Re: phppgadmin / CVE-2019-10784

To: Ola Lundqvist <ola@inguza.com>
Cc: Ola Lundqvist <ola@inguza.com>, Debian LTS <debian-lts@lists.debian.org>
Subject: Re: phppgadmin / CVE-2019-10784
From: Brian May <bam@debian.org>
Date: Fri, 13 Mar 2020 19:22:29 +1100
Message-id: <[🔎] 87imj8wtoa.fsf@silverfish.pri>
In-reply-to: <[🔎] CABY6=0mcg6UBuisUxSN1UJSctcmon=QE0O4g3whYuit7UNQ++w@mail.gmail.com>
References: <CABY6=0=y_=tF9QUydiCvL5MU0y+8Y77nToZrcTgr_mDaTBD4HQ@mail.gmail.com> <[🔎] 87lfo5waln.fsf@silverfish.pri> <[🔎] CABY6=0mcg6UBuisUxSN1UJSctcmon=QE0O4g3whYuit7UNQ++w@mail.gmail.com>

Ola Lundqvist <ola@inguza.com> writes:

> I do not see how SameSite attribute would help in this case. Or how do you
> mean that it would protect against this?

This is what the SameSite attribute was designed for. To protect against
CSRF attacks.

If a user clicks a link that creates post request to another site, then
the cookie won't be transmitted from the browser and the user will not
have any login session, so damaging stuff using the user's credentials
is not possible.
-- 
Brian May <bam@debian.org>

Reply to:

References:
- Re: phppgadmin / CVE-2019-10784
  - From: Brian May <bam@debian.org>
- Re: phppgadmin / CVE-2019-10784
  - From: Ola Lundqvist <ola@inguza.com>

Prev by Date: Re: phppgadmin / CVE-2019-10784
Next by Date: Re: amd64-microcode, test
Previous by thread: Re: phppgadmin / CVE-2019-10784
Next by thread: Re: phppgadmin / CVE-2019-10784
Index(es):
- Date
- Thread