Support CSRF for logged-out users
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	epriestley
	Jan 23 2014, 4:32 PM

Description

See https://hackerone.com/reports/774. A researcher reports that you can CSRF the login form for a logged-out user. That is, if you know the username and password of a Phabricator account, you can execute a targeted attack which logs a victim in with those credentials by having them visit a page which submits a login form on their behalf. (They must not already be logged in to another account.)

I think this is really scraping the bottom of the barrel in terms of legitimacy, but does represent a capability escalation and isn't an attack I was cognizant of (the lack of logged-out CSRF is known, but not threatening in other cases). I'm going to award this as legitimate and fix it.

Revisions and Commits

rP Phabricator
	D8051	rPfebc494737be Actually check CSRF on Password and LDAP forms
	D8046	rPf9ac534f255d Support CSRF for logged-out users
	D8045	rP24544b1a2f24 Straighten out absolute/relative URIs in login providers
	D8044	rPa2515921b635 Detect developer error when constructing forms with absolute URIs
	D8043	rP69ddb0ced631 Issue "anonymous" sessions for logged-out users
	D8041	rP072741802350 Consolidate use of magical cookie name strings