Bugtraq mailing list archives

Re: Security Advisory for ALL forum services with client-set images

From: Tim Jackson <lists () timj co uk>
Date: Thu, 23 Dec 2004 00:52:08 +0000

On 22 Dec 2004, James Bandara wrote:

[rediscovering CSRF]

A user could copy one of these links to delete his own thread, edit it
so the querystring is for another users post, and post it up as a link
or avatar.
In effect if an admin sees the image or the original user sees it, it
will instantly delete the post as its on the same site no extra login is
needed.


What you've identified is part of a general class of similar problems and
was discussed quite extensively on this list back in summer 2001. Read the
thread starting here:

http://www.securityfocus.com/archive/1/191114

culminating in a comprehensive analysis by "Peter W" in which he names the
general problem "CSRF" (Cross-Site Request Forgeries):

http://www.securityfocus.com/archive/1/191390


Tim

Current thread:

Security Advisory for ALL forum services with client-set images James Bandara (Dec 22)
- Re: Security Advisory for ALL forum services with client-set images Stefan Paletta (Dec 23)
- Re: Security Advisory for ALL forum services with client-set images Tim Jackson (Dec 23)