[vlc-devel] [PATCH 0/2] mitigate CSRF and DNS rebinding attacks on httpd server.

Rémi Denis-Courmont remi at remlab.net
Thu Feb 1 18:30:47 CET 2018

Le jeudi 1 février 2018, 11:16:06 EET Pierre Lamot a écrit :
> > First, enforce POST for all non-indempotent requests. Then, you can think
> > about "newer" attacks like CSRF.
> I agree, though enforcing POST requests is breaking the API. I think this
> should be done in the long run, but as we start breaking the API we should
> also add CSRF token and other things (TBD)

Enforcing POST is *fixing* the API. Using GET for nonidemportent requests is 
not so much insecure as it is unsafe.

> > It is true that session tokens or cookies would break the API. But so
> > would
> > Origin and Referer header checks:
> > - A control app using hand-written code for HTTP will break.
> > - A control app using a non-web framework for HTTP will also break.
> Browsers provide Referer and/or Origin header in their requests (even GET).
> Control/Other app will unlikely provides theses header, my patch accept the
> requests when none of theses header are provided.

It is trivial for an attacker to prevent the Referer line from being informed, 
given that the VLC HTTP interface always runs in non-secure mode: it just has 
to supply the attacking page over a secure channel.

Your patch is vain since it relies on the user configuring the permitted 
hostnames - which realistically will almost never happen. And it puts the 
validation in the server code when it belongs in the UI backend.

Rémi Denis-Courmont

More information about the vlc-devel mailing list