Forum OpenACS Q&A: Wiki Search


Posted by Claudio Pasolini on
Searching for anything on the OpenACS site wiki produces the following error:

Invalid request token (potential Cross-Site Request Forgery)

2: Re: Wiki Search (response to 1)
Posted by Gustaf Neumann on
Dear Claudio,

Thanks for the hint; I did not notice, since CSRF checking is deactivated for SWAs. Background: CSRF checking is a feature supported by the forthcoming OpenACS 5.9.1. The basic idea is that values for HTML forms are only accepted from users to whom the form was actually sent (see e.g. [1]). We have done substantial work with (also commercial) vulnerability scanners, which detected several problems of different severities (CSRF is of medium severity). A full vulnerability scan of OpenACS.org takes more than a week when firing between 50 and 200 requests per second.

As a consequence, openacs.org and the next release of OpenACS will be both faster and much more secure.

Concerning the posted problem: it should be fixed by now; the customized templates on openacs.org were not yet adapted.

-gn

[1] https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
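The mechanism Gustaf describes (accept form values only from the session that was actually sent the form) is the synchronizer-token pattern from [1]. The following is an added illustration, not OpenACS code and not part of the thread: a minimal Python sketch with a hypothetical in-memory session store, a hidden-field name `__csrf_token` chosen for the example, and the error string from the original post as the rejection message. It shows the legitimate round trip and three forged submissions that must be rejected.

```python
"""Synchronizer-token CSRF check: a form is only accepted from the session
that was actually sent the form.  Added example, not OpenACS code."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

ERROR_TEXT = "Invalid request token (potential Cross-Site Request Forgery)"
FIELD = "__csrf_token"   # hidden-field name assumed for this example


@dataclass
class Session:
    user_id: str
    csrf_token: Optional[str] = None   # minted when a form is first rendered


# Hypothetical in-memory session store keyed by the session cookie value.
SESSIONS: dict = {}


def new_session(user_id: str) -> str:
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = Session(user_id)
    return sid


def render_form(sid: str) -> str:
    """Server side of 'sending the form': bind a random token to this session
    and return the markup the browser receives.  The token is unguessable and
    only reaches the client inside this markup, so a page on another origin
    cannot read it (same-origin policy keeps the response private)."""
    s = SESSIONS[sid]
    if s.csrf_token is None:
        s.csrf_token = secrets.token_urlsafe(32)
    return (f'<form method="post" action="/search">'
            f'<input type="hidden" name="{FIELD}" value="{s.csrf_token}">'
            f'<input name="q"></form>')


def handle_post(sid: Optional[str], form: dict) -> tuple:
    """Server side of accepting the form.  Returns (status, body)."""
    s = SESSIONS.get(sid) if sid else None
    if s is None:
        return 403, "no valid session"
    submitted = form.get(FIELD)
    # Reject when no form was ever rendered for this session, when the field
    # is absent, or when it does not match.  compare_digest keeps the
    # comparison constant-time so the token cannot be recovered byte by byte.
    if (s.csrf_token is None or submitted is None
            or not hmac.compare_digest(submitted, s.csrf_token)):
        return 403, ERROR_TEXT
    return 200, f"searched {form.get('q', '')!r} as {s.user_id}"


def scenarios() -> dict:
    """Exercise the check: one legitimate submit and three forged ones.
    Returns the HTTP status of each case."""
    alice = new_session("alice")
    mallory = new_session("mallory")
    html = render_form(alice)
    # What alice's browser will send back: the token parsed from her form.
    token = html.split(f'name="{FIELD}" value="')[1].split('"')[0]
    render_form(mallory)
    return {
        # genuine submit: cookie and token both belong to alice
        "legit": handle_post(alice, {FIELD: token, "q": "csrf"})[0],
        # cross-site form: alice's cookie rides along with the request,
        # but the attacker's page never saw her token
        "forged_no_token": handle_post(alice, {"q": "evil"})[0],
        # attacker supplies a token from their own session
        "forged_other_token": handle_post(
            alice, {FIELD: SESSIONS[mallory].csrf_token, "q": "evil"})[0],
        # attacker guesses a token of the right length
        "forged_guess": handle_post(alice, {FIELD: "x" * 43, "q": "evil"})[0],
    }
```

Note the failure mode the thread itself hit: if a customized template renders the form without the hidden field, a legitimate submission is indistinguishable from the "forged_no_token" case and gets the same 403, which is why every template that posts to a protected handler has to be adapted, not just the framework default.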