On the topic of protection against CSRF ... (2)

Date 2006-06-01 04:16:00 | Category: XOOPS

XOOPS has a simple system for preventing CSRF at the DB layer.

POST && Good Referer --> allow all SQL
!POST || Bad Referer --> allow only SQL starting with "SELECT"

This is troublesome.

If someone posts a news item with the Referer header turned off, he will get the message "Your post has been received, successfully", but in fact no such post exists: the INSERT was silently refused by the DB layer.

It's both obscure and insecure.

I insist that such protection in the DB layer should be removed, and that each controller should be implemented with a token (ticket).
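To make the failure mode concrete, here is an added Python model (not XOOPS code) of the two approaches described above: the method/Referer gate in the DB layer, where a controller that never checks the query result reports success for a silently dropped INSERT, and a per-form ticket check that rejects the request explicitly. SITE_URL, the session dict and all function names are assumptions made for this illustration.

```python
import hmac
import secrets

# Constructed placeholder for the site's own URL; a "good" Referer starts with it.
SITE_URL = "http://example.invalid/"


def db_layer_allows(sql, method, referer):
    """Reconstruction of the rule in the post: POST && good Referer -> any SQL;
    otherwise only SQL starting with SELECT is executed."""
    is_post = method.upper() == "POST"
    good_referer = referer is not None and referer.startswith(SITE_URL)
    if is_post and good_referer:
        return True
    return sql.lstrip().upper().startswith("SELECT")


def post_news_referer_gate(method, referer, title):
    """Controller relying on the DB gate. It never checks whether the INSERT
    ran, so the user sees a success message even when nothing was stored."""
    sql = "INSERT INTO news (title) VALUES ('%s')" % title.replace("'", "''")
    executed = db_layer_allows(sql, method, referer)
    return {"message": "Your post has been received, successfully",
            "stored": executed}


def issue_ticket(session):
    """Issue a fresh per-form ticket and remember it in the session."""
    session["ticket"] = secrets.token_hex(16)
    return session["ticket"]


def post_news_ticket(session, method, submitted_ticket, title):
    """Controller with its own ticket check: a bad or missing ticket is an
    explicit rejection, never a silent drop. Each ticket is valid once."""
    expected = session.get("ticket")
    if (method.upper() != "POST" or expected is None or submitted_ticket is None
            or not hmac.compare_digest(expected.encode(), submitted_ticket.encode())):
        return {"message": "Invalid ticket; post rejected", "stored": False}
    session.pop("ticket")
    return {"message": "Your post has been received, successfully", "stored": True}
```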

You can read more news at PEAK XOOPS.
http://xoops.peak.ne.jp

The URL for this story is:
http://xoops.peak.ne.jp/md/news/index.php?page=article&storyid=119