I have reported the following vulnerabilities.
Vulnerability in CSRF-Magic
CSRF-Magic is a PHP library that provides Cross-Site Request Forgery protection. During a configuration inspection of the pfSense firewall, it was identified that when $GLOBALS['csrf']['secret'] was left uninitialized, the CSRF token was predictable.
While reviewing the source code for CSRF-Magic, there was a comment that specifically called out using csrf_get_secret() instead of directly accessing the global value. The reason for this was that the accessor function would generate a random secret for the server instance when the global configuration did not provide one; reading the global directly skipped that fallback.
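The difference between the two access paths, as an added simplified model (not csrf-magic's or pfSense's code): reading the configuration directly falls back to an empty secret, so two unrelated server instances emit identical tokens for the same public inputs, while the accessor pattern falls back to a random per-instance secret. The token construction, the session value and the timestamp are constructed for illustration.

```python
import hashlib
import secrets

# Simplified model, not csrf-magic's implementation. It reproduces only the
# failure mode in the report: a direct read of the global config yields an
# empty secret, whereas the accessor generates a random one when none is set.

def secret_direct(config: dict) -> str:
    """Vulnerable path: read the secret straight from the global config.
    A missing or empty value silently becomes ''."""
    return config.get("secret") or ""

def secret_via_accessor(config: dict) -> str:
    """Accessor path: return the configured secret, otherwise generate a
    random one once and cache it on this server instance."""
    if config.get("secret"):
        return config["secret"]
    if "_generated_secret" not in config:
        config["_generated_secret"] = secrets.token_hex(32)
    return config["_generated_secret"]

def make_token(secret: str, value: str, timestamp: int) -> str:
    """Hypothetical token: SHA-1 over secret, a per-user value and a timestamp,
    with the timestamp appended so the validator can recompute it."""
    digest = hashlib.sha1(f"{secret}{value}{timestamp}".encode()).hexdigest()
    return f"{digest},{timestamp}"

def tokens_predictable(get_secret, value="sess-abc", timestamp=1369310400) -> bool:
    """Two independent server instances with the same empty config: if they
    emit identical tokens for the same public inputs, the token depends on
    nothing that an outsider lacks. (value/timestamp are constructed inputs.)"""
    server_a, server_b = {}, {}
    token_a = make_token(get_secret(server_a), value, timestamp)
    token_b = make_token(get_secret(server_b), value, timestamp)
    return token_a == token_b

def secret_is_configured(config: dict) -> bool:
    """Deployment check: the CSRF secret must be present and non-empty."""
    return isinstance(config.get("secret"), str) and len(config["secret"]) > 0
```

Running `tokens_predictable(secret_direct)` returns True and `tokens_predictable(secret_via_accessor)` returns False, which is the whole finding in two calls; `secret_is_configured` is the check to add to a configuration audit.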
Assigned CVE: CVE-2013-7464
Date Reported: 23/5/2013
Date Remediated: 17/7/2013