A new feature of version 4.5 of TYPO3 is protection against CSRF. In the best case, you will not realize that this feature exists…
CSRF can be used to execute certain commands without having the required privileges. It is sufficient if the attacked person has the rights and clicks on a particular link. It actually works quite simple: For example, the command (or link) domain.com/delete.php?id=123 is meant to delete a database-record with the ID 123. Since the attacker does not have sufficient rights to carry out this operation, he needs to trick the right person to click on a link, which includes the command. Some examples how to do this:
A link in an email, like this <a href="domain.com/delete.php?id=123">Photos of my new girlfriend</a>
A hacked page where the link is loaded automatically in the background via JavaScript
CSRF not only works with simple links, but also with forms, since the procedure is similar: The attacker directs a user to a separate page where the form is prepared with the necessary fields and sends the form automatically (e.g. with JavaScript) .
How can you protect yourself?
One approach, which is used by TYPO3, is to transfer a generated token with each form. Each time the form is invoked, this token is newly created and it will work with this form only. The server checks the token and devalues it at the same time. Thus, each token is valid only one time.
Special for TYPO3
In the user settings and the install tool of TYPO3, CSRF protection is present for a couple of weeks. With the release of RC1 of TYPO3 version 4.5, it will also be present in the TYPO3 Page- and List module. Possibly not the whole back-end is covered yet, but this will be made up.
The important thing is: If you test the new TYPO3 version and get an error message that reads “Invalid security token (ExtDirect)” or “Validating the security token of this form has failed”, you must reload the form and submit it again.
