Drupal CSRF Exploit reported on packetstorm
Heine Fri, 2012/03/09 - 11:06
Update: The Drupal security team just published an official, detailed response.
On March 2nd, 2012, security researcher Ivano Binetti published an advisory on Drupal 7's anti-CSRF measures. The researcher rightly identified the long-standing Logout CSRF annoyance (#144538), but the rest of the advisory is not helpful.
Form Build ID
Contrary to what the advisory says, Drupal 6 and 7 do not use the form build ID to protect against CSRF. The build ID is only used to fetch stored form state from a database table during certain operations.
Anti-CSRF token system
In accordance with the OWASP CSRF recommendations, Drupal uses the field form_token to protect against CSRF with a challenge token that is tied to the current user's session and to the form's form_id (not to the form build ID). The form_token has to remain secret.
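The following is an added example, not Drupal's own code, that models the token scheme just described as a stand-alone PHP script: the token is an HMAC over the form_id, keyed with the session id and a site secret (Drupal 7's drupal_get_token() also mixes in the site's hash salt; the single constant secret, the function names and the session values here are constructed for the demo). It shows why a token only protects what it was issued for: a token accepted for one form in one session is rejected for a different form, for a different session, and when it is absent, which is the situation a cross-site forged request is in.

```php
<?php
// Added example, not Drupal's code: a stand-alone model of a session-bound,
// form-bound anti-CSRF token in the style Drupal 7 uses (HMAC over form_id,
// keyed with the session id and a per-site secret).
// The secret, function names and session ids below are constructed for the demo.

// Per-site secret; Drupal keeps its private key in the database. Constructed here.
const SITE_PRIVATE_KEY = 'constructed-site-private-key-change-me';

// Issue a token for one form, bound to the caller's session.
function form_token_get(string $session_id, string $form_id): string {
    // Keying with the session id means a token captured from one session
    // does not validate in any other session.
    $key = $session_id . SITE_PRIVATE_KEY;
    return hash_hmac('sha256', $form_id, $key);
}

// Check a submitted token against the current session and the form it protects.
function form_token_valid(string $token, string $session_id, string $form_id): bool {
    if ($token === '') {
        return false;
    }
    $expected = form_token_get($session_id, $form_id);
    // Constant-time comparison so the check itself is not a timing oracle.
    return hash_equals($expected, $token);
}

// Demo with constructed session ids and form ids.
$victim_session = 'sess-constructed-0001';
$other_session  = 'sess-constructed-0002';
$form_id        = 'user_profile_form';

$token = form_token_get($victim_session, $form_id);

$cases = [
    'same session, same form (legitimate submit)' =>
        form_token_valid($token, $victim_session, $form_id),
    'same session, token reused on another form' =>
        form_token_valid($token, $victim_session, 'user_logout_form'),
    'different session presents the same token' =>
        form_token_valid($token, $other_session, $form_id),
    'no token at all (a forged cross-site POST)' =>
        form_token_valid('', $victim_session, $form_id),
];

foreach ($cases as $label => $accepted) {
    echo str_pad($label, 48) . ($accepted ? 'accepted' : 'rejected') . PHP_EOL;
}
```

Only the first case is accepted. Note that the scheme's security rests entirely on the token staying secret, which is exactly why the bypasses listed in the next section (XSS, sniffing, MITM) defeat it: each of them lets the attacker read the token rather than guess it.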
Defeat the anti-CSRF token system
There are several ways for the anti-CSRF challenge token system to be defeated:
- When the site has a Cross site scripting (XSS) vulnerability.
- When traffic between an authorized user agent and the server can be sniffed.
- When traffic between an authorized user agent and the server can be intercepted, changed and sent on in a Man In The Middle attack (MITM).
The token challenge system was not designed to cope with these issues, as defenses against them at the token level would be either pointless or impossible. As an example: when traffic can be sniffed or intercepted, an attacker can in typical cases simply extract the authorized user's password or session ID and use these to get access to the site.
The HTTP_REFERRER check proposed in 2.4 is also not very helpful. It fails just like the challenge token system when the site has an XSS vulnerability, and in addition user-generated content on the same site can bypass the check by design, since such requests carry a same-site referrer.
In order to prevent a bypass of the anti-CSRF system, Drupal developers or site administrators should use appropriate defenses:
- Prevent sniffing and MITM with HTTPS.
- Prevent XSS by using the appropriate APIs.
Apart from the Logout link, the advisory does not identify an exploitable CSRF issue in Drupal 7.
This is not an official security team response. I've stepped down as team lead.