tracker issue : CF-4126667

Title:

Security Analyzer - CSRF Attack detection does not work


Status/Resolution/Reason: Closed/Fixed/

Reporter/Name(from Bugbase): David Epler / David Epler (David Epler)

Created: 03/09/2016

Components: Security Analyzer

Versions: 2016

Failure Type: Enhancement Request

Found In Build/Fixed In Build: Alpha_v12 /

Priority/Frequency: Normal / Unknown

Locale/System: English / Win All

Vote Count: 0

Related Bugs:
CF-4080920 - Similar to


The CSRF Attack detection for the security analyzer does not work according to the documentation.

Attached code samples have the correct usage of CSRFGenerateToken and CSRFVerifyToken. The security analyzer flags them regardless of whether the form self-posts or posts to a separate action page.

----------------------------- Additional Watson Details -----------------------------

Watson Bug ID: 4126667

External Customer Info:
External Company:  
External Customer Name: David Epler
External Customer Email: dcepler@dcepler.net
External Test Config: Friendly Name: Current MBP
System Type: Laptop
Brand: Apple 
Model: Mid-2012 15"
Processor Type: Intel Core i7
Processor Speed: 2GHz to 3GHz
Memory: 8GB to 16GB
Hard Drive Storage: 500GB-1TB
Peripherals: LCD Display
Peripherals: Web-Cam
Connectivity: Ethernet
Connectivity: Wireless 802.11 N
Interfaces: Firewire
Interfaces: USB 2.x
Media: CD
Media: CD-R
Media: CD-RW
Media: DVD
Media: DVD+R
Media: DVD-R
Media: SD Card
Primary Operating System: Mac OS X 10.9 (Mavericks)
Secondary Operating System: Windows 7 64
System Location: Other
Time Owned: 2 to 3 Years


Bug File Paths:
\\sjshare.corp.adobe.com\Prereleasebugfiles\ColdFusion\12.0\Alpha_v12\4026108\csrf-examples.zip

Attachments:

Comments:

Adding BUG AUDIT TRAIL (all entries are "updated" actions on record RQ_DEFECT; each line: timestamp, field: new value (old value), by user):
2016-02-16 15:13:20  Priority: 2 (was 0), by vmannebo
2015-10-29 06:21:19  State: Closed (was Open), by preethi
2015-10-29 06:21:19  Date Closed: 2015-10-28 23:21:18.0 (was Blank), by preethi
2015-10-29 06:21:19  Closed By: preethi (was Blank), by preethi
2015-10-29 06:21:19  Owner: Blank (was preethi), by preethi
2015-10-29 06:21:18  Reason: Blank (was Fixed), by preethi
2015-10-29 06:21:18  Status: Fixed (was ToTest), by preethi
2015-10-13 09:35:08  Reason: Fixed (was Blank), by uogra
2015-10-13 09:35:08  Date Fixed: 2015-10-13 02:35:08.0 (was Blank), by uogra
2015-10-13 09:35:08  Changelist: 295982 (was Blank), by uogra
2015-10-13 09:35:08  Owner: preethi (was uogra), by uogra
2015-10-13 09:35:08  Status: ToTest (was ToFix), by uogra
2015-10-13 09:35:08  Fixed By: uogra (was Blank), by uogra
2015-09-25 12:26:55  Severity: 0 (was 3), by uogra
2015-09-08 09:05:27  Dev Assigned: uogra (was sanniset), by sanniset
2015-09-08 09:05:27  Owner: uogra (was sanniset), by sanniset
2015-09-08 09:02:36  Fix By Product Milestone: Beta (was Blank), by vmannebo
2015-09-08 09:02:36  Fix By Milestone: Beta (was Blank), by vmannebo
2015-09-08 09:02:36  Status: ToFix (was NeedsReview), by vmannebo
2015-09-08 09:02:36  Reason: Blank (was Blank), by vmannebo
2015-09-08 09:02:36  Owner: sanniset (was rukumar), by vmannebo
2015-07-30 04:17:29  Status: NeedsReview (was Unverified), by preethi
2015-07-30 04:17:29  Reason: Blank (was Blank), by preethi
2015-07-30 04:17:29  Owner: rukumar (was preethi), by preethi
Comment by CFwatson U.
3550 | March 09, 2016 04:30:41 AM GMT
Added By: preethi
Note Added: Fix is verified, will be available in the next release of ColdFusion. It has been fixed for examples 1, 2, 3, 4, 8 and for the scenarios 5, 6, 7, 9 it would be taken up later and is being tracked as part of the bug #CF-4080920. Thanks!
Date Added: 2015-10-29 06:21:20.0

Added By: PreRelease User
User Name: David Epler
Note Added: Entered Bug.
Date Added: 2015-07-26 15:21:02.0
Comment by CFwatson U.
3551 | March 09, 2016 04:30:43 AM GMT