Session ID in zabbix url

#1 alj (Senior Member, member since Aug 2006, 188 posts)

Please do not pass the session ID via the Zabbix URL.
I often have to give links to Zabbix graphs to different people via mail.
It is kinda a lot of extra work to discard the SID from every URL I grab; otherwise the link will not work after the session has expired.

Cookies are made for that.... Not URLs.
#2 Aly (ZABBIX developer, member since May 2007, 1126 posts)

Ooh I see, and what could the solution to CSRF be?

Zabbix | ex GUI developer

#3 Alexei (Founder, CEO; Zabbix Certified Trainer, Specialist and Professional; member since Sep 2004, 5654 posts)

Alexei Vladishev
Creator of Zabbix, Product manager
New York | Tokyo | Riga

#4 alj (Senior Member, member since Aug 2006, 188 posts)

Originally posted by Aly:
    Ooh I see, and what could the solution to CSRF be?

Well, it's OK if the SID is present in the admin interface or where people edit stuff.
But a simple link to a graph or screen should not have that, IMO.
What is there so critical to forge or steal?

Alternatively, you can always check the referrer for critical URLs. If the referrer domain is different from the Host header, then you simply reset the session and redirect to the login screen.

#5 Aly (ZABBIX developer, member since May 2007, 1126 posts)

Originally posted by alj:
    Well, it's OK if the SID is present in the admin interface or where people edit stuff.
    But a simple link to a graph or screen should not have that, IMO.
    What is there so critical to forge or steal?

    Alternatively, you can always check the referrer for critical URLs. If the referrer domain is different from the Host header, then you simply reset the session and redirect to the login screen.

CSRF on any page could lead to unwanted results. I bet many admins wouldn't be glad if some commercial customer's Zabbix account were hacked through a small security hole.

FYI, the referrer can't be trusted.

Zabbix | ex GUI developer

#6 alj (Senior Member, member since Aug 2006, 188 posts)

Originally posted by Aly:
    CSRF on any page could lead to unwanted results. I bet many admins wouldn't be glad if some commercial customer's Zabbix account were hacked through a small security hole.

    FYI, the referrer can't be trusted.

Referrers can be trusted well enough.
If the referrer is forged, then this is NOT an authenticated user's browser, so it doesn't have the cookie you worry about.

Anyway, if you don't want to clean up URLs, what is the proper solution for users to send links to publicly available graphs to each other?

I have no problem filtering SIDs, but I had to explain this to users every time they tell me "your graphs are broken" when they try to forward a link to somebody and the session expires.

Also, forwarding an authenticated session to someone is probably an even higher security risk than storing it in the cookie.
This is straightforward privilege escalation: another user opens a URL with the SID and BAM - he is not himself anymore. How is that more secure than a cookie?

#7 Aly (ZABBIX developer, member since May 2007, 1126 posts)

Originally posted by alj:
    Referrers can be trusted well enough.
    If the referrer is forged, then this is NOT an authenticated user's browser, so it doesn't have the cookie you worry about.

The referrer can be spoofed.

Originally posted by alj:
    Anyway, if you don't want to clean up URLs, what is the proper solution for users to send links to publicly available graphs to each other?

    I have no problem filtering SIDs, but I had to explain this to users every time they tell me "your graphs are broken" when they try to forward a link to somebody and the session expires.

There is no problem sending a URL to a graph to someone else; the SID isn't checked with such a request.
If a user's session has expired, he will not see any Zabbix page, because he is not logged in.

Originally posted by alj:
    Also, forwarding an authenticated session to someone is probably an even higher security risk than storing it in the cookie.
    This is straightforward privilege escalation: another user opens a URL with the SID and BAM - he is not himself anymore. How is that more secure than a cookie?

Did you check this? I doubt it.

Zabbix | ex GUI developer

#8 alj (Senior Member, member since Aug 2006, 188 posts)

Originally posted by Aly:
    The referrer can be spoofed.

How exactly would you spoof the Referrer and get the cookie from the user's browser at the same time?

Originally posted by Aly:
    There is no problem sending a URL to a graph to someone else; the SID isn't checked with such a request.
    If a user's session has expired, he will not see any Zabbix page, because he is not logged in.
    Did you check this? I doubt it.

Yes, I did check it now and apparently this is not an issue anymore.
Probably got fixed at some point /shrug
Sorry to waste your time.
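As an added example (not code from the thread or from Zabbix itself), this shows the Referer-vs-Host check alj proposes in #4 together with the caveat behind the "can't be trusted" objection in #5 (a Referer is frequently absent, so the check has to fail closed and compare the whole authority), plus the SID-stripping alj describes in #1 for links that are forwarded by mail. It assumes headers arrive as a plain dict and that the session parameter is named `sid`.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Constructed request headers standing in for a framework request object
# (assumption: a plain dict keyed by header name; not Zabbix's own code).


def referer_matches_host(headers):
    """Referer-vs-Host check as proposed in the thread, with the decisions a
    deployment has to make explicit: a missing Referer (browsers, proxies and
    privacy settings often strip it) counts as a mismatch, so the check fails
    closed, and the comparison covers the full authority (host[:port]) rather
    than a prefix, so a look-alike domain does not pass."""
    hdr = {k.lower(): v for k, v in headers.items()}
    host = hdr.get("host", "").strip().lower()
    referer = hdr.get("referer", "").strip()
    if not host or not referer:
        return False
    parts = urlsplit(referer)
    if parts.scheme not in ("http", "https"):
        return False
    return parts.netloc.lower() == host


def strip_sid(url, param="sid"):
    """Drop the session-id query parameter (name assumed to be 'sid') so a
    graph link can be forwarded without carrying a session token."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k != param]
    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       urlencode(kept), parts.fragment))


if __name__ == "__main__":
    # constructed sample requests
    same = {"Host": "zabbix.example.com",
            "Referer": "https://zabbix.example.com/charts.php"}
    lookalike = {"Host": "zabbix.example.com",
                 "Referer": "https://zabbix.example.com.other.test/"}
    print(referer_matches_host(same), referer_matches_host(lookalike))
    print(strip_sid("https://zabbix.example.com/chart2.php"
                    "?graphid=523&sid=a1b2c3&period=3600"))
```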