in reply to Need help figure out CSRF vulnerability on this cgi code

Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF. As you output all your variables without escaping, all your variables are CSRF opportunities. See HTML::Template for escaping. Basically, add ESCAPE=HTML to all variables in your template.

Also see Is your web application really secure? ("CSRF").

Re^2: Need help figure out CSRF vulnerability on this cgi code
by tinita (Parson) on Mar 31, 2012 at 20:51 UTC
    Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.
    I'd rather say you have XSS, and CSRF is an effect of this, and by eliminating XSS you are not safe from CSRF
    Basically, add add ESCAPE=HTML to all variables in your template.
    or better, use default_escape 'HTML', so you can't forget to do it in the template.
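As an added example (not code from the thread, and not from the HTML::Template distribution itself), the following Perl script contrasts the two approaches the replies above describe: per-variable ESCAPE=HTML, which is silently lost on any TMPL_VAR that forgets it, and default_escape => 'HTML', which escapes every variable unless it is explicitly marked ESCAPE=0. The untrusted string and the two template texts are constructed for illustration. Note that this only addresses the output-escaping (XSS) side of the problem; as tinita points out, it does nothing for CSRF, which needs its own protection.

```perl
#!/usr/bin/env perl
# Added example, not from the original thread: compares per-variable
# ESCAPE=HTML with the constructor-wide default_escape option.
use strict;
use warnings;
use HTML::Template;

# Constructed sample input, standing in for a CGI parameter that the
# visitor (or an attacker) controls.
my $untrusted = q{<script>alert("xss")</script>};

# 1. Per-variable escaping: ESCAPE=HTML has to be written on every TMPL_VAR.
#    The second line deliberately omits it to show what a forgotten variable
#    looks like in the output: the markup is emitted unchanged.
my $tmpl_per_var = <<'TMPL';
<p>Name: <TMPL_VAR NAME="name" ESCAPE=HTML></p>
<p>Forgotten: <TMPL_VAR NAME="name"></p>
TMPL

my $t1 = HTML::Template->new(scalarref => \$tmpl_per_var);
$t1->param(name => $untrusted);
print "--- per-variable ESCAPE=HTML ---\n", $t1->output;

# 2. default_escape: every TMPL_VAR is HTML-escaped unless it opts out
#    with ESCAPE=0, so a forgotten attribute is safe by default and the
#    exception (trusted, server-generated markup) is the visible one.
my $tmpl_default = <<'TMPL';
<p>Name: <TMPL_VAR NAME="name"></p>
<p>Trusted markup: <TMPL_VAR NAME="markup" ESCAPE=0></p>
TMPL

my $t2 = HTML::Template->new(
    scalarref      => \$tmpl_default,
    default_escape => 'HTML',
);
$t2->param(
    name   => $untrusted,
    markup => '<em>server-generated</em>',   # constructed trusted value
);
print "--- default_escape => 'HTML' ---\n", $t2->output;
```

Run it with any installed HTML::Template; in the first block the "Forgotten" line reproduces the script tag verbatim, while in the second block the name is escaped without any per-variable annotation and only the explicitly opted-out variable passes through raw.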
Re^2: Need help figure out CSRF vulnerability on this cgi code
by Anonymous Monk on Mar 31, 2012 at 20:38 UTC

    Wherever you take in input from the internet, and output it directly as HTML, you have a CSRF.

    you also have XSS or Cross-site scripting

Re^2: Need help figure out CSRF vulnerability on this cgi code
by Anonymous Monk on Apr 01, 2012 at 02:35 UTC
    Thank you all.... I have one other security issue I need your help on...posting as a new thread