SSEQ-LIB Security Update 0.6.3 and 0.6.3.1

I am so sorry!

While redesigning the CSRF-tokens check routines I made a mistake in SSEQ-LIB version 0.6.2. I checked the name of the token but I forgot to check its value. This means that knowing the name of a token is enough to pass the CSRF protection. Fortunately there are still other protection mechanisms like absolute lifetime of a token or its binding to the users-agent which keep the shields up for a while.

Anyway in the new version 0.6.3 (and 0.6.3.1) the bug is fixed. Besides, the difference between 0.6.3 and 0.6.3.1 is minor and located only in the config file.

Credit for finding the bug goes to Andreas Mauf.

Das könnte Dich auch interessieren …

Schreibe einen Kommentar

Deine E-Mail-Adresse wird nicht veröffentlicht. Erforderliche Felder sind mit * markiert.

Diese Website verwendet Akismet, um Spam zu reduzieren. Erfahre mehr darüber, wie deine Kommentardaten verarbeitet werden.