[RCD] Roundcube session management

Reindl Harald h.reindl at thelounge.net
Thu May 22 17:03:01 CEST 2014

Am 22.05.2014 16:42, schrieb Daniel Kahn Gillmor:
> On 05/22/2014 09:59 AM, Reindl Harald wrote:
>> i am not a roundcube dev but my job is development and security
>> * if you don't pass the token verification no login code is running
>> * the login in case of roundcube implies network connections
>> * the login in case of roundcube affects also the mailserver
>> the django project thought the same as you:
>> https://www.djangoproject.com/weblog/2013/sep/15/security/
> It's worth noting that django's mitigation of this issue *didn't* have
> to do with CSRF protection -- rather, they limited the size of the
> submitted passwords to 4KiB

yes *for that* issue

but it's also worth noting that *if they had* used
CSRF protection for the login the issue never would have
happened, at least for bots not accepting a cookie and doing
a second request with the correct token

 $user_class->login($username, $password);

and the difference is that with limiting the passwords to 4 KiB
that single issue is solved; with the CSRF protection other issues in
the future are also solved

* what if the hash-function is vulnerable with special inputs
* what if someone just DoSes your webmail
* what if your mailserver has rate-controls
* what if those rate-controls are not enabled for the webmail-host

you need to understand layered security and defensive programming
to avoid fixing this issue and that issue and the next issue because
you did not imagine this and that and the next attack vector

besides limiting the input data you process and security-tokens
there are also two easy ways left with honeypot fields to
make any webform more secure, which leads to: someone has to
carefully study the login page to achieve a single really
processed login attempt whether the credentials are correct
or not, and *that* is how you have to design a sane application


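One way to lay out the checks argued for above in front of `$user_class->login()`, as an added PHP example that is not Roundcube's own code (`$user_class`, the `_token`/`_website`/`_user`/`_pass` field names and the 4 KiB cap taken from the quoted django advisory are assumptions for illustration):

```php
<?php
// Added example, not Roundcube code: the order of defensive checks the post
// argues for, placed in front of the expensive $user_class->login() call.
// All names here ($user_class, the field names, the 4 KiB limit taken from
// the django advisory quoted above) are assumptions for illustration.

const MAX_PASSWORD_BYTES = 4096;   // hard cap on submitted password length

// Check 1: CSRF token. A bot that never fetched the form (and so never got the
// session cookie + token) fails here; no login code runs, no IMAP connection.
function csrf_token_valid(array $session, array $post): bool {
    return isset($session['csrf_token'], $post['_token'])
        && is_string($post['_token'])
        && hash_equals($session['csrf_token'], $post['_token']);
}

// Check 2: honeypot field. The form renders it hidden via CSS; real browsers
// submit it empty, while scripts that fill every field trip over it.
function honeypot_untouched(array $post): bool {
    return !isset($post['_website']) || $post['_website'] === '';
}

// Check 3: input size. Bounding the password before hashing/forwarding it
// avoids feeding huge inputs to the hash function or the mail server.
function password_size_ok(array $post): bool {
    return isset($post['_pass']) && is_string($post['_pass'])
        && strlen($post['_pass']) <= MAX_PASSWORD_BYTES;
}

// Gate: returns true only when every cheap check passed and the real login
// then succeeded; otherwise the request is rejected without touching the
// mail server at all.
function handle_login(array $session, array $post, $user_class): bool {
    if (!csrf_token_valid($session, $post)) {
        return false;                       // reject, nothing else runs
    }
    if (!honeypot_untouched($post)) {
        return false;                       // automated submission
    }
    if (!password_size_ok($post)) {
        return false;                       // oversized input
    }
    // Only now does the costly, network-touching login run.
    return (bool) $user_class->login($post['_user'] ?? '', $post['_pass']);
}
```

The three cheap checks run in order of cost and reject locally, so a request that never carried the session token or that trips the honeypot produces no connection to the mail server and no hashing of attacker-controlled input.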