oss-sec mailing list archives

Re: CVE request: roundcube < 0.5.1 CSRF


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Thu, 24 Mar 2011 13:09:54 +0100


Thanks, Hanno.

Hanno Böck wrote:
> http://trac.roundcube.net/wiki/Changelog
>
> two cross-site request forgery issues, one additional issue fixed in 0.5.1:
>
> "Security: add optional referer check to prevent CSRF in GET requests

Looks like this one is just security hardening, with the patches:
[1] http://trac.roundcube.net/changeset/4503
[2] http://trac.roundcube.net/changeset/4504

For the CSRF flaws:

> Security: protect login form submission from CSRF
Patch: [3] http://trac.roundcube.net/changeset/4490

> Security: prevent from relaying malicious requests through modcss.inc"
Patch: [4] http://trac.roundcube.net/changeset/4488

Thanks && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team


