Mojolicious::Plugin::CSRF Weak Random Number Source for CSRF Token Generation Vulnerability
Vulnerability
A vulnerability exists in Mojolicious::Plugin::CSRF version 1.03 for Perl, where the plugin uses a weak random number source to create Cross-Site Request Forgery (CSRF) tokens. The vulnerable version generates a token by applying the MD5 hash to the process ID, the current time, and a single invocation of Perl's built-in rand() function. The process ID and the time carry little entropy and may be observable, and rand() is not a cryptographically secure generator, so the resulting tokens can be predictable and easily guessable, undermining the effectiveness of the CSRF protection.
Impact
Exploitation of this vulnerability allows CSRF tokens to be predicted, potentially leading to successful CSRF attacks in which unauthorized actions are performed on behalf of an authenticated user.
Remediation
Users can upgrade to Mojolicious::Plugin::CSRF version 1.04, which addresses this vulnerability by using Crypt::URandom to obtain cryptographically secure random bytes for token generation.
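The following is an added illustration, not code from Mojolicious::Plugin::CSRF itself: it reconstructs the weak construction the advisory describes next to a generator built on Crypt::URandom, as the fixed release uses, and goes one step beyond the advisory by adding a constant-time comparison for checking a submitted token. It assumes Digest::MD5 and Crypt::URandom are installed; the function names are hypothetical.

```perl
#!/usr/bin/env perl
# Added example (not the plugin's own code): weak CSRF token construction
# as described in the advisory, beside a hardened generator and checker.
use strict;
use warnings;
use Digest::MD5 qw(md5_hex);
use Crypt::URandom qw(urandom);

# Weak pattern from the vulnerable release: pid and time are low-entropy
# and often observable, and one rand() call from Perl's built-in PRNG is
# not cryptographically strong, so the MD5 output inherits little
# unpredictability. Kept here only for comparison; do not use.
sub weak_csrf_token {
    return md5_hex($$ . time . rand);
}

# Hardened: 32 bytes from the operating system's CSPRNG via Crypt::URandom,
# hex-encoded to a 64-character token.
sub strong_csrf_token {
    return unpack 'H*', urandom(32);
}

# Compare the submitted token with the session token byte by byte without
# short-circuiting, so the response time does not reveal how many leading
# characters matched.
sub tokens_match {
    my ($expected, $submitted) = @_;
    return 0 unless defined $submitted
        && length($submitted) == length($expected);
    my $diff = 0;
    $diff |= ord(substr $expected, $_, 1) ^ ord(substr $submitted, $_, 1)
        for 0 .. length($expected) - 1;
    return $diff == 0;
}

my $session_token = strong_csrf_token();
print "weak (for comparison only): ", weak_csrf_token(), "\n";
print "strong:                     $session_token\n";
print "valid submission:  ", (tokens_match($session_token, $session_token) ? 'yes' : 'no'), "\n";
print "forged submission: ", (tokens_match($session_token, 'a' x 64)      ? 'yes' : 'no'), "\n";
```

Store the token in the session and compare it against the token submitted with each state-changing request; regenerate it with strong_csrf_token() when the session is created.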
