Date: Mon, 23 Jun 2014 15:39:34 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF

This CSRF vulnerability in Piwigo also does not have a CVE yet. Fixed in version 2.6.2.

Piwigo contains a flaw as HTTP requests to ws.php do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to create arbitrary users.

http://osvdb.org/103774
http://piwigo.org/releases/2.6.2
http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html

---
Henri Salo
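As an added illustration of the control the advisory says ws.php lacked (this is not Piwigo's code nor its actual 2.6.2 fix; the dispatcher shape, the `pwg.users.*` method names and the sensitive-method list are assumptions), a web-service entry point that requires a session-bound anti-CSRF token on state-changing methods such as user creation while leaving read-only calls untouched:

```php
<?php
// Illustrative ws.php-style dispatcher with a per-session CSRF token.
// Not Piwigo's code; method names and the sensitive list are assumed.
session_start();

// Issue (or reuse) a random token bound to this session. The admin UI
// embeds it in its forms/JS; a cross-site page cannot read it.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Constant-time comparison so the check does not leak timing information.
function csrf_valid(?string $supplied): bool {
    return is_string($supplied)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $supplied);
}

// Methods that change state must carry the token and arrive via POST;
// a forged GET link or cross-origin form post is rejected before dispatch.
const SENSITIVE_METHODS = ['pwg.users.add', 'pwg.users.delete', 'pwg.users.setInfo'];

function dispatch(array $request): array {
    $method = $request['method'] ?? '';
    if (in_array($method, SENSITIVE_METHODS, true)) {
        $ok = ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST'
            && csrf_valid($request['csrf_token'] ?? null);
        if (!$ok) {
            http_response_code(403);
            return ['stat' => 'fail', 'err' => 403,
                    'message' => 'missing or invalid CSRF token'];
        }
    }
    // Hand off to the real method handler here (omitted in this illustration).
    return ['stat' => 'ok', 'result' => "handled $method"];
}

// Entry point: constructed request from query/body parameters.
header('Content-Type: application/json');
echo json_encode(dispatch($_REQUEST));
```

The token must also be required for any other request path that reaches the same handlers, otherwise the check is bypassed by calling the unguarded path.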