oss-sec mailing list archives

CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF


From: Henri Salo <henri () nerv fi>
Date: Mon, 23 Jun 2014 15:39:34 +0300

This CSRF vulnerability in Piwigo also does not have a CVE yet. Fixed in version
2.6.2.

Piwigo contains a flaw as HTTP requests to ws.php do not require multiple steps,
explicit confirmation, or a unique token when performing certain sensitive
actions. By tricking a user into following a specially crafted link, a
context-dependent attacker can perform a Cross-Site Request Forgery (CSRF /
XSRF) attack causing the victim to create arbitrary users.

http://osvdb.org/103774
http://piwigo.org/releases/2.6.2
http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html

---
Henri Salo
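The flaw described above is the absence of a per-session secret on a state-changing request: the browser attaches the session cookie on its own, so a form auto-submitted from a third-party page looks exactly like one the user sent. The following is an added illustration, not Piwigo's own code and not the 2.6.2 fix; it shows a minimal handler in the vulnerable shape beside a hardened one that requires POST and a session-bound anti-CSRF token. All function and field names (`handle_add_user_vulnerable`, `issue_csrf_token`, `verify_csrf_token`, the `csrf_token` form field) are assumptions for the example, and the inputs are constructed arrays rather than a live request.

```php
<?php
// Added example (not Piwigo code): anti-CSRF token check for a
// state-changing web service action, vulnerable shape beside hardened shape.
// All names and inputs below are constructed for illustration.
declare(strict_types=1);

// --- Vulnerable shape: the action runs for any request that carries a
// valid session cookie, regardless of which site produced the request. ---
function handle_add_user_vulnerable(array $session, array $post): string
{
    if (empty($session['user_id'])) {
        return 'error: not logged in';
    }
    return 'created user ' . ($post['username'] ?? '');
}

// --- Hardened shape: a per-session random token, required on every write. ---

// Issue (once per session) a 256-bit random token and keep it server-side.
// The page that renders the form embeds it in a hidden field.
function issue_csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

// Compare the submitted token with the session copy in constant time,
// so a wrong token cannot be refined byte by byte via timing.
function verify_csrf_token(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

function handle_add_user_hardened(array $session, array $post, string $method): string
{
    if (empty($session['user_id'])) {
        return 'error: not logged in';
    }
    // A plain link (GET) must never change state; require POST.
    if ($method !== 'POST') {
        return 'error: method not allowed';
    }
    if (!verify_csrf_token($session, $post['csrf_token'] ?? null)) {
        return 'error: invalid CSRF token';
    }
    return 'created user ' . ($post['username'] ?? '');
}

// --- Self-check on constructed inputs (no real HTTP involved). ---
function check(bool $ok, string $what): void
{
    if (!$ok) {
        fwrite(STDERR, "FAILED: $what\n");
        exit(1);
    }
}

$session = ['user_id' => 42];          // constructed: a logged-in session
$token   = issue_csrf_token($session); // token the legitimate page would embed

// Cross-site auto-submitted form: session cookie present, token absent.
$forged = ['username' => 'new_account'];
check(handle_add_user_vulnerable($session, $forged) === 'created user new_account',
      'vulnerable handler accepts the forged request');
check(handle_add_user_hardened($session, $forged, 'POST') === 'error: invalid CSRF token',
      'hardened handler rejects a request without a token');

// Same request arriving as a link click (GET) is refused before the token check.
check(handle_add_user_hardened($session, $forged, 'GET') === 'error: method not allowed',
      'hardened handler refuses GET');

// Legitimate same-origin form: the embedded token is echoed back.
$legit = ['username' => 'alice', 'csrf_token' => $token];
check(handle_add_user_hardened($session, $legit, 'POST') === 'created user alice',
      'hardened handler accepts the genuine request');

// A token from some other session (or a guess) does not match this session.
$stale = ['username' => 'bob', 'csrf_token' => bin2hex(random_bytes(32))];
check(handle_add_user_hardened($session, $stale, 'POST') === 'error: invalid CSRF token',
      'hardened handler rejects a token bound to another session');

echo "all checks passed\n";
```

Run with `php example.php`. The token must be unpredictable (`random_bytes`, never a hash of the user id or timestamp), bound to the session, and compared with `hash_equals`. Restricting the action to POST is not a substitute for the token, since a cross-site form can still POST, but it removes the simplest "follow this link" variant. Setting the session cookie with the `SameSite` attribute adds a second, browser-enforced layer; it is defence in depth rather than a replacement for the server-side check.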


