it's very simple. You should be able to understand it just by looking at the code. wink
Basically, when POSTing, you need to include a hidden field. The name should be csrf_token and the value should be the output of the function generate_csrf_token. The function takes one parameter, which is the absolute URL of the page you're submitting to.

Thanks Smartys, I was actually using the relative path.

(sidenote: the function's name is generate_form_token, not generate_csrf_token, just for those wondering).

Re: CSRF in common.php question...

Thanks, corrected smile

Re: CSRF in common.php question...

Smartys wrote:

game.swf?csrf_token=foo
You can't get the value of csrf_token from that?

Yeah but doing this I will still need to edit all the games to POST the csrf_token. Correct?

I did a few and this works fine. But I have no interest in doing all the games.
Any idea of a way around this?

Re: CSRF in common.php question...

No, for security reasons there is no way around it.

Re: CSRF in common.php question...

StevenBullen wrote:

Any idea of a way around this?

intedinmamma wrote:

One solution is to have a "proxy script", which just adds the CSRF token and sends it all along to wherever it should go.

smile

Re: CSRF in common.php question...

intedinmamma wrote:

One solution is to have a "proxy script", which just adds the CSRF token and sends it all along to wherever it should go.

Will this work on 100% of what PunBB 1.3 will work on? I am positive not all people/hosts let you run proxy scripts etc.

Re: CSRF in common.php question...

StevenBullen wrote:

intedinmamma wrote:

One solution is to have a "proxy script", which just adds the CSRF token and sends it all along to wherever it should go.

Will this work on 100% of what PunBB 1.3 will work on? I am positive not all people/hosts let you run proxy scripts etc.

It should be quite easy as long as you can use fsockopen() (available in both PHP 4 & 5). Doing it that way you will just have to resend the POST data along with a CSRF token; check php.net for examples on doing the harder half of it.
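The "proxy script" described in the last few posts, as an added example that is not from the thread or from PunBB: a hypothetical score_proxy.php that an unmodified Flash game POSTs to, which appends a valid csrf_token and re-sends the POST to the real handler with fsockopen(), forwarding the caller's cookies so the forum sees the same logged-in user. It assumes PunBB 1.3 (include/common.php provides $pun_user and generate_form_token()), $base_url from config.php, and a hypothetical handler arcade.php?action=submit. Two things the thread does not spell out are handled: the check quoted in the first post fires for any admin/mod POST without a token, so it would redirect the proxy itself to csrf_confirm_form() unless the proxy hides the game's POST from common.php; and a script that mints a token for whatever POST arrives with the user's cookie reopens exactly the cross-site exposure the check closes, so the example refuses requests that did not come from this site's own pages.

```php
<?php
// Added example, not from the thread or PunBB: score_proxy.php. The Flash
// game POSTs its score here; this script adds a csrf_token and re-sends the
// POST to the real handler with fsockopen(). Assumes PunBB 1.3 (common.php
// gives $pun_user and generate_form_token()), $base_url from config.php, and
// a hypothetical handler arcade.php?action=submit.

// common.php runs csrf_confirm_form() for ANY admin/mod POST without a valid
// token, this script included. Stash the game's POST and hand common.php an
// empty $_POST so the proxy itself is not intercepted.
$score_post = $_POST;
$_POST = array();
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
	$score_post = array_map('stripslashes', $score_post);   // what common.php would do for $_POST

define('PUN_ROOT', './');
require PUN_ROOT.'include/common.php';

$target = $base_url.'/arcade.php?action=submit';

if ($_SERVER['REQUEST_METHOD'] !== 'POST' || empty($score_post))
{
	header('HTTP/1.1 405 Method Not Allowed');
	exit('POST only');
}

// Caveat: minting a token for whatever POST arrives with the user's cookie is
// the exposure the token exists to prevent. A same-host Referer check narrows
// it to requests from this site's own pages; weaker than a real token, but
// what an unmodifiable SWF allows. No Referer is refused, not trusted.
$site_host    = parse_url($base_url, PHP_URL_HOST);
$referer_host = isset($_SERVER['HTTP_REFERER']) ? parse_url($_SERVER['HTTP_REFERER'], PHP_URL_HOST) : '';
if (!$referer_host || strcasecmp($referer_host, $site_host) !== 0)
{
	header('HTTP/1.1 403 Forbidden');
	exit('Request must originate from this site');
}

// Rebuild the body with the one field the real handler insists on. The token
// is generated for the handler's absolute URL, the same string the forum's
// get_current_url() will produce when the forwarded request arrives.
$score_post['csrf_token'] = generate_form_token($target);
$body = http_build_query($score_post);

$u    = parse_url($target);
$ssl  = (strtolower($u['scheme']) === 'https');
$port = isset($u['port']) ? $u['port'] : ($ssl ? 443 : 80);
$path = $u['path'].(isset($u['query']) ? '?'.$u['query'] : '');

$fp = @fsockopen(($ssl ? 'ssl://' : '').$u['host'], $port, $errno, $errstr, 10);
if (!$fp)
{
	header('HTTP/1.1 502 Bad Gateway');
	exit('Could not reach score handler: '.htmlspecialchars($errstr));
}

// Hand-built HTTP/1.0 request; forwarding the Cookie header keeps the forum's
// view of "who is posting" identical to a direct submission.
$request  = 'POST '.$path." HTTP/1.0\r\n";
$request .= 'Host: '.$u['host']."\r\n";
$request .= "Content-Type: application/x-www-form-urlencoded\r\n";
$request .= 'Content-Length: '.strlen($body)."\r\n";
if (!empty($_SERVER['HTTP_COOKIE']))
	$request .= 'Cookie: '.$_SERVER['HTTP_COOKIE']."\r\n";
$request .= "Connection: close\r\n\r\n".$body;

fwrite($fp, $request);
$response = '';
while (!feof($fp))
	$response .= fread($fp, 8192);
fclose($fp);

// Relay the handler's status line and body to the game; the handler's own
// headers (Set-Cookie, caching) belong to that hop, not to this one.
$parts  = explode("\r\n\r\n", $response, 2);
$status = strtok($parts[0], "\r\n");
if (strpos($status, 'HTTP/') === 0)
	header($status);
echo isset($parts[1]) ? $parts[1] : '';
```

Point the game's submit URL at score_proxy.php (or rewrite the handler's path to it on the web server) and leave arcade.php and the check in common.php untouched. The Referer test is the part to keep an eye on: browsers and Flash players can omit or strip that header, and it is not a substitute for the token the forum normally requires, which is why the thread's own answer to "a way around this" remains "no".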