[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20110407194956.70dc8854@laverne>
Date: Thu, 7 Apr 2011 19:49:56 +0200
From: Hanno Böck <hanno@...eck.de>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: phplist: cross site request forgery (CSRF),
CVE-2011-0748
phplist: cross site request forgery (CSRF), CVE-2011-0748
References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2748
http://int21.de/cve/CVE-2011-0748-phplist.html
Description
phplist is a mailing list software written in PHP.
Up to version 2.10.12, it provided no protection against cross site
request forgery (CSRF) at all, allowing a malicious attacker
controlling a webpage an admin visits at the time being logged into
phplist to gain full control over the phplist installation.
The vendor has released version 2.10.13, which fixes the vulnerability,
but somehow forgot to give any credit to the person reporting the
vulnerability to them.
Disclosure Timeline
2011-02-03: Vendor contacted
2011-02-10: Vendor releases 2.10.13 with fix
2011-04-07: Published advisory
This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de,
of schokokeks.org webhosting.
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists