
Re: phppgadmin / CVE-2019-10784



Hi,

On 13/03/2020 22:09, Ola Lundqvist wrote:
> On Fri, 13 Mar 2020 at 10:50, Emilio Pozuelo Monfort <pochu@debian.org> wrote:
> 
>     On 12/03/2020 22:02, Brian May wrote:
>     > Ola Lundqvist <ola@inguza.com> writes:
>     >
>     >> I have ideas on how we can reduce the attack possibilities but I
>     >> cannot find any perfect solution to this.
>     >
>     > What about setting samesite=Lax in the session Cookie?
> 
>     Wouldn't you need Strict rather than Lax? Otherwise if basite.com
>     sends a POST request to your phppgadmin instance, the cookie will be
>     sent and you won't have fixed anything.

AFAIU SameSite=Lax blocks the external POST vector.

https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1.1
https://www.netsparker.com/blog/web-security/same-site-cookie-attribute-prevent-cross-site-request-forgery/

Strict may cause confusion, like not being logged in when clicking on that
phppgadmin link from the corporate wiki, but then being logged in again
when refreshing the page. Another point of attention is if phppgadmin is
accessed through some SSO.

SameSite looks like a good mitigation though.

> If this is the case, it looks like the perfect solution to the
> problem.
> And I think it should be strict too.

Maybe let's continue the conversation at
https://github.com/phppgadmin/phppgadmin/issues/94
like you started :)

(still no news from upstream though :/)

- Sylvain
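As an added illustration of the Lax-versus-Strict question in this thread (example code written for this page, not phppgadmin's code or anything from the Debian or upstream discussion), here is a small Python model of the browser-side SameSite decision described in draft-west-first-party-cookies section 4.1.1, run over the scenarios the thread mentions: a cross-site POST from basite.com, a link click from a corporate wiki, a same-site refresh, and a cross-site embedded image. Host names are constructed, and the "site" computation (last two DNS labels) is a simplification of what browsers do with the Public Suffix List.

```python
"""Model of a browser's SameSite cookie decision for the cases in the thread.

Added example: the host names are constructed and site_of() is a simplification.
"""
from dataclasses import dataclass
from typing import Dict, Optional

# Methods the draft treats as "safe" for Lax top-level navigations (RFC 7231 sec. 4.2.1).
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Request:
    method: str          # HTTP method of the request
    target_host: str     # host that receives the request (and the cookie, if attached)
    initiator_host: str  # host of the document that caused the request
    top_level: bool      # True when the request navigates the top-level browsing context


def site_of(host: str) -> str:
    """Approximate the 'site' (registrable domain) as the last two DNS labels.

    Simplification for this example: real browsers consult the Public Suffix
    List, so this is wrong for hosts like example.co.uk.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def cookie_is_attached(samesite: Optional[str], req: Request) -> bool:
    """Return True if a cookie with the given SameSite value travels with req."""
    if site_of(req.initiator_host) == site_of(req.target_host):
        return True  # same-site request: SameSite never blocks these
    mode = (samesite or "none").lower()
    if mode == "none":
        return True   # no restriction; also what pre-SameSite browsers do when the attribute is absent
    if mode == "strict":
        return False  # never attached to any cross-site request
    if mode == "lax":
        # Cross-site only for a top-level navigation with a safe method:
        # a link click gets the cookie, a cross-site POST or an <img> fetch does not.
        return req.top_level and req.method.upper() in SAFE_METHODS
    raise ValueError(f"unknown SameSite value: {samesite!r}")


# Constructed hosts; the wiki deliberately lives on a different registrable domain.
PGADMIN = "phppgadmin.example.net"
WIKI = "wiki.example.org"
ATTACKER = "basite.com"

SCENARIOS: Dict[str, Request] = {
    # basite.com page auto-submits a form to phppgadmin: the CSRF vector in the thread
    "cross_site_post": Request("POST", PGADMIN, ATTACKER, top_level=True),
    # user clicks the phppgadmin link on the corporate wiki
    "wiki_link_click": Request("GET", PGADMIN, WIKI, top_level=True),
    # user then reloads the phppgadmin page: same-site request
    "refresh": Request("GET", PGADMIN, PGADMIN, top_level=True),
    # <img src="https://phppgadmin.example.net/..."> embedded on an external page
    "cross_site_image": Request("GET", PGADMIN, ATTACKER, top_level=False),
}


def evaluate(samesite: Optional[str]) -> Dict[str, bool]:
    """Map each scenario name to whether the session cookie would be attached."""
    return {name: cookie_is_attached(samesite, req) for name, req in SCENARIOS.items()}


def csrf_post_blocked(samesite: Optional[str]) -> bool:
    """True if the cross-site POST from basite.com arrives without the session cookie."""
    return not evaluate(samesite)["cross_site_post"]


if __name__ == "__main__":
    for value in (None, "Lax", "Strict"):
        print(f"SameSite={value!s:<6} -> {evaluate(value)}  CSRF POST blocked: {csrf_post_blocked(value)}")
```

Running it shows the point made in the reply above: both Lax and Strict leave the cross-site POST without the cookie, but only Strict also drops the cookie on the wiki link click (the "not logged in, then logged in after refresh" confusion), while the same-site refresh carries the cookie in every mode.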
