Document information

Document ID: 4127
Subject: Cross-site request forgery in Syncrify
Creation date: 2/20/15 3:54 PM
Last modified on: 9/29/15 11:29 AM


Cross-site request forgery (CSRF)

Similar to any web based application, Syncrify is also vulnerable to attacks from the Internet. In many cases, such as an XSS attack, Syncrify automatically handles and prevents such intrusion. In case of CSRF attacks, however, administrators have an option to disable it completely on their Syncrify server.

It is important to understand what CSRF is and how can someone attack before disabling this feature, which is turned on by default. Rather than going into technical details this page talks about how such attacks related to Syncrify. Click here for more technical information about this type of an attack.

Conditions

Several things have to happen simultaneously for cross-site request forgery to succeed in Syncrify:

  • This attack only affects administrators, not regular users.
  • It can only be carried out if an administrator follows a link (usually sent via email) from an untrusted person, AND
  • The administrator must be logged in to Syncrify Server web interface when the untrusted link was clicked, AND
  • The attacker must know the IP address and port where Syncrify Server is running, which could be running on a LAN
In short, you will not become a victim of this attack as long as you do not click on a link sent via email while logged in to Syncrify web interface. Therefore, from a practical perspective it is very unlikely you will become a victim of such an attack.

Users on sites like Facebook.com and Twitter.com are more likely to become victims of such attach because:
  1. The URL (host and port) are publicly known on the Internet
  2. These sites have a longer session timeout
  3. Many users are novice when it comes to computer security and are more likely to click on links sent by unknown users.


Benefits of turning this feature off

Performance in Syncrify is improved when this feature is turned off. Additionally, if you stay on a screen for too long and click a button after your session has expired, you will get an error that will say the page is forbidden. An image of this error is displayed below.



When should I turn this feature on?

Consider turning this feature on if your company policy requires it or you are required by law to handle this problem.




Add a comment to this document

Do you have a helpful tip related to this document that you'd like to share with other users?

Important: This area is reserved for useful tips. Therefore, do not post any questions here. Instead, use our public forums to post questions.

Navigation

Social Media

Powered by 10MinutesWeb.com