Against CSRF ... (2)
Date 2006-06-01 04:16:00 | Category: XOOPS
XOOPS has a simple CSRF defence built into its DB layer:

POST && good Referer --> allow any SQL
!POST || bad Referer --> allow only SQL starting with "SELECT"

This is troublesome.
If someone posts a news item with the Referer header switched off, he gets the message "Your post has been received, successfully", but in fact no such post exists: the INSERT was silently dropped by the DB layer, and the controller carried on as if it had succeeded.
It is both obscure and insecure.
I insist that such protection in the DB layer should be removed, and that each controller should instead be implemented with a token (ticket).
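To make the two policies concrete, here is an added example written for this page; it is not XOOPS code. The class and function names (RefererDbGate, CsrfTicket, postNewsViaGate, postNewsWithTicket) are hypothetical, a PHP array stands in for the database, and "good Referer" is assumed to mean a Referer that begins with the site's own URL. The first half reproduces the failure described above: the controller reports success while the DB layer swallowed the INSERT. The second half shows the ticket approach, which rejects a forged request in the controller with a clear message and does not care whether the Referer is present.

```php
<?php
// Added example, not XOOPS's own code. Hypothetical names throughout.
// Assumes a "good" referer is one starting with the site's own URL, and
// uses plain arrays in place of a real database so it runs stand-alone.

// Policy 1: the referer check in the DB layer.
//   POST && good referer -> any SQL; otherwise only SQL starting with SELECT.
class RefererDbGate
{
    private string $siteUrl;
    public array $executed = [];          // queries that actually ran

    public function __construct(string $siteUrl)
    {
        $this->siteUrl = $siteUrl;
    }

    private function refererIsGood(?string $referer): bool
    {
        return $referer !== null
            && strncmp($referer, $this->siteUrl, strlen($this->siteUrl)) === 0;
    }

    // Returns true if the query ran, false if it was silently swallowed.
    public function query(string $sql, string $method, ?string $referer): bool
    {
        $writeAllowed = $method === 'POST' && $this->refererIsGood($referer);
        if (!$writeAllowed && stripos(ltrim($sql), 'SELECT') !== 0) {
            return false;                 // the caller is not told why
        }
        $this->executed[] = $sql;
        return true;
    }
}

// A controller that relies on the gate reports success whether or not the INSERT ran.
function postNewsViaGate(RefererDbGate $db, string $method, ?string $referer): string
{
    $db->query("INSERT INTO news (title) VALUES ('hello')", $method, $referer);
    return 'Your post has been received, successfully';
}

// Policy 2: a per-form ticket kept in the session and checked by the controller.
class CsrfTicket
{
    public static function issue(array &$session): string
    {
        $ticket = bin2hex(random_bytes(16));
        $session['ticket'] = $ticket;     // emitted as <input type="hidden" name="ticket">
        return $ticket;
    }

    public static function check(array &$session, ?string $submitted): bool
    {
        $expected = $session['ticket'] ?? null;
        unset($session['ticket']);        // single use: a replayed ticket fails
        return $expected !== null && $submitted !== null && hash_equals($expected, $submitted);
    }
}

// The controller refuses early and says so; the DB layer needs no referer logic.
function postNewsWithTicket(array &$session, string $method, ?string $ticket, array &$news): string
{
    if ($method !== 'POST' || !CsrfTicket::check($session, $ticket)) {
        return 'Rejected: missing or invalid ticket';
    }
    $news[] = 'hello';
    return 'Your post has been received, successfully';
}

// Demonstration.
$gate = new RefererDbGate('http://example.com/');
// Legitimate POST with the Referer header switched off: success message, nothing written.
echo postNewsViaGate($gate, 'POST', null), ' / rows written: ', count($gate->executed), "\n";

$session = [];
$news = [];
$ticket = CsrfTicket::issue($session);                              // rendered into the form
echo postNewsWithTicket($session, 'POST', $ticket, $news), "\n";    // accepted, Referer irrelevant
echo postNewsWithTicket($session, 'POST', 'forged', $news), "\n";   // cross-site forgery rejected
echo 'rows written: ', count($news), "\n";
```

Run it with `php` on the command line. The ticket is consumed on first use, so a forged request cannot reuse one that leaked, and a user whose browser or proxy strips Referer is no longer silently ignored.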