
Is MeFi protected against cross-site request forgery? October 22, 2006 3:12 AM

Is MeFi protected against CSRF? I know the logout link isn't (should be a form button anyway) and could be triggered by displaying an image to a MeFi user, but if the forms are vulnerable things could get nasty (imagine someone posting a link that changes your prefs, or makes you create a post, etc.). Just askin'...
posted by malevolent to Bugs at 3:12 AM (97 comments total) 5 users marked this as a favorite

From RFC 2616:
In particular, the convention has been established that the GET and HEAD methods SHOULD NOT have the significance of taking an action other than retrieval. These methods ought to be considered "safe". This allows user agents to represent other methods, such as POST, PUT and DELETE, in a special way, so that the user is made aware of the fact that a possibly unsafe action is being requested.
The logout link fails this. Obviously this is a bigger problem than that though.
posted by grouse at 3:59 AM on October 22, 2006 [1 favorite]


No, it's not. Favoriting, flagging, etc. are all done through GET and are thus readily vulnerable. example.
posted by Rhomboid at 6:48 AM on October 22, 2006


Excellent, Rhomboid. Of course there would be vulnerability even if POST were used, but GET makes it especially easy.

I would set up something to auto-flag the same post, but I suspect that would get me banninated :)
posted by grouse at 7:10 AM on October 22, 2006


Golf clap on that one, Rhomboid.
posted by Saucy Intruder at 7:18 AM on October 22, 2006


Of course there would be vulnerability even if POST were used

You can't put JavaScript into comments can you?!

alert("ARGHAGH?!?!");
posted by public at 7:23 AM on October 22, 2006


No, the pool would definitely be closed if that were possible. Allowing JS from untrusted users is a serious security risk. That is why the custom CSS for user profile pages was removed, IIRC.

However, the possibility of using Flash/Actionscript still remains. I don't know anything about that but if it allows for POSTing then the threat model could be to post a link to some flash video on a site you control, and have that flash player do the normal video-playing but also hit the desired nasty URL.
posted by Rhomboid at 7:26 AM on October 22, 2006


Shortly after 'thinking out loud' about MeFi and CSRF I wished I hadn't; although it's an old, fundamental problem, and every other web developer reading about the topic will think the same thing, my normal approach is to stay out of specific security issues. Sooner or later someone oversteps the mark (we're looking at you, Rhomboid) and things get ugly.
posted by malevolent at 7:51 AM on October 22, 2006


You say the img tag is a security risk, huh? Interesting...
posted by crunchland at 8:26 AM on October 22, 2006


Oh, so we're back to "don't talk about it, pretend it doesn't exist, hope that the badguys are stupid and uneducated" as security precaution now?

Filtering out the IMG tag would be one fix, yes. It would neither be the only way to fix it, nor would it be a complete fix. I refer you back to the thread where someone's archiving software fave'd all the comments, wherein I made the same warning about GET. That kind of thing would not be fixed by filtering IMG. But using POST for state-changing actions would fix everything, and would not result in bitching about the loss of IMG. Combine that with referer-sanity-checking (yes I realize this can be spoofed but it just makes it a little bit harder) for extra measure.
posted by Rhomboid at 8:33 AM on October 22, 2006


Oh, and the common complaint about using POST is that you have to suffer with the ugliness of a FORM-style button for every action, where currently we have things like [!] which are more appealing. But I am fairly sure this can be overcome with CSS styling of the button and/or JS that gracefully degrades, so that users without JS enabled get the button but normal users get the equivalent of <A href="#" onclick="javascript:document.some.form.id.submit()"> or whatnot.
posted by Rhomboid at 8:42 AM on October 22, 2006


But using POST for state-changing actions would fix everything

Well, not really - remember the 'cross-site' part? Anyone who would bother to go to this effort would not be foiled by referer-checking, methinks.
posted by MetaMonkey at 8:42 AM on October 22, 2006


This is going to be fun for Matt when he wakes up on a Sunday morning. Very nice of you.
posted by smackfu at 8:44 AM on October 22, 2006


But by that point you've mitigated it to the point where successfully pulling off the stunt requires orders of magnitude more effort than simply sticking an IMG tag in a comment.
posted by Rhomboid at 8:47 AM on October 22, 2006


Very nice of you.

So you would also be upset if someone flagged you down on the street to tell you that your car's rear tire was dangerously underinflated to the point of near failure? Pretending that everything's fine doesn't fix anything.
posted by Rhomboid at 8:52 AM on October 22, 2006


Discussing it in an open forum was probably the unwise move. If you'd emailed or IM'd Matt, you'd have gotten the same results without aggrandizing the exploit.
posted by crunchland at 8:58 AM on October 22, 2006


People keep saying flash is a problem here, but how can you embed flash in a comment when embed and object tags are filtered out (as well as javascript)?
posted by mathowie (staff) at 9:01 AM on October 22, 2006


Again, you're back to the stance of "let's hope the potential attacker is an ignoramus", which I just don't see being a very solid position. And as you can see from the linked thread the issue was brought up nearly two months ago (if not earlier) with no sign of any remedial action being taken. So if mock had never made the FPP, malevolent this MeTa, and me my POC, then we'd probably still be in a state of collective ignorance.
posted by Rhomboid at 9:07 AM on October 22, 2006


Regarding Flash, I think it was brought up in the context of using it on an external third party site to both do the POST and forge the referer, but then the fact that music.mefi uses Flash really confused the issue. I agree that in terms of things local to mefi flash is not a vector.
posted by Rhomboid at 9:09 AM on October 22, 2006


Rhomboid, I think people saying "don't say anything in public!" are saying all this would have been better over email. I actually IMed with mock a bunch a month or two ago and fixed a whole bunch of things as a result.

If someone showed me the favorite thing, I would have been able to fix it in peace.
posted by mathowie (staff) at 9:13 AM on October 22, 2006


And as you can see from the linked thread the issue was brought up nearly two months ago (if not earlier) with no sign of any remedial action being taken.

What are you talking about exactly? I don't see anything referencing any two month old thread here. URL?
posted by mathowie (staff) at 9:14 AM on October 22, 2006


What Rhomboid did, and the following discussion, helped the lightbulb go on for me. If it aided other less technical people in understanding, too, perhaps there was some value.
However, my awareness of the issue doesn't lessen my vulnerability that much.
posted by kingfisher, his musclebound cat at 9:16 AM on October 22, 2006


I was referring to this comment. I realize that it did not come out and say "you could also do this by posting an IMG" so I guess I can't say that this very attack vector was specifically mentioned.
posted by Rhomboid at 9:21 AM on October 22, 2006


I was referring to this comment.

One comment talking about possibilities on a discussion I was skimming along with 250 other discussions that day. Before you say I am ignoring problems and not taking "any remedial action", consider that a single email to my inbox would have done wonders towards fixing it.
posted by mathowie (staff) at 9:26 AM on October 22, 2006


By the way, I turned off img tags, while I work on this.
posted by mathowie (staff) at 9:32 AM on October 22, 2006 [1 favorite]


Someone call the DHS.
posted by cellphone at 9:34 AM on October 22, 2006


Matt, I wasn't trying to cast blame on you for not doing something earlier, I was just trying to make the point that I think we are better off with "problem publicly exposed and now steps in place to work around it" rather than "everybody remain quiet and hope nobody figures it out on their own and uses it for evil." I realize that "private email to admin mentioning the problem" would have been better than either of those two, but we all make mistakes.

FWIW I went through this exact same scenario on another forum about 6 months ago, but in that case it went much worse.
posted by Rhomboid at 9:41 AM on October 22, 2006


I turned off img tags, while I work on this.

I feel a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened.
posted by jessamyn (staff) at 9:41 AM on October 22, 2006 [9 favorites]


I feel a great disturbance in the Force, as if millions of voices suddenly cried out in terror and were suddenly silenced. I fear something terrible has happened.

I HAD CAT PICTURES FOR CAPS LOCK DAY!!!
posted by pyramid termite at 9:43 AM on October 22, 2006


I guess it's no longer caturday.
posted by Rhomboid at 9:45 AM on October 22, 2006 [1 favorite]


!!!
posted by loquacious at 9:45 AM on October 22, 2006


I may cry out in terror, but I will not be silenced!
posted by The Great Big Mulp at 9:50 AM on October 22, 2006


I'll live. I'm hanging in there. I think. *lights 15th cig*
posted by loquacious at 9:52 AM on October 22, 2006


Kidding. No pressure. And I'm on an image hiatus anyway.
posted by loquacious at 9:55 AM on October 22, 2006


I can't live without ceiling cat.
posted by languagehat at 10:04 AM on October 22, 2006


Dude if you keep doing that you'll go blind.
posted by loquacious at 10:05 AM on October 22, 2006


Rhomboid's demonstration helped me grok the issue. I wasn't awake enough to grasp how scary CSRF was and mentally dismissed it, until I saw his comment. Thanks.
posted by rajbot at 10:16 AM on October 22, 2006


Oh, and the common complaint about using POST is that you have to suffer with the ugliness of a FORM-style button for every action, where currently we have things like [!] which are more appealing. But I am fairly sure this can be overcome with CSS styling of the button and/or JS that gracefully degrades, so that users without JS enabled get the button but normal users get the equivalent of <A href="#" onclick="javascript:document.some.form.id.submit()"> or whatnot.

You can't do much with styling unless you ignore some major browsers, but you can do this with Javascript easily enough. (<a method="POST" ... > would help but, as I mentioned in the last thread, it doesn't look like we'll be getting it.)

One thing which hasn't been mentioned is that the POST method needs to be enforced on the server side. Many web frameworks don't distinguish at the business logic level between parameters passed via GET and POST; I don't know if ColdFusion is one of these, but if so, changing the favorite links to POST submits won't help if it's still possible to send a GET with a manually-constructed query string and have the same effect.
posted by IshmaelGraves at 10:18 AM on October 22, 2006
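The two server-side points made above (Rhomboid's "POST for state-changing actions plus referer sanity-checking" and IshmaelGraves's warning that the POST requirement has to be enforced on the server, not just in the links) as an added example in Python. This is not MetaFilter's ColdFusion code; the `Request` class, the `handle_favorite` handler and the host name are assumptions constructed for the example.

```python
"""Added example (not MetaFilter's code): a minimal request-handling model in
which a state-changing action (favoriting) is refused unless the method is POST
and the parameters come from the POST body, never from the query string, and in
which a Referer header, when present, must name our own host."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple
from urllib.parse import urlsplit

OUR_HOST = "metafilter.example"  # constructed host name for the example


@dataclass
class Request:
    method: str
    path: str
    query: Dict[str, str] = field(default_factory=dict)   # parsed from the URL
    form: Dict[str, str] = field(default_factory=dict)    # parsed from the POST body
    headers: Dict[str, str] = field(default_factory=dict)
    user: Optional[str] = None                            # identified from the session cookie


favorites: Set[Tuple[str, str]] = set()


def referer_is_sane(req: Request) -> bool:
    """Reject a request whose Referer names another host.

    A missing Referer is tolerated because proxies and privacy settings strip
    it; as Rhomboid says, this is a secondary measure, not the main defence.
    """
    ref = req.headers.get("Referer")
    if ref is None:
        return True
    return urlsplit(ref).hostname == OUR_HOST


def handle_favorite(req: Request) -> Tuple[int, str]:
    """Add (user, link_id) to favorites; returns an HTTP-style (status, message)."""
    if req.user is None:
        return 403, "login required"
    if req.method != "POST":
        return 405, "favoriting requires POST"
    if not referer_is_sane(req):
        return 403, "cross-site referer"
    # Read link_id from the POST body only. A framework that merges query-string
    # and body parameters would let GET /favorite?link_id=1 through if the
    # handler used the merged view here.
    link_id = req.form.get("link_id")
    if link_id is None:
        return 400, "link_id missing from POST body"
    favorites.add((req.user, link_id))
    return 200, "favorited"
```

A plain `<img>` or a link can only produce a GET with its parameters in the query string, so both the method check and the body-only parameter read have to hold for the handler to be safe; the referer check then raises the cost of a forged POST from a page the attacker controls.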


Ishmael, I'm rewriting all the GETs to POSTs right now. I'm almost done with the basic coding. And no, sending a GET to the same URL will not perform POST actions.
posted by mathowie (staff) at 10:25 AM on October 22, 2006


Also, Rhomboid, that was a simple yet brilliant hack to get the favorites. Sorry I was crabby earlier, this kind of thing tends to be like someone peeing in your cornflakes on a Sunday morning.
posted by mathowie (staff) at 10:38 AM on October 22, 2006


RHOMBOID RUINT CPAS LKOC AYD
posted by quonsar at 10:39 AM on October 22, 2006


Actually, it was all a gambit by the anti-<IMG> cabal. The fact that I was a vocal supporter of <IMG> in an earlier thread was all part of this stratagem.
posted by Rhomboid at 10:42 AM on October 22, 2006


Nah just kidding, I love me some ceilingcat like something fierce.
posted by Rhomboid at 10:43 AM on October 22, 2006


mathowie did a good job of beefing up the filters to catch more XSS attacks a couple of months ago, but I think images should stay off.

Opera and IE are incredibly permissive in terms of what they will execute inside img tags, which makes it very hard to figure out what you need to look out for.
posted by Olli at 11:11 AM on October 22, 2006


MetaTalk: this kind of thing tends to be like someone peeing in your cornflakes on a Sunday morning.
posted by loquacious at 11:19 AM on October 22, 2006


All favorites and flags are now POSTs instead of GETs. I just need to convert the remove favorites GET to a POST and then this is mostly done. I should add a nonce to the POST forms, to seal the deal.
posted by mathowie (staff) at 11:19 AM on October 22, 2006


I'm still not sure I understand how this exploit works. Can someone post a diagram?
posted by goodnewsfortheinsane at 11:38 AM on October 22, 2006


favorite removal is a POST now as well. I'm pretty much done with the basics now that img tags are off and there are no more GETs for favorites and flagging. I'll continue to work on this stuff all week. Anyone that finds a new exploit is welcome to email me and I'll do my best to squash them.
posted by mathowie (staff) at 11:48 AM on October 22, 2006


Seriously though, shouldn't the img tag ban be noted on the sidebar and/or posting pages? Not everyone's reading this thread, so it might help the confused and perhaps avoid MeTa threads asking about it.
posted by goodnewsfortheinsane at 12:07 PM on October 22, 2006


You could possibly allow IMG tags again by making sure the URL ends with a known image extension (.png, .gif, .jpg, .jpeg) and that the URL doesn't contain any question marks.
posted by kindall at 12:08 PM on October 22, 2006 [2 favorites]


I'll add notes to posting pages and the sidebar, yes.
posted by mathowie (staff) at 12:08 PM on October 22, 2006


People keep saying flash is a problem here, but how can you embed flash in a comment when embed and object tags are filtered out (as well as javascript)?

I hope you won't mind if I try an experiment on that? (Using an innocuous Flash file that does nothing except display some text?)

Straight "embed" attempt (presumably will fail):



embed with hex-obfuscated keyword:

< %#0065;%#006d;%#0062;%#0065;%#0064; src="http://denbeste.nu/external/flashstub.swf" application/x-shockwave-flash width="250" height="100">
posted by Steven C. Den Beste at 12:22 PM on October 22, 2006


Good job!
posted by Steven C. Den Beste at 12:22 PM on October 22, 2006


Man. Not with a bang but a whimper—Capone went the same way. Don't worry, <img>; we won't forget you while you're in the joint.
posted by cortex at 12:22 PM on October 22, 2006


Don't worry, <img>; we won't forget you while you're in the joint.

Just pre-emptively: I am *not* going to write a song this time. :)
posted by goodnewsfortheinsane at 12:28 PM on October 22, 2006 [1 favorite]


Poor <img> and mathowie...it seems they both got their cornflakes peed in.
posted by taosbat at 12:35 PM on October 22, 2006


mathowie, did you take care of the cross-site aspect? I'd email you, but it seems easier to ask once and for all here. If not, you probably want to talk to mock, or someone else who knows what they're doing to sort it.
posted by MetaMonkey at 12:44 PM on October 22, 2006


I fail to understand the danger here. Somebody could insert a fake image tag that would call a script to do what exactly? Apart from flag things as favorites etc? Are there worse potential consequences than minor annoyance?
posted by nowonmai at 12:44 PM on October 22, 2006


nowonmai: Someone could put some JavaScript on another site that'd make you post something to MeFi without realising it. To be super-evil, they could even make it contain dozens of double-posted links to YouTube, right-wing blogs and PDFs. Imagine the horror.
posted by malevolent at 1:06 PM on October 22, 2006


nowonmai, the danger is that if you're logged in to another site (say, your bank) while you're reading MeTa and authentication is maintained using cookies, then the fake image tag could execute a script on the bank's site (e.g. transfer.php?recipient=greatgefilte&amount=$1000000), and since your browser is the one making the request, it would be considered authenticated and processed. Does that help?
posted by greatgefilte at 1:06 PM on October 22, 2006


Of course, malevolent's example is far more realistic, but if a malicious haxor knew that you had an account at such-and-such bank, it would theoretically be possible.

Couldn't this all be prevented by having the webserver test the IMG to see if the resulting data is binary, or check the image header, or something like that?
posted by greatgefilte at 1:08 PM on October 22, 2006


Bah, strike that, my solution isn't very practical. I guess the easiest way to avoid real (i.e. money-losing) security risks is to keep only one browser window open when getting cookies from the bank, and then make sure to logout.
posted by greatgefilte at 1:18 PM on October 22, 2006


No, having the webserver test the IMG link is obviously equivalent to having the webserver perform the GET request. Also, allowing images with specific file types will not work either, as I can just set a 302 redirect on the image name and use that to attack the server. I honestly can't think of any way that IMG tags can be safe. Even if they can't be made to do an evil GET request here, you can use them to take down people's mailservers, ssh servers, and dns. Plus given some assumption about the average home user's network equipment and default passwords, you could cause a lot of havoc...
posted by mock at 1:34 PM on October 22, 2006 [1 favorite]


Steven C. Den Beste: If you want to test these things it's probably better to use the description field in your profile.

greatgefilte: I don't think the bank thing is really our problem. It's up to the bank to make sure that third party sites can't mess with their customers when they are logged in. That's why you restrict your cookies to your own domains, etc.

As malevolent says, the problem is more about what users can do on Metafilter using XSS. The worst case there would probably be stealing other users logins.
posted by Olli at 1:36 PM on October 22, 2006


mock, but if the webserver performs the GET, at least it won't be processed due to lack of authentication. But as you say, still a potential source of DoS attacks...
posted by greatgefilte at 1:37 PM on October 22, 2006


6 YEARS OF IMG TAGS AND NOTHING BAD HAPPENED. ONE DAY SOME CLOWN AUTOMATICALLY FAVORITES HIS OWN COMMENT AND MATHOWIE ACTS LIKE GEORGE BUSH AFTER BUILDINGS FALL IN MANHATTAN. MEANWHILE THE REST OF THE FORUM WORLD GOES ON ENJOYING THEIR IMG TAGS WITHOUT SUCCUMBING TO TREMBLING FEAR AND CURTAILMENT OF FREEDOMS.
posted by quonsar at 2:11 PM on October 22, 2006 [5 favorites]


I'M IN UR MEFI FORUM DRAINING YER BANK ACCOUNTS
posted by quonsar at 2:12 PM on October 22, 2006


I told you so.
posted by cytherea at 2:25 PM on October 22, 2006


eat a bag of dick, quonsar.
posted by mathowie (staff) at 2:27 PM on October 22, 2006 [15 favorites]


THAT WOULD BE "BUCKET OF COCKS" MATHOWIE
posted by quonsar at 2:33 PM on October 22, 2006 [5 favorites]


eat a bag of dick, quonsar.

WHILE MATHOWIE MAKES A COMPELLING ARGUMENT, THIS IS STILL CLEARLY A CONSPIRACY TO DEFRAY CAPSLOCK DAY OF ITS STATUTORY POWERS.

NOTE THAT THE ACRONYM "CSRF" IS CLEARLY CAPITALIZED. CLEARLY, COULD THIS MEAN ANYTHING ELSE? CLEARLY IT COUILD NOT!!!1
posted by poweredbybeard at 2:38 PM on October 22, 2006


A BAG OF DICK AND A BUCKET OF COCK STROLLING PARK IN DRAG
PACK TROUSER FISH AND SHOUTING SMOCK! NO CAPSLOCK IMG TAG!
posted by quonsar at 2:47 PM on October 22, 2006


A BAG OF DICK AND A BUCKET OF COCK STROLLING PARK IN DRAG
PACK TROUSER FISH AND SHOUTING SMOCK! NO CAPSLOCK IMG TAG!


cortex must must must turn that line into a song.
posted by ThePinkSuperhero at 3:02 PM on October 22, 2006 [1 favorite]


Hmm...

Matt, with regards to the new javascript form submission for adding a post to favorites, are you sure you want to have both link_id and author_id fields in addition to the user field? I don't think you should trust the client to not provide an incorrect author_id field, you should be looking it up yourself in the DB using the link_id. Although I doubt it would cause much trouble if someone submitted a manually constructed POST to the server with an author_id that did not correctly correspond to a link_id, it's still probably best not to trust the client in this fashion.
posted by RichardP at 3:15 PM on October 22, 2006 [1 favorite]
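RichardP's point, that the favorite handler should take only `link_id` from the client and resolve the post's author itself rather than trusting a client-supplied `author_id`, as an added example in Python. This is not MetaFilter's code; `POSTS` is a constructed dict standing in for the posts table, and `record_favorite` and `parse_link_id` are names chosen for the example.

```python
"""Added example (not MetaFilter's code): resolve the author of a post on the
server from link_id instead of accepting author_id from the submitted form."""
from typing import Dict, Optional, Tuple

# Constructed sample data: link_id -> author username (stands in for the DB).
POSTS: Dict[int, str] = {1001: "mathowie", 1002: "jessamyn"}


def parse_link_id(raw: Optional[str]) -> Optional[int]:
    """Accept only a positive decimal integer; anything else counts as absent."""
    if raw is None or not raw.isdigit():
        return None
    value = int(raw)
    return value if value > 0 else None


def record_favorite(user: str, form: Dict[str, str]) -> Tuple[int, str, Optional[str]]:
    """Return (status, message, author).

    Only link_id is read from the form. Any author_id the client sends is
    ignored; the author comes from our own records, so a hand-built POST cannot
    attribute the favorite to the wrong person.
    """
    link_id = parse_link_id(form.get("link_id"))
    if link_id is None:
        return 400, "link_id must be a positive integer", None
    author = POSTS.get(link_id)
    if author is None:
        return 404, "no such post", None
    return 200, f"{user} favorited post {link_id} by {author}", author
```

The cost is one extra lookup per favorite, which is also the lookup that tells you whether the post exists at all.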


Yeah, I could do a lookup there.
posted by mathowie (staff) at 3:20 PM on October 22, 2006


Apparently it does still work for posting. No idea why the <image> tag would do anything, it's not a standard HTML tag as far as I know.
posted by matthewr at 3:44 PM on October 22, 2006


image tag removed now.
posted by mathowie (staff) at 4:05 PM on October 22, 2006 [1 favorite]


<input type="image" src="/favicon.ico"> seem to work in the live preview window but not with the Preview button.


posted by crysflame at 4:17 PM on October 22, 2006


Just so we've got this straight:
  1. If I'm logged into MeFi and my bank at the same time
  2. and the attacker knows which online bank I use
  3. and my banking website has URLs which are easily constructed and use no other authentication than cookies
  4. and the attacker knows how to construct a single magical URL which would transfer money out of my bank and into theirs
Then I'm in trouble?

Personally, I won't lose much sleep then.

I mean, seriously. Point one might happen. Point two is incredibly unlikely. Point three would mean that my bank is ludicrously, laughably insecure anyway so I should take my own damn money out.
posted by AmbroseChapel at 4:36 PM on October 22, 2006


The attacker doesn't need to know which service you use, but instead can try all the ones for which an attack is known.
posted by grouse at 4:49 PM on October 22, 2006


They don't need to know which bank you use, they just need to choose a bank which some readers use and they are guaranteed a few successes.

On preview, what grouse said.
posted by elephantday at 4:51 PM on October 22, 2006


I'd note that <img> tags aren't the only problem, anchor tags (i.e. <a href="...">) can also be exploited. Due to the very nature of front page posts, a great many people click on the post's anchor tag. It would be easy to post a URL that appears innocuous that actually attempts an exploit via a redirect. It might be nearly as effective as an <img> tag in a thread. Even someone without access to a server could try this. For example, clicking on this "Google" link will unexpectedly log you out of MetaFilter. I think Matt should just worry about protecting MetaFilter itself from these sorts of attacks (since a viewer of a page at MetaFilter is highly likely to be logged into MetaFilter). Ultimately I don't think it will be possible to eliminate the ability of an unscrupulous member to use MetaFilter as an attack vector on third-party sites if you give users the ability to include their own <a> or <img> tags.
posted by RichardP at 5:36 PM on October 22, 2006


This settles it. We need to stop using this internet thing for Metafilter. It's too prone to malicious bullshit. OK, now who's going to print the weekly newsletter?
posted by I Am Not a Lobster at 5:53 PM on October 22, 2006 [1 favorite]


.
posted by If I Had An Anus at 6:24 PM on October 22, 2006


Well there is the issue of malicious links.
posted by mock at 6:25 PM on October 22, 2006 [1 favorite]


You could possibly allow IMG tags again by making sure the URL ends with a known image extension (.png, .gif, .jpg, .jpeg) and that the URL doesn't contain any question marks.

That would be completely useless in terms of security. All the attacker would have to do would be to point to an URL on a server he controls, and have that URL redirect to the target URL. So "http://badsite.example.com/foo/bunny.jpg" redirects to "http://targetsite.example.com/bar/deletepost.php?option1=harder&option2=deeper". There is no way to tell just from looking at the URL whether it is an image or not. And this redirection could even discriminate based on IP/browser/OS, so that it would not be detectable by the site admins, for example.

<input type="image" src="/favicon.ico"> seem to work in the live preview window but not with the Preview button.

The live preview does zero filtering of tags, so it's useless to determine what kind of things are filtered server-side.

I'd note that <img> tags aren't the only problem, anchor tags (i.e. <a href="...">) can also be exploited.

I think that's taking the issue to absurdity. It's like warning that someone could craft a FPP with a link to goatse. Sure, they certainly could, and people would click on it. They could even try to hide it with a redirection service like tinyurl.com. But people would instantly notice it after clicking the link, and contact the admins and flag the post, and that would be the end of the story. That's just a fundamental fact of any website that accepts links from users.
posted by Rhomboid at 8:06 PM on October 22, 2006 [1 favorite]


The big ruckus here is that an <img> tag that leads to an URL that some malfeasant wants gotten is pretty much undetectable to the end user, and scales terrifically.
posted by blasdelf at 9:07 PM on October 22, 2006 [1 favorite]


But people would instantly notice it after clicking the link, and contact the admins and flag the post, and that would be the end of the story.

While true for the simple example I gave, it's not true in general. If the action I want to exploit can be done with a GET and I control the server that is the target of the link then it is trivial to hide the action (perhaps a hidden iframe) and then bounce onward to the innocuous site that is the subject of the post. One thing I would agree with: this certainly isn't as simple or as elegant as the <img> exploit. In any case, I think Matt should concentrate on protecting MetaFilter from these kinds of exploits and let third-party websites look to their own security.
posted by RichardP at 3:34 AM on October 23, 2006


RichardP: I asked a similar question in the main thread, and at the moment, I don't think it's possible to protect a site against attacks from third-party sites, without making that site unusable (e.g. re-login or captcha before every post).

As an example, I could post a thread with 'Free P0rn' links (at 3am), but in one of the linked sites, I could have put a script that posts a comment like 'me likey porn' back to the thread, so that each user that clicks on the link would spam the thread. It would be taken down (and I would be probably banned) but it is a proof of concept.

Rusty's FormKeys idea would be easily circumvented with some more advanced JS...

I am interested because I have written a dynamic web server for a PVR app, and I would prefer it if it was not susceptible to these sort of attacks!
posted by nielm at 7:58 AM on October 24, 2006


nielm, how about checking the IP of whoever requests and then submits a form? I guess this would work as long as the user had a fixed IP (or even IP range), which would then turn up as different to the IP requesting the formkey.
posted by MetaMonkey at 8:17 AM on October 24, 2006


um, no: the point of JS is that it runs in the scope of the browser: therefore the formkey is requested by the same IP that posts the form response; even any cookies set by the formkey request will be passed in the form response.
Almost everything that a user can do in a browser can be done with JS (excluding captchas).
posted by nielm at 9:37 AM on October 24, 2006
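The per-form nonce mathowie mentions adding "to seal the deal", and the form key / FormKeys idea nielm and MetaMonkey discuss just above, are the same mechanism: a synchronizer token bound to the user's session. Below is an added example in Python, not MetaFilter's code; the session is a plain dict and `issue_token`, `render_form`, `token_is_valid` and `handle_favorite_post` are names chosen for the example. The reason the token holds up cross-site is that a page on another origin cannot read our form out of the user's browser (same-origin policy), so a forged POST arrives without the token, and a token from some other session does not match.

```python
"""Added example (not MetaFilter's code): a session-bound synchronizer token
("nonce", "form key"). The server embeds the token in the forms it renders for
the logged-in user and accepts a state-changing POST only when the submitted
token matches the one stored for that same session."""
import hmac
import secrets
from typing import Dict, Optional, Tuple

TOKEN_KEY = "csrf_token"


def issue_token(session: Dict[str, str]) -> str:
    """Create the session's token on first use, then reuse it for later forms."""
    token = session.get(TOKEN_KEY)
    if token is None:
        token = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        session[TOKEN_KEY] = token
    return token


def render_form(session: Dict[str, str], link_id: str) -> str:
    """Favorite form as served to this user; the token travels as a hidden field."""
    token = issue_token(session)
    return (
        '<form method="POST" action="/favorite">'
        f'<input type="hidden" name="{TOKEN_KEY}" value="{token}">'
        f'<input type="hidden" name="link_id" value="{link_id}">'
        '<button type="submit">[+]</button></form>'
    )


def token_is_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Constant-time comparison against the token stored for *this* session."""
    expected = session.get(TOKEN_KEY)
    if expected is None or submitted is None:
        return False
    return hmac.compare_digest(expected, submitted)


def handle_favorite_post(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """Server side of the POST: refuse unless the session's token was submitted."""
    if not token_is_valid(session, form.get(TOKEN_KEY)):
        return 403, "missing or wrong CSRF token"
    link_id = form.get("link_id")
    if link_id is None:
        return 400, "link_id required"
    return 200, f"favorited {link_id}"
```

The token is kept for the life of the session here; rotating it on every request is stricter but breaks the back button and open tabs, which is the usability trade-off the thread is worried about. Checking the submitter's IP, as MetaMonkey suggested, adds nothing, because a forged request and a legitimate one both come from the victim's browser.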


Right you are, nielm, that was a silly mistake.
posted by MetaMonkey at 10:16 AM on October 24, 2006


Will someone please link me to an img to ASCII converter?
posted by Eideteker at 10:55 AM on October 24, 2006


im in ur metafilter, ceiling ur cats

CCCCCCCCCCCCCCCCCCCCCCCOCOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOCOOCCCCOCCC
CCCCCCCCCCCCCCCCCCCCCCCCCOCCCOCOCOCOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOCOOOCCOCCCCCCCCCCCCC
CCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCOCOCOOCOCOOCOCOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOCOCOCCOCCCCCCCCCCCCCCCCCCC
oCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCOCCOCCOOOCOCOOOCOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOOCOOOOCOCOOCOOCCOCCCCCCCCCCCCCCCCCCCCCCCCCCCC
ooCoCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCOCCCCCCOCCCCCCCOOOOOCOCCCCCCOCOCOCCCCCCCOCOCOCOCOOCCCCCCOCOCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
oooCoCCCCCCCCCCCCooCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCOCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
oooooCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
oooooCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCOCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC
ooooooooooCooCoCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCo . . o :ccOOCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCoCo
ooooooooooCooooCoCoCoCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCo ccccccc:::.:. ccCcccoOOCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCoCooooo
oooooooooooooooooooooCoCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCC .:ccccccc:ccc::ccccc::ccc:::. .:coCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCoCoooooooooooo


Never mind. I found one. But I won't link you to it, because links can be used to defraud you of your moneys! Coming up next, a post calling for an end to the A HREF tag on MetaFilter.
posted by Eideteker at 11:26 AM on October 24, 2006



posted by Eideteker at 1:17 PM on October 24, 2006


Eideteker, please do not make a habit out of giant ASCII art.
posted by jessamyn (staff) at 6:23 PM on October 24, 2006 [1 favorite]


The Drupal team recently had to deal with something along these lines -- the solution was twofold. First, have destructive actions triggered by a link go through a confirmation form. Second, forms get an automatically-generated hashkey in a hidden field. If the hashkey doesn't match a couple of other cross-referenced keys, the form doesn't get processed. It's transparent to end users but prevents a stolen cookie and a hacked POST from doing anything really nasty. Hopefully, at least.

It's an arms race, I guess.
posted by verb at 8:01 PM on October 24, 2006 [1 favorite]
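The hidden-field hash key verb describes, as an added Python example that is not MetaFilter's or Drupal's code: the token is an HMAC over the session id and the form id, and the `handle_flag` handler, the request dict shape and the server secret are assumptions made for the example.

```python
import hmac
import hashlib
from typing import Optional

# Server-side secret, constructed for this example (a real deployment keeps it out of source).
SERVER_SECRET = b"example-server-secret-not-for-real-use"

def form_token(session_id: str, form_id: str, secret: bytes = SERVER_SECRET) -> str:
    """Hidden-field value for one form, bound to the caller's session.

    Cross-referencing the session id and the form id means a token lifted
    from one form (or belonging to one user) is useless for another.
    """
    msg = f"{session_id}:{form_id}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def token_valid(session_id: str, form_id: str, submitted: Optional[str],
                secret: bytes = SERVER_SECRET) -> bool:
    if not submitted:
        return False
    expected = form_token(session_id, form_id, secret)
    # Constant-time comparison so response timing does not leak the expected value.
    return hmac.compare_digest(expected, submitted)

def handle_flag(request: dict) -> tuple:
    """Process a 'flag this comment' request.

    request is a constructed dict: {"method", "session_id", "form": {...}}.
    session_id stands in for what the server derives from the cookie the
    browser attaches automatically; that cookie is exactly what a cross-site
    request rides on, so by itself it proves nothing about who built the form.
    """
    # Unsafe actions over GET (the thread's complaint) are refused outright.
    if request["method"] != "POST":
        return 405, "use the form, not a link"
    form = request.get("form", {})
    if not token_valid(request["session_id"], "flag", form.get("token")):
        return 403, "bad or missing form token"
    return 200, f"flagged comment {form.get('comment_id')}"

def demo() -> tuple:
    """Status codes for a legit submission, a GET-link forgery, and a POST lacking the token."""
    sid = "sess-victim-0001"  # constructed session id
    legit = {"method": "POST", "session_id": sid,
             "form": {"comment_id": "12345", "token": form_token(sid, "flag")}}
    get_link = {"method": "GET", "session_id": sid, "form": {"comment_id": "12345"}}
    forged_post = {"method": "POST", "session_id": sid,
                   "form": {"comment_id": "12345", "token": "guess"}}
    return (handle_flag(legit)[0], handle_flag(get_link)[0], handle_flag(forged_post)[0])
```

The forged submissions fail because a page on another origin cannot read the victim's form to copy the token, even though the browser still sends the victim's cookie with the request.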


STFU!
posted by homunculus at 11:39 PM on November 20, 2006

