SSEQ-LIB Security Update 0.6.3 and

I am so sorry!

While redesigning the CSRF-tokens check routines I made a mistake in SSEQ-LIB version 0.6.2. I checked the name of the token but I forgot to check its value. This means that knowing the name of a token is enough to pass the CSRF protection. Fortunately there are still other protection mechanisms like absolute lifetime of a token or its binding to the users-agent which keep the shields up for a while.

Anyway in the new version 0.6.3 (and the bug is fixed. Besides, the difference between 0.6.3 and is minor and located only in the config file.

Credit for finding the bug goes to Andreas Mauf.

Das könnte dich auch interessieren …