Protection against CSRF attacks?

  • Protection against CSRF attacks?

    I'm planning on buying vBulletin soon, and I've already decided that I'm going to buy it, but I was wondering if vBulletin has any protection against CSRF attacks?

    Thanks!

  • #2
    Without actually having the user's password (or a forged cookie) or direct access to the database, I do not believe it's possible to change too many options.



    • #3
      vBulletin defaults to not allowing HTML code in the various posting fields which precludes the possibility of HTML injection that could lead to a CSRF attack. You can enable HTML if you want to remove this protection.



      • #4
        Only via Referrer header checks.



        • #5
          Originally posted by Mike Sullivan
          Only via Referrer header checks.
          Oh, which direction is he talking about?

          If you are asking what vBulletin does to protect against being the victim of CSRF attacks (as opposed to being the initiator), then it is also worth noting that vBulletin only accepts POST submissions for the various posting forms, which is a big deterrent.



          • #6
            Thanks for the answers. I didn't think there was any real protection. It's a real pain to implement.

            I did notice you've protected the logout link though. That's pretty neat.

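The two measures named in posts #4 and #5 (a Referer header check and POST-only form handlers), sketched as an added example that is not part of the thread and is not vBulletin's code. The host name, the paths and the `allow_missing_referer` switch are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical site configuration (assumption, not vBulletin's settings).
TRUSTED_HOSTS = {"forum.example.com"}
STATE_CHANGING_PATHS = {"/newreply.php", "/profile.php"}  # constructed paths


def referer_host(referer):
    """Return the lower-cased host of a Referer value, or None if unusable."""
    if not referer:
        return None
    try:
        parts = urlsplit(referer)
    except ValueError:  # malformed value, e.g. a broken IPv6 literal
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def allow_request(method, path, headers, allow_missing_referer=False):
    """Decide whether a request to a form handler is accepted."""
    if path not in STATE_CHANGING_PATHS:
        return True  # read-only pages are not gated by this check
    # POST-only: a plain link or an image tag on another site can only
    # cause a GET, so those never reach the handler.
    if method.upper() != "POST":
        return False
    host = referer_host(headers.get("Referer"))
    if host is None:
        # Some clients and proxies strip the header. Accepting such
        # requests keeps them working but makes the check skippable.
        return allow_missing_referer
    # Compare the parsed host exactly. A substring test would also accept
    # "forum.example.com.other.example" or "other.example/?forum.example.com".
    return host in TRUSTED_HOSTS


if __name__ == "__main__":
    # Constructed sample requests: (method, path, headers).
    samples = [
        ("POST", "/newreply.php", {"Referer": "https://forum.example.com/t/1"}),
        ("GET", "/newreply.php", {"Referer": "https://forum.example.com/t/1"}),
        ("POST", "/newreply.php", {"Referer": "https://forum.example.com.other.example/"}),
        ("POST", "/profile.php", {}),
    ]
    for method, path, headers in samples:
        print(method, path, headers, "->", allow_request(method, path, headers))
```

A cross-site form that auto-submits still sends a POST, so the method restriction only narrows the problem; the Referer comparison is the part that tells same-site submissions apart from foreign ones.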
