
 Security Issue: Cross Site Request Forgery (CSRF) Vulnerability (3 Replies, Read 5678 times)
yehgdotnet
Group: Member
Post Group: Newbie
Posts: 1
VULNERABILITY DESCRIPTION

Advanced Electron Forums (AEF) 1.0.x versions contain a flaw that allows a remote Cross-Site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions for the majority of administrator functions, such as adding a new user or assigning a user administrative privileges. By using a crafted URL, an attacker may trick the victim into visiting his web page to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into executing arbitrary commands in the context of their session with the application, without further prompting or verification.


VERSIONS AFFECTED

Tested on 1.0.8, 1.0.9 (current as of 2011-07-01)



For the details, write to advisory at yehg.net


Provided by
YGN Ethical Hacker Group
http://yehg.net/

Security Issue: Cross Site Request Forgery (CSRF) Vulnerability
SAFAD
Group: Administrator
Post Group: Elite Member
Posts: 279
Interesting, I knew that the bug isn't fully fixed since the CSRF check needs to be added to all the forms, not only profile edit.
I'll add the check to all forms; 1.0.10 should be released sooner now. Thank you.
I'll try to get the advisory from your group soon if possible.


-----------------------
Best Regards
Sadaoui "SAFAD" Abderrahim - Lead Developer
My Blog
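The remedy the advisory implies and the developer describes above, a CSRF check enforced on every state-changing form rather than on profile edit alone, as an added example that is not AEF's own code: a random token is issued per session, embedded in each form, and verified on submission. The session dictionary, the `csrf_protected` decorator and the `add_user` handler are illustrative assumptions written in Python; a forum would apply the same pattern in its own request handlers.

```python
import hmac
import secrets


def issue_token(session: dict) -> str:
    """Return the session's CSRF token, creating a random one on first use.
    The application embeds this as a hidden field in every form that changes
    state (profile edit, add user, grant admin ...), not just one of them."""
    token = session.get("csrf_token")
    if token is None:
        token = secrets.token_hex(32)
        session["csrf_token"] = token
    return token


def verify_token(session: dict, submitted) -> bool:
    """A request launched from a third-party page carries the victim's session
    cookie but cannot read the token, so a missing or wrong token rejects it."""
    expected = session.get("csrf_token")
    if expected is None or not isinstance(submitted, str):
        return False
    # constant-time comparison so the check does not leak the token byte by byte
    return hmac.compare_digest(expected, submitted)


def csrf_protected(handler):
    """Decorator applied to every state-changing handler, so the check is
    enforced centrally instead of being remembered per form (the gap the
    thread describes: the check existed only on profile edit)."""
    def wrapper(session: dict, form: dict) -> dict:
        if not verify_token(session, form.get("csrf_token")):
            return {"status": 403, "body": "CSRF token missing or invalid"}
        return handler(session, form)
    return wrapper


@csrf_protected
def add_user(session: dict, form: dict) -> dict:
    # hypothetical admin action standing in for the forum's real handler
    return {"status": 200, "body": "created user %s" % form["username"]}


if __name__ == "__main__":
    admin_session = {"user": "admin"}  # constructed: an authenticated admin session
    legit = {"username": "alice", "csrf_token": issue_token(admin_session)}
    no_token = {"username": "bob"}  # constructed: a submission lacking the token
    print(add_user(admin_session, legit)["status"])     # 200
    print(add_user(admin_session, no_token)["status"])  # 403
```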

Security Issue: Cross Site Request Forgery (CSRF) Vulnerability
SAFAD
Group: Administrator
Post Group: Elite Member
Posts: 279
This bug is fixed, and it will not appear in the next versions.
Thank you for taking the time to report the exploit.


-----------------------
Best Regards
Sadaoui "SAFAD" Abderrahim - Lead Developer
My Blog

Powered By AEF 1.1.0 Preview © 2007-2011 AEF Group. All rights reserved.