Bugtraq mailing list archives
Re: Security Advisory for ALL forum services with client-set images
From: Tim Jackson <lists () timj co uk>
Date: Thu, 23 Dec 2004 00:52:08 +0000
On 22 Dec 2004, James Bandara wrote: [rediscovering CSRF]
A user could copy one of these links to delete his own thread, edit it so the querystring is for another users post, and post it up as a link or avatar. In effect if an admin sees the image or the original user sees it, it will instantly delete the post as its on the same site no extra login is needed.
What you've identified is part of a general class of similar problems and was discussed quite extensively on this list back in summer 2001. Read the thread starting here: http://www.securityfocus.com/archive/1/191114 culminating in a comprehensive analysis by "Peter W" in which he names the general problem "CSRF" (Cross-Site Request Forgeries): http://www.securityfocus.com/archive/1/191390 Tim
Current thread:
- Security Advisory for ALL forum services with client-set images James Bandara (Dec 22)
- Re: Security Advisory for ALL forum services with client-set images Stefan Paletta (Dec 23)
- Re: Security Advisory for ALL forum services with client-set images Tim Jackson (Dec 23)