Hi,
My name is Mohamed Abdelbaset Elnoby, a Senior Information Security Analyst and Web Application Penetration Tester at Seekurity Inc.
I would like to report a Security Vulnerability in the Apache Allura Wiki Script, detailed as follows:
Vulnerability:
Cross Site Request Forgery - (CSRF)
Info:
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Affected URL(s)/Forms Code:
/wiki/subscribe?subscribe=True
/wiki/subscribe?unsubscribe=True
More Details/Impact:
Force users to subscribe/unsubscribe to any other user's wiki; the vulnerable links show PoC links to do so to my wiki account.
Waiting for your reply
Best Regards,
Mohamed Abdelbaset Elnoby
Guru Programmer, Senior Information Security Consultant & Web Application Penetration Tester at Seekurity Inc.
This was ticketed at [#7685] and fixed recently. Thanks.
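The pattern in the report (a subscription change driven by a GET query string and authorized by the session cookie alone) next to a handler that requires POST plus a session-bound token. This is an added example, not Allura's code and not the fix made in #7685; the handler names, the `csrf_token` form field and the sample session are assumptions made for the illustration.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # per-process secret (constructed for the demo)

def csrf_token(session_id):
    """Token bound to one session; a third-party page cannot read or derive it."""
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def apply_change(params, user, subscribers):
    if params.get("subscribe") == "True":
        subscribers.add(user)
    elif params.get("unsubscribe") == "True":
        subscribers.discard(user)

def subscribe_vulnerable(method, params, session, subscribers):
    """Reported pattern: the session cookie alone authorizes a GET state change."""
    apply_change(params, session["user"], subscribers)
    return 200

def subscribe_hardened(method, params, session, subscribers):
    """State change only via POST carrying the session-bound token."""
    if method != "POST":
        return 405
    supplied = params.get("csrf_token", "")  # hypothetical form field name
    expected = csrf_token(session["id"])
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    apply_change(params, session["user"], subscribers)
    return 200

def demo():
    session = {"id": "sess-constructed-1", "user": "victim"}  # constructed sample
    cross_site = {"subscribe": "True"}  # browser attaches the cookie, no token
    results, subs = {}, set()
    results["vulnerable_get"] = (subscribe_vulnerable("GET", cross_site, session, subs), sorted(subs))
    subs = set()
    results["hardened_get"] = (subscribe_hardened("GET", cross_site, session, subs), sorted(subs))
    results["hardened_post_no_token"] = (subscribe_hardened("POST", cross_site, session, subs), sorted(subs))
    own_form = dict(cross_site, csrf_token=csrf_token(session["id"]))
    results["hardened_post_with_token"] = (subscribe_hardened("POST", own_form, session, subs), sorted(subs))
    return results

if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```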