Re: phppgadmin / CVE-2019-10784

To: Emilio Pozuelo Monfort <pochu@debian.org>
Cc: Brian May <bam@debian.org>, Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: phppgadmin / CVE-2019-10784
From: Ola Lundqvist <ola@inguza.com>
Date: Fri, 13 Mar 2020 22:09:05 +0100
Message-id: <[🔎] CABY6=0nGvgAT95SekVzUS5DRmcrsQ4J2YqmeYzE81s0SR7prKg@mail.gmail.com>
In-reply-to: <[🔎] 0a927029-7ced-3f32-d1d1-c0652e3a60b6@debian.org>
References: <CABY6=0=y_=tF9QUydiCvL5MU0y+8Y77nToZrcTgr_mDaTBD4HQ@mail.gmail.com> <[🔎] 87lfo5waln.fsf@silverfish.pri> <[🔎] 0a927029-7ced-3f32-d1d1-c0652e3a60b6@debian.org>

If this is the case, it looks like the perfect solution to the problem.

And I think it should be strict too.

// Ola

On Fri, 13 Mar 2020 at 10:50, Emilio Pozuelo Monfort <pochu@debian.org> wrote:

On 12/03/2020 22:02, Brian May wrote:
> Ola Lundqvist <ola@inguza.com> writes:
>
>> I have ideas on how we can reduce the attack possibilities but I cannot
>> find any perfect solution to this.
>
> What about setting samesite=Lax in the session Cookie?

Wouldn't you need Strict rather than Lax? Otherwise if basite.com sends a POST
request to your phppgadmin instance, the cookie will be sent and you won't have
fixed anything.

Cheers,
Emilio

--- Inguza Technology AB --- MSc in Information Technology ----

| ola@inguza.com opal@debian.org |

| http://inguza.com/ Mobile: +46 (0)70-332 1551 |

---------------------------------------------------------------

Reply to:

Follow-Ups:
- Re: phppgadmin / CVE-2019-10784
  - From: Sylvain Beucler <beuc@beuc.net>

References:
- Re: phppgadmin / CVE-2019-10784
  - From: Brian May <bam@debian.org>
- Re: phppgadmin / CVE-2019-10784
  - From: Emilio Pozuelo Monfort <pochu@debian.org>

Prev by Date: Re: Limiting concurrent claims?
Next by Date: Re: phppgadmin / CVE-2019-10784
Previous by thread: Re: phppgadmin / CVE-2019-10784
Next by thread: Re: phppgadmin / CVE-2019-10784
Index(es):
- Date
- Thread