
History: TikiSecurity

Preview of version: 10

Our currently implemented system works well; however, we do have a problem with users who use more than one tab or window to browse the same Tiki site. In these situations you will probably see the Tiki CSRF message.

Disclose a vulnerability


To give us time to patch the system, please report the vulnerability in the bug tracking system under the category "security", without detailing the vulnerability so that it cannot be exploited. Leave your e-mail address so we can contact you.

List of Security issues Present

Cross-Site Request Forgeries (CSRF)

Taken from PHP Under Attack:
Cross Site Request Forgery (CSRF) exploits the trust a web site has for a particular user. It involves tricking a user into unknowingly sending an HTTP request of the attacker's choosing to the vulnerable web site. The following example demonstrates CSRF:

  1. A trusted user logs into http://top-secret-site.com/vulnerable.cgi
  2. The user is tricked into visiting a malicious site.
  3. The malicious web site sends the user the following HTML:

  <img src="http://top-secret-site.com/vulnerable.cgi?action=trusteduseraction&user=gullibledude">
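The defence Tiki uses against this is a per-session ticket embedded in each form; the multi-tab problem mentioned at the top of this page comes from keeping only one valid ticket per session. The following is an added Python example (not Tiki's code and not the logic of lib/tikiticketlib.php) showing that failure beside a bounded-set variant that lets each open tab keep its own ticket; the class name, MAX_TICKETS and the helper functions are assumptions.

```python
import hmac
import secrets
from collections import OrderedDict

MAX_TICKETS = 8  # assumption: outstanding form tickets one session may hold


class SessionTickets:
    """Per-session store of outstanding anti-CSRF tickets (hypothetical).

    With max_tickets=1 only the most recently rendered form is valid, so a
    user with two tabs loses the first tab's ticket as soon as the second
    tab renders a form.  A small bounded set keeps one ticket per open form.
    """

    def __init__(self, max_tickets=MAX_TICKETS):
        self.max_tickets = max_tickets
        self.tickets = OrderedDict()  # ticket -> None, kept in issue order

    def issue(self):
        """Called while rendering a form; the value goes into a hidden field."""
        ticket = secrets.token_urlsafe(32)
        self.tickets[ticket] = None
        while len(self.tickets) > self.max_tickets:
            self.tickets.popitem(last=False)  # evict the oldest ticket
        return ticket

    def verify(self, submitted):
        """Called on POST; a ticket is single-use and is consumed on success."""
        if not isinstance(submitted, str):
            return False
        for ticket in self.tickets:
            # constant-time comparison; bytes avoid TypeError on non-ASCII input
            if hmac.compare_digest(ticket.encode(), submitted.encode()):
                del self.tickets[ticket]
                return True
        return False


def two_tabs_single_ticket():
    """Single-ticket store: tab 1's form is rejected after tab 2 renders."""
    store = SessionTickets(max_tickets=1)
    t1 = store.issue()  # tab 1 renders a form
    t2 = store.issue()  # tab 2 renders another form; t1 is evicted
    return store.verify(t1), store.verify(t2)  # (False, True)


def two_tabs_bounded_store():
    """Bounded store: both tabs submit fine, replay and forged values fail."""
    store = SessionTickets()
    t1, t2 = store.issue(), store.issue()
    return (store.verify(t1), store.verify(t1),  # ok, then replay refused
            store.verify("not-a-ticket"), store.verify(t2))
```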

The following is an article from ApacheCon - very good reading.
Secure PHP Programming: Foiling Cross-Site Attacks

Here are some pieces of background for your personal knowledge (excerpt from many mails from Jun Moriya):

Jun 13, 2001 bugtraq at securityfocus.com
Cross Site Request Forgeries (CSRF, pronounced "sea surf")
http://www.tux.org/~peterw/csrf.txt

2003/07 php conference at oscon 2003
http://conferences.oreillynet.com/os2003/php/

PHP Under Attack
http://conferences.oreillynet.com/cs/os2003/view/e_sess/4114

PHP Under Attack OSCON 2003 (slide)
http://talks.php.net/show/php-under-attack
http://talks.php.net/show/php-under-attack/11
http://talks.php.net/show/php-under-attack/15

Read the documentation in the comments of the file lib/tikiticketlib.php:
http://de.tikiwiki.org/xref-head/lib/tikiticketlib.php.source.html

security bugtraq

List of Security issues Past


security bugtraq

Easy DOS?

  • Hitting F5 repeatedly to refresh a page can easily ratchet up server load... try it at home and see what happens
  • the ab command, if you've got Apache running... try this one at home



Security issues when developing Tiki

How to Secure Tiki
