sks-devel

[Sks-devel] CSRF attack?


From: Jens Leinenbach
Subject: [Sks-devel] CSRF attack?
Date: Sun, 11 Sep 2011 11:12:22 +0200
User-agent: Thunderbird/6.0

Hi,


Today, I have seen this alert for the first time:
Sep 11 03:06:52 lvps83-169-43-165 drupal:
https://www.ccc-hanau.de|1315703212|seckit|xx.xx.xx.xx|https://www.ccc-hanau.de/|http://pool.sks-keyservers.net/|0||Possible
CSRF attack was blocked. IP address: xx.xx.xx.xx, Origin:
http://pool.sks-keyservers.net.

The Apache logfile says:
xx.xx.xx.xx - - [11/Sep/2011:03:06:51 +0200] "POST / HTTP/1.1" 403 2336
"http://pool.sks-keyservers.net/" "Mozilla/5.0 (Macintosh; Intel Mac OS
X 10_7_1) AppleWebKit/534.48.3 (KHTML, like Gecko) Version/5.1
Safari/534.48.3"
xx.xx.xx.xx - - [11/Sep/2011:03:06:52 +0200] "GET
/sites/default/files/css/css_8e82aa0bc9bb027369e3c85c68bbec48.css
HTTP/1.1" 200 6240 [same as above]
xx.xx.xx.xx - - [11/Sep/2011:03:06:56 +0200] "GET /sks HTTP/1.1" 200
4767 "http://pool.sks-keyservers.net/" [same as above]

Although there is no log entry that the user has ever seen the SKS form
at /sks, there's a log entry that the user downloaded the home page at /
before:
xx.xx.xx.xx - - [11/Sep/2011:03:06:38 +0200] "GET / HTTP/1.1" 200 3705
"-" [same as above]

NOTES:
- The referrer is missing here with this first access, but it's always
"http://pool.sks-keyservers.net/" afterwards! This is why I think that
the referrer is spoofed.
- The SKS index page at port 11371 is a file redirect to our Drupal
webserver to /sks.

I wouldn't care if there was no pool.sks-keyservers.net referrer and
esp. no access to /sks directly after the CSRF warning for the first time.


At first, I thought it might be possible that it was uploaded here:
http://pool.sks-keyservers.net:11371/
But then you just get the following redirection to ccc-hanau.de/sks, so
this can't be the reason:
http://83.169.43.165:11371/


Second, I thought about the following scenario:
(Drupal uses completely different variables than SKS, of course.)

1. A user visited http://pool.sks-keyservers.net:80/
2. A random SKS server answered with its SKS index page on port 80 by
accident.
3. But when he sent his key to the server, the IP for the domain
pool.sks-keyservers.net changed in the meantime for him, so that he sent
(POST request) it to / at port 80 of our server instead of the formerly
available SKS server. (Shouldn't his browser cache the IP?)

But because the IP address already downloaded the home page several
seconds earlier, without giving a referrer URL at all, I don't
believe in this IP change scenario either.


Cheers
Jens
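
One way to repeat this triage over an access log, as an added example that is not part of the original message: it lists state-changing requests whose Referer host is not the site's own host and records earlier requests from the same client that carried no Referer. The function name and the client address 192.0.2.10 are assumptions, and the sample lines are constructed from the entries quoted in the message.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "agent"
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
UNSAFE = {"POST", "PUT", "PATCH", "DELETE"}

def cross_site_writes(lines, site_host):
    """Return one finding per state-changing request whose Referer host is not site_host."""
    history = {}   # client IP -> requests already seen, in log order
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        r = m.groupdict()
        ref_host = urlsplit(r["referer"]).hostname  # None for "-" or an empty value
        seen = history.setdefault(r["ip"], [])
        if r["method"] in UNSAFE and ref_host and ref_host != site_host:
            findings.append({
                "ip": r["ip"], "time": r["ts"], "path": r["path"],
                "status": int(r["status"]), "referer_host": ref_host,
                # earlier requests by the same client that carried no Referer
                "prior_no_referer": [p["path"] for p in seen if p["referer"] in ("-", "")],
            })
        seen.append(r)
    return findings

# Constructed sample: 192.0.2.10 is a documentation address standing in for the
# redacted client IP; requests, status codes and times follow the quoted log entries.
UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_1) AppleWebKit/534.48.3 "
      "(KHTML, like Gecko) Version/5.1 Safari/534.48.3")
SAMPLE = [
    f'192.0.2.10 - - [11/Sep/2011:03:06:38 +0200] "GET / HTTP/1.1" 200 3705 "-" "{UA}"',
    f'192.0.2.10 - - [11/Sep/2011:03:06:51 +0200] "POST / HTTP/1.1" 403 2336 '
    f'"http://pool.sks-keyservers.net/" "{UA}"',
    f'192.0.2.10 - - [11/Sep/2011:03:06:56 +0200] "GET /sks HTTP/1.1" 200 4767 '
    f'"http://pool.sks-keyservers.net/" "{UA}"',
]

if __name__ == "__main__":
    for finding in cross_site_writes(SAMPLE, "www.ccc-hanau.de"):
        print(finding)
```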



