Document information

Document ID: 4681
Subject: Cross-site request forgery in Xeams
Creation date: 12/14/15 4:35 PM
Last modified on: 4/12/22 11:04 AM


Cross-site request forgery (CSRF)

Like any web-based application, Xeams is exposed to attacks from the Internet. Some of these, such as cross-site scripting (XSS), Xeams handles and blocks automatically without any administrator involvement. Protection against CSRF, on the other hand, is a feature that administrators have the option to disable completely on their Xeams server.

It is important to understand what CSRF is and how an attacker can exploit it before disabling this protection. Rather than going into technical details, this page describes how such an attack relates to Xeams. Click here for more technical information about this type of attack.

Conditions

All of the following must hold at the same time for a cross-site request forgery against Xeams to succeed:

  • The victim must be an administrator; regular users are not affected.
  • The administrator must follow a link from an untrusted person (usually sent via email), which loads a page the attacker controls, AND
  • The administrator must be logged in to the Xeams Server web interface in the same browser when that link is followed, because the forged request is sent by the administrator's own browser and the browser automatically attaches the Xeams session cookie to it, AND
  • The attacker must know the IP address and port where Xeams Server is running, which is often an address on the LAN that is neither reachable from nor guessable on the Internet.
In short, you will not become a victim of this attack as long as you do not follow links from untrusted senders while logged in to the Xeams web interface, and even then the attacker still needs to know where your server listens. From a practical perspective it is therefore unlikely that you will become a victim of such an attack.

Such attacks are more relevant for public sites like Facebook.com or Twitter.com because:

    a) the URL (host and port) is publicly known,
    b) users stay logged in for long periods of time, and
    c) many users are inexperienced and may click links from unknown or untrusted senders.
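To make the conditions above concrete, the following is an added example, written for this page and not taken from Xeams or its documentation. It models a generic synchronizer-token CSRF check: the server embeds a random token in every admin page it renders, and a state-changing request is accepted only if it carries both the session cookie and a token that belongs to that session and has not expired. The names (Session, check_request, the csrf_token form field, the "session" cookie, the 10-minute token lifetime, the disableSpamFilter action) are assumptions chosen for illustration, and the scenarios are constructed, not captured traffic. It shows why a forged request from an untrusted page fails only while the protection is on, why it fails regardless when the administrator is not logged in, and how a page left open past the token lifetime produces the "Page is Forbidden" outcome described below.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

# Constructed model of a synchronizer-token CSRF check. It is NOT Xeams's own
# code; the names and the token lifetime are assumptions used to illustrate
# the behaviour the page describes.
TOKEN_LIFETIME = 600  # seconds a page's token stays valid (assumed value)


@dataclass
class Session:
    """Server-side state for one logged-in admin, keyed by the cookie value."""
    sid: str
    tokens: dict = field(default_factory=dict)  # token -> time it was issued


@dataclass
class Request:
    """The parts of an HTTP request the check looks at."""
    method: str
    cookies: dict
    form: dict


def login(sessions: dict) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    sessions[sid] = Session(sid)
    return sid


def render_page(sessions: dict, sid: str, now: float) -> str:
    """Rendering an admin page embeds a fresh, unguessable token in its forms."""
    tok = secrets.token_urlsafe(32)
    sessions[sid].tokens[tok] = now
    return tok


def _lookup(session: Session, presented: Optional[str]) -> Optional[float]:
    """Constant-time search for the presented token; returns its issue time or None."""
    if not presented or not presented.isascii():
        return None
    for tok, issued in session.tokens.items():
        if hmac.compare_digest(tok, presented):
            return issued
    return None


def check_request(req: Request, sessions: dict, now: float,
                  csrf_enabled: bool = True) -> str:
    """Decide what the server does with a request.

    Returns "LOGIN" (no valid session), "OK" (accepted) or
    "FORBIDDEN" (the "Page is Forbidden" outcome mentioned on this page).
    """
    session = sessions.get(req.cookies.get("session", ""))
    if session is None:
        return "LOGIN"              # condition: the admin must be logged in
    if req.method == "GET" or not csrf_enabled:
        return "OK"                 # feature off: the cookie alone is enough
    issued = _lookup(session, req.form.get("csrf_token"))
    if issued is None:
        return "FORBIDDEN"          # forged request carries the cookie but no token
    if now - issued > TOKEN_LIFETIME:
        return "FORBIDDEN"          # stale page: the admin idled, then clicked
    return "OK"


def scenarios() -> dict:
    """Walk through the situations described on the page and return the outcomes."""
    sessions = {}
    sid = login(sessions)
    cookie = {"session": sid}
    t0 = 1_000.0
    tok = render_page(sessions, sid, t0)

    # 1. The admin submits a form from a page loaded a moment ago.
    legit = Request("POST", cookie, {"csrf_token": tok, "action": "disableSpamFilter"})

    # 2. The admin, still logged in, follows an untrusted link. That page
    #    auto-submits a form to the LAN address of Xeams; the browser attaches
    #    the session cookie, but the attacker cannot read or guess the token.
    forged = Request("POST", cookie, {"action": "disableSpamFilter"})

    # 3. The same forged request, but the admin is not logged in (no cookie).
    forged_logged_out = Request("POST", {}, {"action": "disableSpamFilter"})

    return {
        "legit": check_request(legit, sessions, t0 + 5),
        "forged_protected": check_request(forged, sessions, t0 + 5),
        "forged_unprotected": check_request(forged, sessions, t0 + 5, csrf_enabled=False),
        "forged_logged_out": check_request(forged_logged_out, sessions, t0 + 5),
        # 4. The admin leaves the page open past the token lifetime, then clicks.
        "stale_page": check_request(legit, sessions, t0 + TOKEN_LIFETIME + 1),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

The forged_unprotected scenario is the one that matters when deciding whether to turn the feature off: with the check disabled, the session cookie alone authorises the request, so the only remaining defences are the ones listed above (the admin not following untrusted links while logged in, and the attacker not knowing the server's address and port).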


Benefits of turning this feature off

Performance in Xeams is improved when this feature is turned off. Additionally, with the feature on, if you leave a page open for too long and then click a link on it, the request is rejected with a Page is Forbidden error; turning the feature off avoids that.

When should I turn this feature on?

Consider turning this feature on if your company policy requires it, if you are required by law to address this class of attack, or if the address and port of your Xeams web interface are reachable from the Internet, since that removes one of the conditions listed above that otherwise make the attack impractical.

Turning this feature on/off

  • Log in as admin
  • Click Home
  • Click Change admin password under Server Options on the upper right hand side.
  • Toggle the switch for CSRF



