CSRF tokens are not cryptographically secure

A place for security related announcements and discussions - please check this forum frequently!
Post Reply
cmb
Posts: 12766
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

CSRF tokens are not cryptographically secure

Post by cmb » Tue Oct 17, 2017 3:20 pm

Hi!

It has been noticed that the CSRF tokens generated by CMSimple_XH are not cryptographically secure, and as such do not really fulfill their purpose. This issue has been fixed in CMSimple_XH 1.7.1, so it's best to update to this version. If you're still stuck with CMSimple_XH 1.6 for whatever reason, it is recommended that you apply the patch yourself. However, note that this will only work if you use at least PHP 7.0.0! Unfortunately, there is no easy fix for CMSimple_XH 1.6/PHP 5!
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

cmss
Posts: 103
Joined: Mon Jan 02, 2017 6:15 pm

Re: CSRF tokens are not cryptographically secure

Post by cmss » Sat Sep 22, 2018 12:10 pm

A question in this content is for the safety of the session ID

I read a code like
...if ($session['HTTP_USER_AGENT] != hash("sha512", $_SERVER['HTTP_USER_AGENT'])) ......

I also read about the hash-salt combination for the password (https://www.webmasterpro.de/coding/arti ... chern.html)

Is there a built in alternative in Cmsimple-xh.

cmb
Posts: 12766
Joined: Tue Jun 21, 2011 11:04 am
Location: Mü-Sa, RLP, DE
Contact:

Re: CSRF tokens are not cryptographically secure

Post by cmb » Sat Sep 22, 2018 12:49 pm

cmss wrote:
Sat Sep 22, 2018 12:10 pm
I also read about the hash-salt combination for the password (https://www.webmasterpro.de/coding/arti ... chern.html)

Is there a built in alternative in Cmsimple-xh.
This article is crap, since simple hash algos are insufficient for secure password hashes, and equality comparisons of password and hash are susceptible to timing attacks. The simplest good solution for PHP is to use the Password Hashing functions. CMSimple_XH 1.7 provides a shim for PHP ≥ 5.3.7.
Christoph M. Becker –Plugins for CMSimple_XH, but not for CMSimple 4+

Post Reply