Date: Fri, 18 Apr 2008 19:51:27 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: coley@...us.mitre.org, oss-security@...ts.openwall.com
Subject: CSRF vulnerability in ikiwiki
This is:

<http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475445>

Steven, could we get a CVE, please? Full description follows (version
1.33.5 has not yet been released, but will follow once I've got a CVE 8-).

## Cross Site Request Forging

Cross Site Request Forging could be used to construct a link that would
change a logged-in user's password or other preferences if they clicked on
the link. It could also be used to construct a link that would cause a wiki
page to be modified by a logged-in user.

These holes were discovered on 10 April 2008 and fixed the same day with
the release of ikiwiki 2.42. A fix was also backported to Debian etch, as
version 1.33.5. I recommend upgrading to one of these versions.