Re^2: Secure Webmin

Replies are listed 'Best First'.
Re^3: Secure Webmin by SwellJoe (Scribe) on May 28, 2009 at 03:59 UTC
I'm not sure I understand how. Could you explain a bit more?	[reply]
Re^4: Secure Webmin by Anonymous Monk on May 28, 2009 at 04:13 UTC
XSS and CSRF go hand in hand, and simple referer checking isn't enough. http://www.cgisecurity.com/csrf-faq.html	[reply]
Re^5: Secure Webmin by SwellJoe (Scribe) on May 30, 2009 at 10:25 UTC
My understanding of the changes Jamie made included session-awareness (making every request unique; I've noticed this when I fire up Firefox after a crash...Webmin refuses to respond to the requests to reload the old pages, despite the fact that the session data is provided by Firefox on recovery and most sites remain logged in). I'm not actually involved in that aspect of the code, but there were CSRF protections added at the same time (as you say, they go hand in hand). But I'll poke around a bit to make sure there's actually protection against them. I'm pretty deeply ignorant about XSS and CSRF, but there was an audit performed by a security research company a while back which found that batch of vulnerabilities. CSRF was certainly a known attack vector at the time, so I'm pretty sure it was among the exploits covered.	[reply]