oss-sec mailing list archives
CSRF vulnerability in ikiwiki
From: Florian Weimer <fw () deneb enyo de>
Date: Fri, 18 Apr 2008 19:51:27 +0200
This is: <http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=475445>

Steven, could we get a CVE, please? Full description follows (version 1.33.5 has not yet been released, but will follow once I've got a CVE 8-).

## Cross Site Request Forging

Cross Site Request Forging could be used to construct a link that would change a logged-in user's password or other preferences if they clicked on the link. It could also be used to construct a link that would cause a wiki page to be modified by a logged-in user.

These holes were discovered on 10 April 2008 and fixed the same day with the release of ikiwiki 2.42. A fix was also backported to Debian etch, as version 1.33.5. I recommend upgrading to one of these versions.