Network Security: Detailed info on Re: Security Advisory for ALL forum services with client-set images

Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.

Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.

Network Security Vuln-Dev

[Top] [All Lists]

Re: Security Advisory for ALL forum services with client-set images

from [Tim Jackson] Network Security

[Permanent Link]

Subject:	Re: Security Advisory for ALL forum services with client-set images
Date:	Thu, 23 Dec 2004 00:52:08 +0000

On 22 Dec 2004, James Bandara wrote:

[rediscovering CSRF]

A user could copy one of these links to delete his own thread, edit it
so the querystring is for another users post, and post it up as a link
or avatar.
In effect if an admin sees the image or the original user sees it, it
will instantly delete the post as its on the same site no extra login is
needed.


What you've identified is part of a general class of similar problems and
was discussed quite extensively on this list back in summer 2001. Read the
thread starting here:

http://www.securityfocus.com/archive/1/191114

culminating in a comprehensive analysis by "Peter W" in which he names the
general problem "CSRF" (Cross-Site Request Forgeries):

http://www.securityfocus.com/archive/1/191390


Tim

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Security Advisory for ALL forum services with client-set images, James Bandara Re: Security Advisory for ALL forum services with client-set images, Stefan Paletta Re: Security Advisory for ALL forum services with client-set images, Tim Jackson <=

Previous by Date:	Linux 2.6 Kernel Capability LSM Module Local Privilege Elevation, flashsky fangxing
Next by Date:	[Security Bulletin] SSRT4883 rev.3 HP-UX ftp and ftpd remote unauthorized access, Boren, Rich (SSRT)
Previous by Thread:	Re: Security Advisory for ALL forum services with client-set images, Stefan Paletta
Next by Thread:	2Bgal : 2.4 & 2.5.1 SQL injection Vulnerability, zib zib
Indexes:	[Date] [Thread] [Top] [All Lists]