CSRF Protection

Get help with installation and running phpBB 3.2.x here. Please do not post bug reports, feature requests, or extension related questions here.
juliolopez78
Registered User
Posts: 14
Joined: Wed Jan 17, 2018 4:26 pm

CSRF Protection

Post by juliolopez78 » Wed Jan 17, 2018 4:33 pm

Just wondering if phpBB comes with CSRF Protection enabled by default or does it need to be enabled through config or template-specific programming?

I'm new to phpBB, but not to PHP ;)

JimA
Community Team Leader
Posts: 7662
Joined: Thu Jul 31, 2008 5:54 am
Location: The Netherlands
Name: Jim Mossing Holsteyn

Re: CSRF Protection

Post by JimA » Wed Jan 17, 2018 4:54 pm

Hi, welcome to the phpBB community!

Yes, we do protect against CSRF. It doesn't need to be enabled manually; that would be very bad security practice. To see what exactly the phpBB code base does against CSRF, you might want to read this blog post. It's a bit older, but the basics are still the same. :)
Jim Mossing Holsteyn - Community Team Leader
Knowledge Base | Documentation | Board rules

If you're having any questions about the rules/customs of this website, feel free to drop me a PM.

juliolopez78
Registered User
Posts: 14
Joined: Wed Jan 17, 2018 4:26 pm

Re: CSRF Protection

Post by juliolopez78 » Wed Jan 17, 2018 4:59 pm

Thanks for the quick reply, Jim. I'll check out that post.

lbowner
Registered User
Posts: 2
Joined: Thu Sep 19, 2019 9:45 am

Re: CSRF Protection

Post by lbowner » Thu Sep 19, 2019 9:49 am

Hello,

Although this post is old, it still leaves me confused.

I am running 3.2.7 and I can't find a csrf token in the source code of the board overview page (esp. the search form).
Thus, my penetration test throws endless (250+) errors with CSRF Warnings.

In addition a blind NoSQL vulnerability was found in search.php.

Am I missing something here?
Kind regards,
Mario

Noxwizard
Support Team Leader
Posts: 10347
Joined: Mon Jun 27, 2005 8:41 pm
Location: Texas, USA
Name: Patrick Webster

Re: CSRF Protection

Post by Noxwizard » Fri Sep 20, 2019 3:32 am

Not every form has a CSRF token associated with it. The search form is one that doesn't. Forms that result in an action that represents a specific user are protected with a CSRF token. Things like login, posting, private messages, all ACP actions, etc. are protected. In the HTML source, you will see something like this:

Code:

<input type="hidden" name="form_token" value="abcdefghijklmnopqrstuvwxyz1234567890" />
In the phpBB template code, this can look like:

Code:

{S_FORM_TOKEN}
If you feel that the search forms should have a CSRF token, you could put in a bug ticket for hardening them: https://tracker.phpbb.com/browse/PHPBB3

lbowner wrote (Thu Sep 19, 2019 9:49 am):
In addition a blind NoSQL vulnerability was found in search.php.
If you believe you have found a security issue, please report it to the Security tracker: https://tracker.phpbb.com/browse/SECURITY
If you're using an automated vulnerability scanner, be forewarned that they are notorious for reporting false positives.
[Support Template] - [Read Before Posting] - [phpBB Knowledge Base]
Do not contact me for private support, please share the question in our forums.
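A quick way to triage scanner output along the lines Noxwizard describes, as an added example that is not phpBB's own code: parse every form on a page, note whether it carries the hidden form_token input that phpBB emits through {S_FORM_TOKEN}, and only flag forms that actually change state (method POST) and lack the token. The search form, being a read-only GET form, is reported as fine, which is exactly why a scanner counting it as a "CSRF warning" is noise rather than a finding. The HTML below is constructed inline for the example (the example_action.php form is hypothetical, standing in for any state-changing form that forgot its token); it uses only Python's standard library.

```python
"""Triage CSRF-token scanner findings against the forms on a phpBB page.

Added example, not phpBB code. Rule applied here, following the thread:
only a state-changing (POST) form needs phpBB's hidden form_token; a
read-only GET form such as search is not expected to carry one.
"""
from html.parser import HTMLParser

# Constructed sample page: a real-looking search form, a login form with a
# token, and a hypothetical POST form without one (example_action.php is
# made up for this example and is not a phpBB script).
SAMPLE_HTML = """
<form action="./search.php" method="get" id="search">
  <input name="keywords" type="search" />
</form>
<form action="./ucp.php?mode=login" method="post" id="login">
  <input type="text" name="username" />
  <input type="password" name="password" />
  <input type="hidden" name="form_token" value="abcdefghijklmnopqrstuvwxyz1234567890" />
</form>
<form action="./example_action.php" method="post" id="unprotected">
  <input type="text" name="setting" />
</form>
"""


class FormCollector(HTMLParser):
    """Collects (action, method, form_token value) for each <form> on a page."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {
                "action": a.get("action", ""),
                # HTML defaults a form without method= to GET.
                "method": (a.get("method") or "get").lower(),
                "token": None,
            }
        elif tag == "input" and self._current is not None:
            # Only a hidden input named form_token counts as phpBB's CSRF token.
            if (a.get("type") or "").lower() == "hidden" and a.get("name") == "form_token":
                self._current["token"] = a.get("value", "")

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def audit_forms(html):
    """Return a list of (action, method, verdict) tuples, one per form.

    Verdicts: 'ok-readonly' (GET, no token expected), 'ok-token' (POST with
    a non-empty form_token), 'MISSING' (POST without a token: look closer).
    """
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for form in parser.forms:
        if form["method"] != "post":
            verdict = "ok-readonly"
        elif form["token"]:
            verdict = "ok-token"
        else:
            verdict = "MISSING"
        findings.append((form["action"], form["method"], verdict))
    return findings


def flagged_actions(html):
    """Just the form actions that merit a manual look or a bug ticket."""
    return [action for action, _, verdict in audit_forms(html) if verdict == "MISSING"]


if __name__ == "__main__":
    for action, method, verdict in audit_forms(SAMPLE_HTML):
        print(f"{verdict:12} {method.upper():5} {action}")
```

Run it against a saved copy of the board's HTML instead of SAMPLE_HTML to turn a pile of scanner warnings into a short list of POST forms worth checking; anything that stays on that list is what Noxwizard suggests filing a hardening ticket for.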

lbowner
Registered User
Posts: 2
Joined: Thu Sep 19, 2019 9:45 am

Re: CSRF Protection

Post by lbowner » Sat Sep 21, 2019 2:54 pm

Thank you very much for this information!

Kind regards,
Mario
