Re: CVE request: Simple Machines Forum Cross-Site Request Forgery

[Josh Bressers <bressers () redhat com>]

Hi Steve,

Another 2009 ID needed (lots of these today).

Thanks.

-- 
    JB


----- "Henri Salo" <henri () nerv fi> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Can I get 2009 CVE-identifier for this issue: 
>
> http://secunia.com/advisories/37557
>
> Description: "Some vulnerabilities have been discovered in Simple
> Machines Forum, which can be exploited by malicious users and
> malicious
> people to conduct cross-site request forgery attacks.
>
> The application allows users to perform certain actions via HTTP
> requests without performing any validity checks to verify the
> request.
> This can be exploited to e.g. perform certain administrative actions
> when a logged-in user visits a malicious site.
>
> Successful exploitation allows e.g. to delete package servers,
> conduct
> script insertion attacks via censor lists and package manager, and
> execute arbitrary PHP code by uploading arbitrary modules, but
> requires
> a valid user account."
>
> Versions affected: "The vulnerabilities are confirmed in version
> 1.1.10.
> Other versions may also be affected."
>
> Solution: "Update to version 1.1.11", which is the newest at the
> moment.
>
> References:
> http://code.google.com/p/smf2-review/issues/detail?id=10
> http://code.google.com/p/smf2-review/issues/detail?id=11
> http://code.google.com/p/smf2-review/issues/detail?id=17
> http://code.google.com/p/smf2-review/issues/detail?id=42
>
> http://osvdb.org/show/osvdb/60651
> http://secunia.com/advisories/37557
> http://download.simplemachines.org/
> http://download.simplemachines.org/index.php?thanks;filename=smf_1-1-11_changelog.txt
>
> Best regards,
> Henri Salo
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (GNU/Linux)
>
> iEYEARECAAYFAkyzVXQACgkQXf6hBi6kbk/t5wCgu+5VkF5RTQQGSUTKjWzMNL/w
> 918AoMneBE8hy/KJvGonlFpgUwvQ0K0v
> =ds0s
> -----END PGP SIGNATURE-----