[opencms-dev] OpenCms 10.5.4 and CSRF resolution?

Daniel Seidel d.seidel at alkacon.com
Thu Jun 27 14:05:52 CEST 2019


Hi Filip,

I think the release note is related to

https://github.com/alkacon/opencms-core/commit/bea871a767a7c4c7edc34004a17710121df60cd7

Best, Daniel.

On 17.06.19 at 10:58, Filip.Kratochvil at ibacz.eu wrote:
> Hi guys,
>
> I have a question about a CSRF security issue in older OpenCms versions.
>
> According to the release notes for OpenCms 10.5.4, I think that problem 
> should be resolved:
> http://www.opencms.org/en/news/180517-opencms-v1054.html
>
> "Improved security by using a client id token to prevent session 
> hijacking."
>
> I have to know in detail how it is resolved (I need to approve it). I 
> checked the headers/cookies in the administration (while manipulating 
> user groups) and I don't see any unique token/id that is sent to the server.
>
> Can someone explain how it works please (you can send me a link to 
> the GitHub commits in OpenCms 10.5.4 - we can compare it with OpenCms 
> 10.5.3.)?
>
> I know that old-styled workplace was removed in OpenCms 11, but we 
> have to check all options... Thank you in advance.
>
> Kind regards
>
> Filip Kratochvil
> Web & Portal Consultant
>
> IBA CZ, s.r.o.
> Office: Radlická 751/113e, 158 00 Praha, CZ
> Phone: +420 777 366 998
> E-mail: filip.kratochvil at ibacz.eu <mailto:filip.kratochvil at ibacz.eu>
>
>
-- 
Kind Regards,
Daniel.
  
-------------------

Daniel Seidel

Alkacon Software GmbH & Co. KG - The OpenCms Experts
http://www.alkacon.com - http://www.opencms.org
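To illustrate the kind of check an auditor like Filip would look for, here is an added example of the synchronizer-token CSRF pattern; it is not OpenCms code (the real change is in the commit Daniel linked), and the parameter name `clientId`, the `Session`/`Request` models and the sample requests are constructed for this example.

```python
import hmac
import secrets
from dataclasses import dataclass, field

TOKEN_PARAM = "clientId"  # assumed parameter name for this example, not OpenCms's


@dataclass
class Session:
    """Server-side session state; the per-session token is minted once."""
    user: str
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    """Minimal request model: the session bound to the cookie, plus submitted params."""
    method: str
    session: Session
    params: dict


def is_state_changing(method: str) -> bool:
    """Only unsafe methods need the token; GET/HEAD/OPTIONS must not change state."""
    return method.upper() not in ("GET", "HEAD", "OPTIONS")


def csrf_check(req: Request) -> bool:
    """Return True if the request may proceed.

    A state-changing request must carry the session's token in its body.
    The token is only readable from a page served inside that session, so a
    form submitted from another origin cannot supply it. The comparison is
    constant-time to avoid leaking the token through timing."""
    if not is_state_changing(req.method):
        return True
    submitted = req.params.get(TOKEN_PARAM)
    if not isinstance(submitted, str):
        return False
    return hmac.compare_digest(submitted, req.session.csrf_token)


def demo():
    """Constructed requests: valid token, missing token, wrong token, safe method."""
    sess = Session(user="admin")
    with_token = Request("POST", sess, {"group": "editors", TOKEN_PARAM: sess.csrf_token})
    missing = Request("POST", sess, {"group": "editors"})
    wrong = Request("POST", sess, {"group": "editors", TOKEN_PARAM: "x" * 43})
    read_only = Request("GET", sess, {"group": "editors"})
    return csrf_check(with_token), csrf_check(missing), csrf_check(wrong), csrf_check(read_only)
```

When reviewing a fix like this, the token should be visible in the request body of each state-changing workplace action and absent from the cookies, and the same request replayed without it should be rejected.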
