oss-sec mailing list archives
CVE request: Piwigo before 2.6.2 ws.php Arbitrary User Creation CSRF
From: Henri Salo <henri () nerv fi>
Date: Mon, 23 Jun 2014 15:39:34 +0300
This CSRF vulnerability in Piwigo also does not have a CVE yet. Fixed in version 2.6.2.

Piwigo contains a flaw as HTTP requests to ws.php do not require multiple steps, explicit confirmation, or a unique token when performing certain sensitive actions. By tricking a user into following a specially crafted link, a context-dependent attacker can perform a Cross-Site Request Forgery (CSRF / XSRF) attack causing the victim to create arbitrary users.

http://osvdb.org/103774
http://piwigo.org/releases/2.6.2
http://packetstormsecurity.com/files/125438/Piwigo-2.6.1-Cross-Site-Request-Forgery.html

---
Henri Salo
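The flaw described above is the classic missing synchronizer token: the endpoint trusts the session cookie alone, and a browser attaches that cookie to any request an attacker's page triggers. The following is an added illustration, not Piwigo's code; it models a constructed web-service handler for a "create user" action in both the unprotected form and the token-checked form, and simulates a forged cross-site request against each. The session store, parameter names and user store are all constructed for the example.

```python
import hmac
import secrets

# Constructed example, not Piwigo's code. It models an endpoint like ws.php
# that performs a sensitive action (user creation) with and without a
# per-session CSRF token check.

SESSIONS = {}  # constructed: session_id -> {"user": str, "csrf_token": str}
USERS = set()  # constructed user store


def login(session_id, username):
    """Start a session and mint a random per-session CSRF token."""
    SESSIONS[session_id] = {
        "user": username,
        "csrf_token": secrets.token_hex(32),
    }
    return SESSIONS[session_id]["csrf_token"]


def ws_add_user_unprotected(session_id, params):
    """Vulnerable pattern: only the session cookie gates the action.
    The browser sends that cookie automatically, so a request triggered
    from another site is indistinguishable from a legitimate one."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    USERS.add(params["username"])
    return 200, "user created"


def ws_add_user_protected(session_id, params):
    """Hardened pattern: the request must also carry the session's token.
    The token lives in the page or in the session-bound form, which a
    cross-site page cannot read, so a forged request cannot supply it."""
    session = SESSIONS.get(session_id)
    if session is None:
        return 401, "not logged in"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison avoids leaking the token via timing.
    if not hmac.compare_digest(supplied.encode(), session["csrf_token"].encode()):
        return 403, "missing or invalid CSRF token"
    USERS.add(params["username"])
    return 200, "user created"


def simulate_forged_request(handler):
    """Victim is logged in; a request arrives carrying the victim's session
    cookie but no token (the situation a crafted link produces).
    Returns (status code, whether the unwanted account was created)."""
    USERS.clear()
    login("victim-session", "admin")
    forged_params = {"action": "add_user", "username": "unwanted-account"}
    status, _ = handler("victim-session", forged_params)
    return status, "unwanted-account" in USERS


def simulate_legitimate_request():
    """The real UI includes the session's token, so the protected
    handler accepts the request."""
    USERS.clear()
    token = login("victim-session", "admin")
    params = {"action": "add_user", "username": "newuser", "csrf_token": token}
    status, _ = ws_add_user_protected("victim-session", params)
    return status, "newuser" in USERS


if __name__ == "__main__":
    print("unprotected, forged:", simulate_forged_request(ws_add_user_unprotected))
    print("protected, forged:  ", simulate_forged_request(ws_add_user_protected))
    print("protected, genuine: ", simulate_legitimate_request())
```

Running the block shows the unprotected handler creating the account from the forged request (status 200) while the protected handler rejects it (status 403) and still accepts the genuine request that carries the token. The same check should apply to every state-changing method the service exposes, not only user creation.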