https://wiki.owasp.org/index.php?action=history&feed=atom&title=Talk%3APHP_CSRF_GuardTalk:PHP CSRF Guard - Revision history2026-05-05T04:49:52ZRevision history for this page on the wikiMediaWiki 1.27.2https://wiki.owasp.org/index.php?title=Talk:PHP_CSRF_Guard&diff=140889&oldid=prevAbbas Naderi: added discussions on flaws2012-12-08T00:07:32Z<p>added discussions on flaws</p>
<p><b>New page</b></p><div>==Flaws and Updates==<br />
<br />
===2012/12/08===<br />
<pre><br />
Thanks very much.<br />
<br />
<br />
---<br />
Jakub<br />
<br />
On 8 December 2012 00:54, Abbas Naderi <abbas.naderi@owasp.org> wrote:<br />
Yes but then I assumed you don't have edit permissions on the wiki. I'll do this and mention you on the bottom and discussion page.<br />
-Abbas<br />
On ۱۸ آذر ۱۳۹۱, at ۳:۱۷, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:<br />
<br />
You probably meant changing wiki, sorry :)<br />
<br />
On 8 December 2012 00:47, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:<br />
Hi,<br />
just change<br />
if (!isset($_POST['CSRFName']))<br />
to<br />
if (!isset($_POST['CSRFName']) || !isset($_POST['CSRFToken']))<br />
this should work.<br />
<br />
<br />
Jakub<br />
<br />
On 8 December 2012 00:43, Abbas Naderi <abbas.naderi@owasp.org> wrote:<br />
Hi Jakub,<br />
You are right and we are aware of this. Would you like to fix it or I shall do so?<br />
-Abbas<br />
On ۱۸ آذر ۱۳۹۱, at ۳:۱۱, Jakub Kałużny <jakub.artur.kaluzny@gmail.com> wrote:<br />
<br />
Hi Abbas,<br />
<br />
I found a note about a bug in PHP CSRF Guard<br />
(http://blog.kotowicz.net/2012/12/on-handling-your-pets-and-csrf.html)<br />
The code was patched so that a NULL $token cannot be validated with<br />
empty ("") CSRFToken parameter.<br />
Isn't the code still vulnerable by passing a non existing CSRFName and<br />
not passing CSRFToken ?<br />
Only the CSRFName is checked - if(!isset($_POST['CSRFName']))<br />
but later then there is $token=$_POST['CSRFToken'] which still can be<br />
null if no CSRFToken parameter is passed.<br />
<br />
<br />
Regards,<br />
Jakub<br />
</pre><br />
===2012/12/06===<br />
<pre><br />
Hi Krzysztof,<br />
Thanks for the tip. <br />
Actually I did the code on the fly and never got to test it! And never had a chance to review it.<br />
Thanks for fixing the flaw.<br />
Would be a good idea to post this email on discussion page of the wiki so that people know the flow and update it.<br />
Also add a version on top of the code.<br />
Regards<br />
-Abbas<br />
On ۱۶ آذر ۱۳۹۱, at ۱۷:۴۴, Krzysztof Kotowicz <krzysztof.kotowicz@securing.pl> wrote:<br />
<br />
Hi!<br />
<br />
PHP CSRFGuard that you posted at OWASP wiki<br />
https://www.owasp.org/index.php/PHP_CSRF_Guard is vulnerable to a simple<br />
bypass method:<br />
<br />
When you submit a non-existing form id as CSRFName and empty CSRFToken<br />
csrf_validate_token() function will return true.<br />
<br />
function csrfguard_validate_token($unique_form_name,$token_value)<br />
{<br />
$token=get_from_session($unique_form_name); <br />
<br />
// non existing form name, $token = null;<br />
<br />
if ($token===false)<br />
{<br />
return true;<br />
}<br />
elseif ($token==$token_value) // type insensitive comparison!!<br />
{<br />
// $token_value = "", $token = null, both are equivalent to == operator<br />
$result=true;<br />
}<br />
else<br />
{ <br />
$result=false;<br />
} <br />
unset_session($unique_form_name);<br />
return $result;<br />
}<br />
<br />
I've been able to exploit it already on a live site for a client that<br />
used PHP CSRFGuard. I've fixed the code on wiki by using === operator.<br />
This is just to notify you of the change, if you use this project elsewhere.<br />
<br />
-- <br />
Best regards,<br />
Krzysztof Kotowicz<br />
SecuRing<br />
</pre></div>Abbas Naderi