lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <5720D6DE.5040101@securify.nl>
Date: Wed, 27 Apr 2016 17:12:30 +0200
From: "Securify B.V." <lists@...urify.nl>
To: fulldisclosure@...lists.org
Subject: [FD] EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection

------------------------------------------------------------------------
EMC M&R (Watch4net) lacks Cross-Site Request Forgery protection
------------------------------------------------------------------------
Han Sahin, November 2014

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
It was discovered that EMC M&R (Watch4net) does not protect against
Cross-Site Request Forgery (CSRF) attacks. A successful CSRF attack can
compromise end user data and may allow an attacker to perform an account
hijack. If the targeted end user is the administrator account, this
results in a full compromise of Watch4net.

------------------------------------------------------------------------
Affected versions
------------------------------------------------------------------------
Versions of EMC ViPR SRM prior to version 3.7 are affected by these
vulnerabilities.

------------------------------------------------------------------------
See also
------------------------------------------------------------------------
- http://seclists.org/bugtraq/2016/Apr/att-106/ESA-2016-039.txt
- CVE-2016-0891

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
EMC released 34247_ViPR-SRM to fix these vulnerabilities. Please
note that this fix is only available for registered EMC Online Support
customers.

------------------------------------------------------------------------
Details
------------------------------------------------------------------------
https://www.securify.nl/advisory/SFY20141109/emc_m_r__watch4net__lacks_cross_site_request_forgery_protection.html

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists