phplist: cross site request forgery (CSRF), CVE-2011-0748

References
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2748
http://int21.de/cve/CVE-2011-0748-phplist.html

Description
phplist is mailing list software written in PHP. Up to version 2.10.12 it provided no protection against cross site request forgery (CSRF) at all, allowing an attacker who controls a web page that an administrator visits while logged into phplist to gain full control over the phplist installation.

The vendor has released version 2.10.13, which fixes the vulnerability, but somehow forgot to give any credit to the person who reported the vulnerability to them.

Disclosure Timeline
2011-02-03: Vendor contacted
2011-02-10: Vendor releases 2.10.13 with fix
2011-04-07: Published advisory

This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting.
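The following is an added illustration of the class of flaw described above and its standard mitigation; it is not phplist's own code and does not reflect the 2.10.13 fix. The function and field names (csrf_token, csrf_check, admin_action_*) are assumptions for this example.

```php
<?php
// Added illustration, not phplist code: a minimal synchronizer-token
// defence for a state-changing admin action. Function and field names
// (csrf_token, admin_action_*) are assumptions for this example.
session_start();

// Issue one random token per session; render it as a hidden form field.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Compare the submitted token with the session copy in constant time.
function csrf_check(array $post): bool {
    return isset($post['csrf_token'], $_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

// Vulnerable pattern (what "no protection at all" means): any request that
// carries the admin's session cookie performs the action, so a third-party
// page the admin visits can submit this request on the admin's behalf.
function admin_action_unprotected(array $post): string {
    return 'performed: ' . $post['action'];
}

// Hardened pattern: require POST and a valid per-session token before acting.
// A page on another origin cannot read the token, so its forged request fails.
function admin_action_protected(string $method, array $post): string {
    if ($method !== 'POST' || !csrf_check($post)) {
        http_response_code(403);
        return 'rejected: missing or invalid CSRF token';
    }
    return 'performed: ' . $post['action'];
}

// Form rendering: embed the token so only pages served by this app carry it.
function render_form(): string {
    return '<form method="post" action="admin.php">'
         . '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">'
         . '<input type="hidden" name="action" value="delete_list">'
         . '<button>Delete list</button></form>';
}
```

Every state-changing admin endpoint must call the check; a single unprotected handler is enough to reintroduce the problem.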