[TYPO3-mvc] !!! Introduced request hash
Oliver Klee
typo3-german-02 at oliverklee.de
Tue Oct 13 11:10:21 CEST 2009
Hi,
Sebastian Kurfürst wrote:
> 2) Introduction of a request hash check when objects are modified:
> http://forge.typo3.org/issues/show/4960
If I edit a record, will the hash then also be valid for other edits of
the same record type? If so, this hash will not (yet) protect against
XSRF because an attacker might use the form and then use the hash for
attacks.
For an XSRF protection, the hash needs to be unique to that instance of
the form (and even that is not 100% safe).
Oliver
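
The distinction raised in this message, as an added example that is not part of the original post and is not TYPO3 code. The post does not say how the request hash is computed, so the field-list scheme below is an assumption; the key, function names, session arrays and record ids are all constructed for illustration.

```php
<?php
// Constructed demo key; a real deployment would use a per-installation secret.
const SERVER_KEY = 'constructed-demo-key';

// Assumed scheme A: HMAC over the form's field names only.
// Nothing in the input identifies the user, the record or the rendered form.
function fieldListHash(array $fieldNames): string {
    sort($fieldNames);
    return hash_hmac('sha256', implode(',', $fieldNames), SERVER_KEY);
}

// Scheme B: token bound to the session, the record and a one-time nonce
// issued when this particular form instance is rendered.
function issueFormToken(array &$session, string $recordId): string {
    $nonce = bin2hex(random_bytes(16));
    $session['form_nonces'][$nonce] = $recordId;
    $mac = hash_hmac('sha256', $session['id'] . '|' . $recordId . '|' . $nonce, SERVER_KEY);
    return $nonce . ':' . $mac;
}

function checkFormToken(array &$session, string $recordId, string $token): bool {
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2) {
        return false;
    }
    [$nonce, $mac] = $parts;
    // The nonce must have been issued to this session for this record.
    if (($session['form_nonces'][$nonce] ?? null) !== $recordId) {
        return false;
    }
    unset($session['form_nonces'][$nonce]); // single use
    $expected = hash_hmac('sha256', $session['id'] . '|' . $recordId . '|' . $nonce, SERVER_KEY);
    return hash_equals($expected, $mac);
}

// Scheme A: two edit forms of the same record type yield an identical hash.
$fields = ['blog[title]', 'blog[description]'];
printf("A, same hash for every edit form: %s\n",
    var_export(fieldListHash($fields) === fieldListHash(array_reverse($fields)), true));

// Scheme B: the same token checked in four situations (constructed sessions).
$alice = ['id' => 'sess-alice', 'form_nonces' => []];
$bob   = ['id' => 'sess-bob', 'form_nonces' => []];
$token = issueFormToken($alice, 'blog:42');
printf("B, other session:  %s\n", var_export(checkFormToken($bob, 'blog:42', $token), true));
printf("B, other record:   %s\n", var_export(checkFormToken($alice, 'blog:43', $token), true));
printf("B, first submit:   %s\n", var_export(checkFormToken($alice, 'blog:42', $token), true));
printf("B, second submit:  %s\n", var_export(checkFormToken($alice, 'blog:42', $token), true));
```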