Howto:Protection against "Cross-Site-Request-Forgery"
This information applies to
- all innovaphone devices with advanced UI prior to V13r2
If you use the devices App to access the advanced UI you are not affected by that problem.
A common attack against web-based systems is known as Cross-Site-Request-Forgery. The idea here is that a malicious web site has the user's web browser send requests on behalf of the user (using his credentials) without the user's consent.
In our case, the attacker creates a web site that sends an administration command to one of the innovaphone devices and arranges in some way that an administrator opens the site (e.g. by sending an email with a link that the administrator clicks). If the administrator in this moment already has an authenticated session to the target innovaphone device, the browser will use the user's credentials to send this malicious command. The scheme is also known as session riding thus.
This way, attackers could for example effect arbitrary configuration changes in any innovaphone device.
In order to create a meaningful attack, the attacking site needs to have some decent knowledge of the details of the targeted innovaphone device (such as e.g. the ip-address). It is thus much more likely hat a successful attack origins from a site internal to your network.
In order to avoid such session riding, there are a few approaches:
- use a separate browser for administration only
- the administrator can make sure that a single type of browser is always used for innovaphone device administration but for nothing else. All other web sites must be accessed using a different browser. This way, session riding is not possible, as the browser used by the potential malicious site would never have an authenticated session to an innovaphone device. You should make sure that the browser that is used to open web links by default (e.g. in emails) is not the one you use for innovaphone device administration. For example, you could use Chrome for innovaphone device administration only when InternetExplorer is your standard browser
- make sure you close all browser instances when administration is done
- to avoid session riding, make sure that you close all browser instances sharing the authenticated session before you do anything else. Browser will close the authenticated session when the last browser instance is closed. While this avoids the problem, it is slightly error prone, as if the administrator inadvertently opens a malicious site (e.g. by clicking on a link received in an email) while the session is still active, the system may still get compromised. Also, the browser you use may be configured to re-use authentication data even across restarts