Date: Mon, 23 Jun 2014 15:39:34 +0300
From: Henri Salo <>
Subject: CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF

This CSRF vulnerability in Piwigo also does not have a CVE yet. Fixed in 2.6.2.

Piwigo contains a flaw as HTTP requests to ws.php do not require multiple steps,
explicit confirmation, or a unique token when performing certain sensitive
actions. By tricking a user into following a specially crafted link, a
context-dependent attacker can perform a Cross-Site Request Forgery (CSRF /
XSRF) attack causing the victim to create arbitrary users.

Henri Salo
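An added illustration (not Piwigo's own code, and not part of the original post) of the missing control the report describes: a hypothetical web-service handler that creates a user, first in the unprotected shape where any cross-site form or link can drive it, then with a per-session anti-CSRF token and a POST-only check. The function names and the `create_user` stand-in are assumptions.

```php
<?php
// Hypothetical endpoint in the spirit of a ws.php-style web service.
// Added example, not the project's code.

session_start();

// Issue a per-session anti-CSRF token; embed it in the admin form that
// submits sensitive actions.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Reject any sensitive request whose token does not match the session's.
// hash_equals() keeps the comparison constant-time.
function require_csrf_token(array $request): void {
    $expected = $_SESSION['csrf_token'] ?? '';
    $supplied = (string)($request['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $supplied)) {
        http_response_code(403);
        exit('CSRF token missing or invalid');
    }
}

// VULNERABLE shape: authentication comes from the browser's session cookie,
// so a page on another origin can submit this request on the victim's behalf.
function add_user_unprotected(array $request): void {
    create_user($request['username'], $request['password']);
}

// HARDENED shape: require POST (no plain link can trigger it) and a valid token.
function add_user_protected(array $request): void {
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        exit('POST required');
    }
    require_csrf_token($request);
    create_user($request['username'], $request['password']);
}

// Hypothetical stand-in for the application's real user-creation routine.
function create_user(string $username, string $password): void {
    // ... persist the account ...
}
```

Marking the session cookie `SameSite=Lax` or `Strict` adds a second, browser-enforced layer, but the server-side token check is what closes the gap the report describes.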

