oss-sec mailing list archives

Re: CVE request: roundcube < 0.5.1 CSRF


From: Josh Bressers <bressers () redhat com>
Date: Mon, 4 Apr 2011 15:09:03 -0400 (EDT)

Thanks for sorting this Jan.

http://trac.roundcube.net/wiki/Changelog

Two cross-site request forgery issues and one additional issue fixed in 0.5.1:

"Security: add optional referer check to prevent CSRF in GET requests

Looks like this one is just security hardening, with the patches:
[1] http://trac.roundcube.net/changeset/4503
[2] http://trac.roundcube.net/changeset/4504

For the CSRF flaws:

Security: protect login form submission from CSRF
Patch: [3] http://trac.roundcube.net/changeset/4490

Use CVE-2011-1491 for the above.


Security: prevent from relaying malicious requests through modcss.inc"
Patch: [4] http://trac.roundcube.net/changeset/4488


Use CVE-2011-1492 for the above.

Thanks.

-- 
    JB
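For readers unfamiliar with the two defences named in the changelog above, the following is an added illustration (example code, not Roundcube's own): an optional Referer check for GET requests and a login-form token check. The host name `mail.example.test`, the sample requests and the helper names are all constructed for this example.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import urlsplit

# Added example, not Roundcube code. Models the two fixes from the 0.5.1
# changelog: an optional Referer check for GET requests and a login-form token.


def referer_allowed(headers: dict, own_host: str, require_referer: bool = False) -> bool:
    """Accept the request only if its Referer names our own host.

    A missing Referer is tolerated unless require_referer is set, because
    privacy proxies and browser settings strip it; that is why such a check
    ships as *optional* hardening rather than a hard rule.
    """
    referer = headers.get("Referer")
    if referer is None:
        return not require_referer
    # Compare the parsed host name exactly; a prefix/substring match would let
    # "mail.example.test.evil.example" pass as if it were our own host.
    host = urlsplit(referer).hostname
    return host is not None and host.lower() == own_host.lower()


def issue_login_token() -> str:
    """Random token to embed in the login form and store server-side / in a cookie."""
    return secrets.token_hex(16)


def login_token_valid(stored_token: Optional[str], form_token: Optional[str]) -> bool:
    """Constant-time comparison of the stored copy against the submitted copy."""
    if not stored_token or not form_token:
        return False
    return hmac.compare_digest(stored_token, form_token)


if __name__ == "__main__":
    # Constructed sample requests against a hypothetical host mail.example.test.
    own = "mail.example.test"
    samples = {
        "same-origin link": {"Referer": "http://mail.example.test/?_task=mail&_action=delete"},
        "cross-site page":  {"Referer": "http://evil.example/lure.html"},
        "lookalike host":   {"Referer": "http://mail.example.test.evil.example/"},
        "no referer":       {},
    }
    for label, hdrs in samples.items():
        print(f"{label:16s} lenient={referer_allowed(hdrs, own)} strict={referer_allowed(hdrs, own, True)}")
```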