Decius wrote: noteworthy wrote: http://www.memestreams.net/memebox?mode=showmeme&oid=422632 That isn't really a secret, but it's not a URL you'd serve up to just anybody. (The message doesn't display if it's not yours.)
No, it doesn't, but other vulnerabilities could be employed to delete it from your memebox. You'd have to guess which user and entice them to click on a link. Unfortunately there is no fast and easy way to resolve that, but thanks for pointing it out...
As for the Deleting problem, this is simply XSRF rearing its head again, and actually you can fix it fairly easily: Always always always have a landing page! Right off the bat, I should never be able to visit a single URL and have the result of me visiting that URL be that a meme gets deleted.

1- This violates RFC 2616 about HTTP's "safe" methods GET and HEAD vs. a POST.
2- This is why Google's Web Accelerator fucked so many websites (mainly people who learned some Ruby on Rails and suddenly thought they are web developers).
3- This makes you way vulnerable to XSRF. I just point the target of a Hyperlink or an IMG+SRC, etc, at the "delete" URL and watch the fun.

Every "delete this meme" link should take you to a page that says "are you sure?" On that "are you sure" page, the server should place a random, time limited token in a hidden HTML field. The "yes, delete this" should be a button that causes a HTTP POST back to Memestreams with the oid of the meme and the random token. Only if the supplied token matches what the server pushed down should the meme be deleted.

I can think of two special cases where an "Are you sure" landing page isn't practical for deleting a meme on Memestreams:

1- Multiple select memes in the Memebox summary page to delete. The "delete" button already makes a POST, so you are safe there. Every time the summary page is generated, a random token in a hidden HTML field should be downloaded. If you really want to be paranoid you can store on the server in your Sessions collection what oid's can be deleted with a token for that user. That way a single token generated from a Memebox summary page cannot be used to delete memes that weren't shown on that summary page. Regardless, you can fix this.
2- When viewing a single meme. Again, same as before. Make "delete this meme" a button and style it to look nice. Send down a token whenever someone looks at an individual meme.
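The token scheme described in the post above, as an added example (not MemeStreams' own code): a random, time limited token is minted per page view, stored in the session together with the oids shown on that page, and a delete is accepted only via POST with an unexpired token that covers the requested oids. The `Session` class, `TOKEN_TTL_SECONDS` and the function names are assumptions.

```python
import html
import secrets
import time

TOKEN_TTL_SECONDS = 600  # assumed lifetime of a delete token


class Session:
    """Server-side session record: issued delete tokens and the oids each may delete."""

    def __init__(self):
        self.delete_tokens = {}  # token -> (expires_at, frozenset of oids)


def issue_delete_token(session, oids, now=None):
    """Mint a random, time-limited token bound to the oids shown on this page."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # 256 bits of randomness, unguessable
    session.delete_tokens[token] = (now + TOKEN_TTL_SECONDS, frozenset(oids))
    return token


def render_confirm_page(oid, token):
    """The 'are you sure?' landing page: a POST form carrying the oid and the hidden token."""
    return (
        '<form method="POST" action="/delete">'
        f'<input type="hidden" name="oid" value="{html.escape(oid)}">'
        f'<input type="hidden" name="token" value="{html.escape(token)}">'
        '<button type="submit">Yes, delete this meme</button></form>'
    )


def handle_delete(session, method, token, oids, now=None):
    """Validate a delete request; returns (accepted, reason). Tokens are single use."""
    if method != "POST":
        return False, "delete is only accepted via POST (GET/HEAD are safe methods)"
    now = time.time() if now is None else now
    entry = session.delete_tokens.get(token)
    if entry is None:
        return False, "unknown token"  # forged, or from another user's session
    expires_at, allowed = entry
    if now > expires_at:
        del session.delete_tokens[token]
        return False, "token expired"
    if not set(oids) <= allowed:
        return False, "token not valid for these oids"  # not shown on the issuing page
    del session.delete_tokens[token]  # consume it, so a replayed form does nothing
    return True, "deleted " + ", ".join(sorted(oids))
```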