HIO-2010-0223 Web Wiz Forums CSRF Vulnerabilities

Web Wiz Forums 9.65 and earlier contain multiple flaws that allow cross-site request forgery (CSRF).

The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify that the requests were intentionally issued by the user. This can be exploited to perform a variety of actions, including administrative functions, when authenticated users or administrators visit a malicious web site.

The following Web Wiz Forum scripts are affected:

pm_add_buddy.asp, pm_buddy_list.asp, pm_delete_buddy.asp, pm_message.asp, pm_delete_message.asp, pm_inbox.asp, includes/message_form_inc.asp, pm_new_message.asp, pm_new_message_form.asp, file_manager.asp, file_delete.asp, file_upload.asp, email_notify_subscriptions.asp, email_notify_remove.asp, email_notify.asp, ajax_email_notify.asp, new_post.asp, edit_post.asp, new_reply_form.asp, new_poll_form.asp, new_reply_form.asp, new_topic_form.asp, edit_post_form.asp, forum_posts.asp

The vulnerability is confirmed in version 9.65.
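The check the affected scripts lack is a per-session synchronizer token that every state-changing request must echo back. The following is an added illustration, not Web Wiz Forums code: a hypothetical delete-message handler modelled on the flawed pattern, with requests represented as plain dicts and the form field name `PM` assumed for the example.

```python
import hmac
import secrets

# Added illustration (not Web Wiz Forums code): a synchronizer-token check
# of the kind the affected scripts lack. Requests are modelled as plain dicts.

def issue_csrf_token(session: dict) -> str:
    """Create (or reuse) a per-session secret that forms must echo back."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]

def render_delete_form(session: dict, message_id: int) -> str:
    """Hypothetical delete form; the token travels in a hidden field."""
    token = issue_csrf_token(session)
    return (
        '<form method="POST" action="/pm_delete_message.asp">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        f'<input type="hidden" name="PM" value="{message_id}">'
        '<input type="submit" value="Delete"></form>'
    )

def csrf_check(session: dict, request: dict, site_origin: str) -> bool:
    """Reject state-changing requests lacking a valid token or sent from a foreign origin."""
    if request.get("method") != "POST":
        return False                       # GET must never change state
    expected = session.get("csrf_token")
    supplied = request.get("form", {}).get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return False                       # missing or wrong token
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != site_origin:
        return False                       # browser says the form was submitted elsewhere
    return True

def handle_delete_message(session: dict, request: dict,
                          site_origin: str = "https://forum.example") -> tuple:
    """Hypothetical handler: only acts when the CSRF check passes."""
    if not csrf_check(session, request, site_origin):
        return 403, "request rejected: missing or invalid CSRF token"
    return 200, f"deleted message {request['form']['PM']}"

# Constructed sample: a cross-site POST rides on the victim's cookie but carries no token
victim_session = {"user": "victim"}
issue_csrf_token(victim_session)
forged = {"method": "POST", "headers": {"Origin": "https://other.example"},
          "form": {"PM": "42"}}
print(handle_delete_message(victim_session, forged))   # (403, ...)
```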

References:

CVE-2009-pending

BID:

FrSIRT: N/A

Nessus: N/A

OSVDB: 62973 62974 62975 62976 62977 62978 62979 62980 62981 62982 62983 62984 62985 62986 62987 62988 62989 62990 62991 62992 62993 62994 62995 62996

SA: 38997

XF: 

Related: 

Vendor Solution: Upgrade to 9.66
