[Tickets #2565] Re: Gecko Bookmarks extension
bugs at bugs.horde.org
bugs at bugs.horde.org
Thu Aug 16 20:05:58 UTC 2007
DO NOT REPLY TO THIS MESSAGE. THIS EMAIL ADDRESS IS NOT MONITORED.
Ticket URL: http://bugs.horde.org/ticket/?id=2565
-----------------------------------------------------------------------
Ticket | 2565
Updated By | Chuck Hagenbuch <chuck at horde.org>
Summary | Gecko Bookmarks extension
Queue | Trean
Type | Enhancement
State | Feedback
Priority | 2. Medium
Owners |
-----------------------------------------------------------------------
Chuck Hagenbuch <chuck at horde.org> (2007-08-16 13:05) wrote:
> I remembered that the browser is caching the HTTP Basic credentials,
> which is bad. I think I can prevent that. I'm hoping after the
> first call using Basic auth, the cookie I get will be enough.
Unless we modify jsonrpc to use sessions instead of HTTP auth, that won't
work.
> But I think I see now how it's exploitable. Couldn't someone
> automatically submit a FORM with a POST to Horde, and the auth cookie
> would attach to the request regardless of the domain of the POSTing
> site? I guess they may not be able to do much with the response, but
> just sending is enough to do nasty things.
Right. This is a pretty good explanation:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
> So you're suggesting my extension holds a unique, opaque session key
> (probably in addition to the cookie I already have) that isn't stored
> anywhere in the browser proper?
As long as it's not something that is passed when the browser makes a
regular page request, or an xhr request, it'll work.
> Also, is this really specific to JSON-RPC, or is it something that
> could be a problem with any of the RPC methods? Because on second
> thought, I think JSON-RPC requests would be difficult to forge
> because XHR is probably protected enough, and they can't be done by
> FORM that I know of, because they aren't sent using the standard URL
> encoding form. They use a POST Content-Type of 'application/json' or
> something, and the body is straight JSON, not wrapped in URL
> &key=value form.
XHR is protected by cross-domain restrictions; you can do GET requests for
javascript, but jsonrpc (and the other RPC stuff) uses POST.
Other RPC types could be vulnerable if they could be faked by a form
submission. I think you're right that a regular form submit couldn't be
used for jsonrpc (or most of the other RPC types) because you can't create
that data with a regular form. Since the only other way to get the user's
browser to do a POST is with XHR, and that's out of domain, then I think
we're okay here without additional changes and tokens. But it's a good
thing to think through. :)
I want to sit on this another day or so before committing it, though, just
in case.
Thanks!
More information about the bugs
mailing list