lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <20110407194956.70dc8854@laverne>
Date: Thu, 7 Apr 2011 19:49:56 +0200
From: Hanno Böck <hanno@...eck.de>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: phplist: cross site request forgery (CSRF), CVE-2011-0748

phplist: cross site request forgery (CSRF), CVE-2011-0748

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2748
http://int21.de/cve/CVE-2011-0748-phplist.html

Description

phplist is a mailing list software written in PHP.

Up to version 2.10.12, it provided no protection against cross site
request forgery (CSRF) at all, allowing a malicious attacker
controlling a webpage an admin visits at the time being logged into
phplist to gain full control over the phplist installation.

The vendor has released version 2.10.13, which fixes the vulnerability,
but somehow forgot to give any credit to the person reporting the
vulnerability to them.

Disclosure Timeline

2011-02-03: Vendor contacted
2011-02-10: Vendor releases 2.10.13 with fix
2011-04-07: Published advisory

This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de,
of schokokeks.org webhosting.

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ