
[Savannah-help-public] [sr #107055] XSRF


From: Jann Horn
Subject: [Savannah-help-public] [sr #107055] XSRF
Date: Fri, 09 Oct 2009 08:12:05 +0000
User-agent: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.0.14) Gecko/2009091010 Iceweasel/3.0.6 (Debian-3.0.6-3)

URL:
  <http://savannah.gnu.org/support/?107055>

                 Summary: XSRF
                 Project: Savannah Administration
            Submitted by: tajh
            Submitted on: Fr 09 Okt 2009 08:12:04 GMT
                Category: Trackers (bugs, support, tasks...)
                Priority: 5 - Normal
                Severity: 6 - Security
                  Status: None
             Assigned to: None
        Originator Email: 
        Operating System: None
             Open/Closed: Open
         Discussion Lock: Any

    _______________________________________________________

Details:

There seems to be an XSRF bug in the software, which allows attackers to
inject spam flaggings into savannah when savannah users visit the attacker's
webpage, for example with the following code:
<img src="https://savannah.gnu.org/support/index.php?func=flagspam&item_id=107054&comment_internal_id=0">

Could someone please verify this and place a token into the URL, like it's
done on Wikipedia?
    _______________________________________________________

Reply to this item at:

  <http://savannah.gnu.org/support/?107055>

_______________________________________________
  Message sent by/via Savannah
  http://savannah.gnu.org/
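The fix the report asks for (a session-bound token in the state-changing URL, verified server-side before anything is flagged) looks like the following. This is an added illustration in Python, not Savane's own PHP code: the `token` query parameter, the HMAC-based token derivation, the `SERVER_SECRET` value and the session ids are all assumptions made for the example; the `func`, `item_id` and `comment_internal_id` parameters are the ones from the URL in the report.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed example secret. A real deployment loads a random key from
# configuration; it is never hard-coded like this.
SERVER_SECRET = b"example-secret-replace-me"

BASE = "https://savannah.gnu.org/support/index.php"


def csrf_token(session_id: str) -> str:
    """Derive an anti-CSRF token bound to the logged-in session.

    HMAC(secret, session_id) can only be produced by the server, so a
    third-party page, which merely gets the victim's browser to send its
    cookies along, cannot put a valid token into a forged URL.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def flagspam_link(item_id: int, comment_internal_id: int, session_id: str) -> str:
    """Link the tracker page itself would emit for a logged-in user.

    Same parameters as the URL in the report, plus the assumed `token`.
    """
    params = {
        "func": "flagspam",
        "item_id": item_id,
        "comment_internal_id": comment_internal_id,
        "token": csrf_token(session_id),
    }
    return f"{BASE}?{urlencode(params)}"


def handle_flagspam(url: str, session_id: str) -> tuple[int, str]:
    """Server-side handler: refuse to change state unless the token matches.

    `session_id` is whatever session the request's cookie resolved to; for a
    request triggered by an <img> on another site that is the victim's session.
    """
    query = parse_qs(urlparse(url).query)
    if query.get("func", [""])[0] != "flagspam":
        return 404, "unknown function"
    presented = query.get("token", [""])[0]
    expected = csrf_token(session_id)
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(presented.encode(), expected.encode()):
        return 403, "missing or invalid anti-CSRF token"
    item_id = query.get("item_id", [""])[0]
    comment = query.get("comment_internal_id", [""])[0]
    # A real handler would record the spam flag here.
    return 200, f"flagged item {item_id} comment {comment}"


if __name__ == "__main__":
    victim = "sess-victim-0001"        # constructed session id
    attacker = "sess-attacker-0002"    # constructed session id

    # The URL from the report, as an <img src=...> on a third-party page would send it.
    forged = f"{BASE}?func=flagspam&item_id=107054&comment_internal_id=0"
    print(handle_flagspam(forged, victim))                      # 403: no token

    # A token taken from the attacker's own session does not fit the victim's.
    print(handle_flagspam(flagspam_link(107054, 0, attacker), victim))  # 403

    # The link Savannah renders for the victim carries the right token.
    print(handle_flagspam(flagspam_link(107054, 0, victim), victim))    # 200
```

The token is bound to the session rather than being a single site-wide value, so an attacker who is also a Savannah user cannot take the token from their own pages and embed it in a link for someone else. Binding it to the session is what makes the fix hold up; a static per-site token would not.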