Reported Vulnerabilities

I have reported the following vulnerabilities.

Vulnerability in CSRF-Magic

CSRF-Magic, a PHP library, is used to provide Cross-Site Request Forgery (CSRF) protection. During a configuration inspection of the pfSense firewall, it was identified that when $GLOBALS['csrf']['secret'] was left uninitialized, the CSRF token was predictable.

While reviewing the source code for CSRF-Magic, I found a comment that specifically called out using csrf_get_secret() instead of accessing the global value directly. The reason is that the accessor function generates a random secret for the server instance when the global configuration does not provide one.

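As an added illustration (not csrf-magic's own code, nor the pfSense change), the following PHP models the two patterns described above: a token keyed directly off the global secret, and one routed through an accessor that provisions a random per-instance secret. The sha1(secret . value . time) construction and the secret file location are assumptions for this example.

```php
<?php
// Added example, not csrf-magic's or pfSense's code: a minimal model of why an
// uninitialized $GLOBALS['csrf']['secret'] makes tokens predictable, and the
// accessor-based fix. The sha1(secret . value . time) construction is assumed.

// Constructed configuration: the secret is left empty, mirroring an install
// that never populated it.
$GLOBALS['csrf']['secret'] = '';

// Vulnerable pattern: the hash reads the global directly, so with an empty
// secret the token reduces to sha1($value . $time), which contains nothing a
// third party does not already know.
function token_vulnerable(string $value, int $time): string {
    return sha1($GLOBALS['csrf']['secret'] . $value . $time) . ',' . $time;
}

// Hardened accessor (name follows the library's csrf_get_secret(); the
// provisioning logic is an assumption for this example): return the configured
// secret, otherwise load or create a random per-instance secret on disk, and
// fail closed rather than hash with an empty string.
function csrf_get_secret_hardened(): string {
    if (!empty($GLOBALS['csrf']['secret'])) {
        return $GLOBALS['csrf']['secret'];
    }
    $file = __DIR__ . '/csrf-secret.php'; // assumed location
    if (is_readable($file)) {
        $stored = include $file;
        if (is_string($stored) && $stored !== '') {
            return $stored;
        }
    }
    $secret = bin2hex(random_bytes(32));
    if (@file_put_contents($file, "<?php return '$secret';\n", LOCK_EX) === false) {
        throw new RuntimeException('CSRF secret not configured and could not be provisioned');
    }
    return $secret;
}

function token_hardened(string $value, int $time): string {
    return sha1(csrf_get_secret_hardened() . $value . $time) . ',' . $time;
}

// Deployment check: true when a token can be reproduced with no secret at all,
// i.e. the installation is in the misconfigured state described above.
function token_is_secretless(callable $tokenFn, string $value, int $time): bool {
    return hash_equals(sha1($value . $time) . ',' . $time, $tokenFn($value, $time));
}
var_dump(token_is_secretless('token_vulnerable', 'constructed-session-id', 1369267200));
var_dump(token_is_secretless('token_hardened', 'constructed-session-id', 1369267200));
```

The first check reports the misconfigured state; the second does not, because every token now carries a secret the client cannot know.
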
Assigned CVE: CVE-2013-7464
Date Reported: 23/5/2013
Date Remediated: 17/7/2013