My understanding of the changes Jamie made included session-awareness (making every request unique; I've noticed this when I fire up Firefox after a crash...Webmin refuses to respond to the requests to reload the old pages, despite the fact that the session data is provided by Firefox on recovery and most sites remain logged in). I'm not actually involved in that aspect of the code, but there were CSRF protections added at the same time (as you say, they go hand in hand). But I'll poke around a bit to make sure there's actually protection against them.
I'm pretty deeply ignorant about XSS and CSRF, but there was an audit performed by a security research company a while back which found that batch of vulnerabilities. CSRF was certainly a known attack vector at the time, so I'm pretty sure it was among the exploits covered. | [reply] |