Dear PKP staff and Forum members,
I am currently operating OPS3.3.0.8 (PHP8.1).
I conducted a dynamic scan with a vulnerability assessment tool (OWASP ZAP) on the search form of OPS, and the diagnostic report identified the following vulnerability:
Risk Level: Low (Medium) Absence of Anti-CSRF Tokens
Description:
No Anti-CSRF tokens were found in an HTML submission form.
CSRF has primarily been used to perform an action against a target site using the victim’s privileges, but recent techniques have been discovered that allow information disclosure by gaining access to the response. The risk of information disclosure increases significantly when the target site is vulnerable to XSS because XSS can serve as a platform for CSRF, enabling the attack to operate within the bounds of the same-origin policy.
Target URL: https://my-ops-server.com/index.php/ops/search/search?csrfToken=0b9924d24c4a5c4e30f7888a7dd9305c&query=
※The domain part is a dummy.
While the risk level is noted as Low, I’m concerned and would appreciate confirmation.
The term “Absence of Anti-CSRF Tokens” indicates that the scanned HTML form does not contain Anti-CSRF tokens, which are generally recognized as a protective measure against Cross-Site Request Forgery (CSRF) attacks.
As can be seen from the URL above, it seems that a csrfToken is generated when the search button is pressed in OPS, but it appears that this token is not being correctly transmitted or validated.
To resolve this issue, it is recommended to include an appropriate Anti-CSRF token in the respective form, and to ensure this token is validated on the server-side when the form is submitted. This approach is expected to verify that the form submission originates from a legitimate session, thereby reducing the risk of CSRF attacks.
Could you please confirm if my understanding of the behavior of OPS’s CSRF tokens is correct and advise on a solution?
Best regards,
Minoru Tanabe.
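As an added example (not code from the post and not OPS/PKP code), this is a minimal model of the token lifecycle the post describes: a token issued per session, submitted with the form, and validated server-side with a constant-time comparison. The session dict, function names and host names are assumptions; it parses URLs of the same shape as the one in the scan report to show which submissions would pass.

```python
"""Minimal anti-CSRF token issue/validate model (stand-alone example,
not OPS/PKP code). Session storage is modelled as a plain dict."""
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlparse

TOKEN_HEX_LEN = 32  # the csrfToken seen in the report is 32 hex chars
HEX_DIGITS = set("0123456789abcdef")


def issue_token(session: dict) -> str:
    """Create the session's CSRF token once and return it; the form
    embeds this value so a submission can prove it came from this session."""
    if "csrfToken" not in session:
        session["csrfToken"] = secrets.token_hex(TOKEN_HEX_LEN // 2)
    return session["csrfToken"]


def validate_token(session: dict, submitted: Optional[str]) -> bool:
    """Server-side check: token present, well-formed and equal to the
    session token. compare_digest avoids a timing side channel."""
    expected = session.get("csrfToken")
    if expected is None or submitted is None:
        return False
    if len(submitted) != TOKEN_HEX_LEN or not set(submitted) <= HEX_DIGITS:
        return False  # reject before comparing; also keeps input ASCII
    return hmac.compare_digest(expected, submitted)


def check_request(session: dict, url: str) -> dict:
    """Parse a submitted search URL of the shape in the report and say
    whether its csrfToken would pass validation for this session."""
    qs = parse_qs(urlparse(url).query, keep_blank_values=True)
    token = qs.get("csrfToken", [None])[0]
    query = qs.get("query", [""])[0]
    return {"query": query, "csrf_ok": validate_token(session, token)}


if __name__ == "__main__":
    session = {}  # constructed: one fresh session
    tok = issue_token(session)
    base = "https://my-ops-server.com/index.php/ops/search/search"
    print(check_request(session, f"{base}?csrfToken={tok}&query=test"))
    # A token from a different session (the value quoted in the scan report)
    # must not validate here, nor must a request that omits the token.
    print(check_request(session, f"{base}?csrfToken=0b9924d24c4a5c4e30f7888a7dd9305c&query="))
    print(check_request(session, f"{base}?query=test"))
```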