Date: Mon, 23 Jun 2014 15:39:34 +0300
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Subject: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF

This CSRF vulnerability in Piwigo also does not have a CVE yet. Fixed in version
2.6.2.

Piwigo contains a flaw as HTTP requests to ws.php do not require multiple steps,
explicit confirmation, or a unique token when performing certain sensitive
actions. By tricking a user into following a specially crafted link, a
context-dependent attacker can perform a Cross-Site Request Forgery (CSRF /
XSRF) attack causing the victim to create arbitrary users.

http://osvdb.org/103774
http://piwigo.org/releases/2.6.2
http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html

---
Henri Salo

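The report above describes the classic CSRF failure mode: a web-service endpoint that performs a sensitive action (here, creating a user) for any request that arrives with the victim's session cookie, with no per-session token and no POST requirement. The following is an added illustration, not Piwigo's code and not the fix shipped in 2.6.2. It models a hypothetical "user.add" web-service method in Python rather than PHP, replays a constructed forged request and a constructed legitimate request against a vulnerable dispatcher and a hardened one, and shows why the token plus POST-only requirement stops the forged request while the site's own form still works.

```python
import hmac
import secrets


class Session:
    """Server-side session for one logged-in user (constructed for the example)."""

    def __init__(self):
        # Per-session anti-CSRF token, issued once and embedded in the site's own forms.
        self.csrf_token = secrets.token_hex(32)
        self.users = []


def dispatch_without_token(session, http_method, params):
    """Vulnerable pattern: a state-changing API method reachable by any request
    that carries the victim's session cookie, with no token and no POST check.
    'user.add' is a hypothetical method name, not Piwigo's API."""
    if params.get("method") == "user.add" and "username" in params:
        session.users.append(params["username"])
        return {"stat": "ok"}
    return {"stat": "fail", "err": "unknown method"}


def dispatch_with_token(session, http_method, params):
    """Hardened pattern: state-changing methods require POST and a token that
    matches the one stored in the session, compared in constant time."""
    if params.get("method") != "user.add" or "username" not in params:
        return {"stat": "fail", "err": "unknown method"}
    if http_method != "POST":
        # A GET reachable from an <img> or a link must never change state.
        return {"stat": "fail", "err": "method not allowed"}
    supplied = str(params.get("csrf_token", ""))
    # Constant-time comparison so the token cannot be recovered byte by byte.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return {"stat": "fail", "err": "invalid csrf token"}
    session.users.append(params["username"])
    return {"stat": "ok"}


def simulate():
    """Replay the same forged and legitimate requests against both dispatchers."""
    victim = Session()
    # Constructed forged request: what a third-party page can make the victim's
    # browser send (cookies attached) without knowing the session token.
    forged = {"method": "user.add", "username": "attacker_account"}
    # Constructed legitimate request from the site's own form, which carries the token.
    legit = {"method": "user.add", "username": "alice", "csrf_token": victim.csrf_token}

    results = {}
    results["forged_get_vulnerable"] = dispatch_without_token(victim, "GET", forged)["stat"]
    results["forged_post_hardened"] = dispatch_with_token(victim, "POST", forged)["stat"]
    results["forged_get_hardened"] = dispatch_with_token(victim, "GET", forged)["stat"]
    results["legit_post_hardened"] = dispatch_with_token(victim, "POST", legit)["stat"]
    results["users"] = list(victim.users)
    return results


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

The forged request succeeds only against the dispatcher that trusts the session cookie alone; against the hardened dispatcher it fails whether sent as GET or POST, because the cross-site page cannot read the victim's token, while the legitimate form submission still goes through. The same check belongs on every state-changing method, not only the one in the report.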
