On 22.05.2014 16:42, Daniel Kahn Gillmor wrote:
> On 05/22/2014 09:59 AM, Reindl Harald wrote:
>> I am not a roundcube dev, but my job is development and security
>> - if you don't pass the token verification, no login code is running
>> - the login, in the case of roundcube, implies network connections
>> - the login, in the case of roundcube, also affects the mailserver
>> the django project thought the same as you: https://www.djangoproject.com/weblog/2013/sep/15/security/
> It's worth noting that django's mitigation of this issue *didn't* have to do with CSRF protection -- rather, they limited the size of the submitted passwords to 4KiB
yes *for that* issue
but it's also worth noting that *if they had* used CSRF protection for the login, the issue never would have happened, at least for bots that don't accept a cookie and do a second request with the correct token

    if($token_class->verify($input_token)) { $user_class->login($username, $password); }

and the difference is that by limiting passwords to 4 KiB that single issue is solved, while with CSRF protection other issues in the future are also solved
you need to understand layered security and defensive programming to avoid having to fix this issue and that issue and the next issue because you did not imagine this, that and the next attack vector
besides limiting the input data you process and using security tokens, there are also two easy ways left, with honeypot fields, to make any web form more secure, which means someone has to carefully study the login page to achieve a single really processed login attempt, whether the credentials are correct or not, and *that* is how you have to design a sane application
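The layered login gate argued for in the reply above (CSRF token verified before any login code runs, a honeypot field, and a bound on input size as in the Django fix), as an added example in Python. This is not roundcube's or Django's code: the session store, the form field names (`_token`, `_website`, `_user`, `_pass`), the `authenticate()` backend and the four replayed requests are all constructed for illustration, and the post does not spell out its two honeypot variants, so only the simplest one (a hidden field that must stay empty) is shown.

```python
"""Layered login gate: session cookie, CSRF token, honeypot, input bound, then the real login.

Added example; not roundcube's or Django's code. Session store, field names and the
authenticate() backend are constructed for illustration.
"""
import hashlib
import hmac
import secrets

MAX_PASSWORD_BYTES = 4096   # the bound Django applied in its 2013 fix

# Constructed user table: pbkdf2 so an oversized password costs real CPU, as in the Django issue
_SALT = b"example-salt"
_USERS = {"alice": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 20_000)}


class SessionStore:
    """In-memory server-side sessions keyed by the session cookie value (constructed)."""

    def __init__(self):
        self._sessions = {}

    def start(self):
        """Called when the login form is rendered; the form embeds the returned token."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"csrf_token": secrets.token_urlsafe(32)}
        return sid, self._sessions[sid]["csrf_token"]

    def lookup(self, sid):
        return self._sessions.get(sid)


class LoginGate:
    """Order of checks is the point: cheap, local rejections first; CPU and network last."""

    def __init__(self, sessions, authenticate):
        self.sessions = sessions
        self.authenticate = authenticate   # the expensive step (IMAP login for a webmail)
        self.backend_calls = 0             # how many times login code actually ran

    def handle_post(self, cookie_sid, form):
        # 1. A bot that POSTs without ever fetching the form has no session cookie.
        session = self.sessions.lookup(cookie_sid) if cookie_sid else None
        if session is None:
            return "rejected: no session"
        # 2. CSRF token must match the one issued with the form (constant-time compare).
        if not hmac.compare_digest(form.get("_token", ""), session["csrf_token"]):
            return "rejected: bad token"
        # 3. Honeypot: a field hidden from humans by CSS; anything in it marks a bot.
        if form.get("_website", ""):
            return "rejected: honeypot filled"
        # 4. Bound the input before any hashing or network round trip.
        password = form.get("_pass", "")
        if len(password.encode("utf-8")) > MAX_PASSWORD_BYTES:
            return "rejected: password too long"
        # Only a request that passed every layer reaches the real login.
        self.backend_calls += 1
        return "login ok" if self.authenticate(form.get("_user", ""), password) else "login failed"


def authenticate(user, password):
    """Stand-in for the mail-server login; hashes with pbkdf2 like the Django case."""
    stored = _USERS.get(user)
    if stored is None:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), _SALT, 20_000)
    return hmac.compare_digest(candidate, stored)


def run_demo():
    """Replays four constructed POSTs; returns each verdict plus the backend call count."""
    gate = LoginGate(SessionStore(), authenticate)
    results = {}
    # Bot that never fetched the form: no cookie, no token, 1 MiB password.
    results["bot_no_cookie"] = gate.handle_post(None, {"_user": "alice", "_pass": "A" * (1 << 20)})
    # Bot that fetched the form and kept the cookie, but filled the hidden field.
    sid, token = gate.sessions.start()
    results["bot_honeypot"] = gate.handle_post(
        sid, {"_token": token, "_website": "http://x", "_user": "alice", "_pass": "x"})
    # Bot with cookie and token but an oversized password: still no hashing.
    results["bot_long_pass"] = gate.handle_post(
        sid, {"_token": token, "_user": "alice", "_pass": "A" * (MAX_PASSWORD_BYTES + 1)})
    # Real browser: correct token, honeypot untouched, sane password.
    results["human"] = gate.handle_post(
        sid, {"_token": token, "_website": "", "_user": "alice", "_pass": "correct horse"})
    results["backend_calls"] = gate.backend_calls
    return results


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name}: {verdict}")
```

Three of the four requests are turned away before `authenticate()` is ever called, so neither the pbkdf2 work nor a mail-server connection happens for them; only the request that fetched the form, echoed the token and left the honeypot empty reaches the login code. A production gate would additionally rotate the token after a successful login and rate-limit by session, which this example leaves out.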