Talk:PHP CSRF Guard


Flaws and Updates


Thanks very much.


On 8 December 2012 00:54, Abbas Naderi <[email protected]> wrote:
Yes but then I assumed you don't have edit permissions on the wiki. I'll do this and mention you on the bottom and discussion page.
On 18 Azar 1391 (8 December 2012), at 3:17, Jakub Kałużny <[email protected]> wrote:

You probably meant changing wiki, sorry :)

On 8 December 2012 00:47, Jakub Kałużny <[email protected]> wrote:
just change
              if (!isset($_POST['CSRFName']))
to
              if (!isset($_POST['CSRFName']) || !isset($_POST['CSRFToken']))
this should work.


On 8 December 2012 00:43, Abbas Naderi <[email protected]> wrote:
Hi Jakub,
You are right and we are aware of this. Would you like to fix it or I shall do so?
On 18 Azar 1391 (8 December 2012), at 3:11, Jakub Kałużny <[email protected]> wrote:

Hi Abbas,

I found a note about a bug in PHP CSRF Guard.
The code was patched so that a NULL $token cannot be validated with an
empty ("") CSRFToken parameter.
Isn't the code still vulnerable by passing a non-existing CSRFName and
not passing CSRFToken?
Only the CSRFName is checked - if(!isset($_POST['CSRFName']))
but later there is $token=$_POST['CSRFToken'] which can still be
null if no CSRFToken parameter is passed.



Hi Krzysztof,
Thanks for the tip. 
Actually I did the code on the fly and never got to test it! And never had a chance to review it.
Thanks for fixing the flaw.
It would be a good idea to post this email on the discussion page of the wiki so that people know the flaw and update it.
Also add a version on top of the code.
On 16 Azar 1391 (6 December 2012), at 17:44, Krzysztof Kotowicz <[email protected]> wrote:


PHP CSRFGuard that you posted at OWASP wiki is vulnerable to a simple
bypass method:

When you submit a non-existing form id as CSRFName and an empty CSRFToken,
the csrf_validate_token() function will return true.

function csrfguard_validate_token($unique_form_name,$token_value)

      // non existing form name, $token = null;

      if ($token===false)
            return true;
      elseif ($token==$token_value) // type insensitive comparison!!
            // $token_value = "", $token = null, both are equivalent to == operator
      return $result;

I've been able to exploit it already on a live site for a client that
used PHP CSRFGuard. I've fixed the code on wiki by using === operator.
This is just to notify you of the change, if you use this project elsewhere.

Best regards,
Krzysztof Kotowicz
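Added example (not the PHP CSRF Guard code from the wiki, and not written by anyone in this thread): a minimal PHP re-creation of the two problems discussed above, the loose `==` comparison that lets `null` match an empty token (Krzysztof's message) and the request that omits `CSRFToken` entirely (Jakub's message), placed next to a hardened validator. The function names, the in-memory array standing in for `$_SESSION`, and the sample requests are constructed for illustration; `hash_equals()` is an extra hardening step added here, not part of the fix described in the thread.

```php
<?php
// Constructed stand-in for $_SESSION: the "login" form has a token,
// the "orders" form does not (an unknown form name).
$session = ['login' => 'c0ffee1234deadbeef'];

// Vulnerable shape described in the thread: an unknown form name yields
// $token = null, the === false guard never fires for null, and the loose
// == comparison treats null, "" and a missing value as equal.
function validate_loose(array $session, string $form, ?string $token_value): bool
{
    $token = $session[$form] ?? null;   // null when the form name is unknown
    if ($token === false) {             // never true for a null lookup
        return true;
    }
    return $token == $token_value;      // loose comparison: null == "" is true
}

// Hardened shape: an unknown form name or a missing token is a failure, and
// the comparison is strict (hash_equals also avoids a timing side channel).
function validate_strict(array $session, string $form, ?string $token_value): bool
{
    if (!isset($session[$form]) || $token_value === null) {
        return false;
    }
    return hash_equals($session[$form], $token_value);
}

// Request-level check from Jakub's message: both parameters must be present.
function request_has_csrf_fields(array $post): bool
{
    return isset($post['CSRFName']) && isset($post['CSRFToken']);
}

// Constructed POST bodies covering the cases raised in the thread.
$cases = [
    'valid token'             => ['CSRFName' => 'login',  'CSRFToken' => 'c0ffee1234deadbeef'],
    'unknown form, empty tok' => ['CSRFName' => 'orders', 'CSRFToken' => ''],
    'unknown form, no token'  => ['CSRFName' => 'orders'],
];

foreach ($cases as $label => $post) {
    $token_value = $post['CSRFToken'] ?? null;
    $loose  = validate_loose($session, $post['CSRFName'], $token_value);
    $strict = request_has_csrf_fields($post)
           && validate_strict($session, $post['CSRFName'], $token_value);
    printf("%-24s loose=%-5s strict=%s\n",
           $label, var_export($loose, true), var_export($strict, true));
}
```

Run with `php example.php`: the loose validator accepts all three requests, because `null == ""` and `null == null` are both true in PHP, while the strict validator accepts only the request whose token matches the stored one. The `isset()` guard on both fields and the `=== null` check are what close the "no CSRFToken parameter at all" case that a fix of the `==` operator alone leaves open.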