ISS X-Force Database: webapporg-net-administration-csrf(35929): web-app.org WebAPP and web-app.net WebAPP Network Edition administration cross-site request forgery

web-app.org WebAPP and web-app.net WebAPP Network Edition administration cross-site request forgery

webapporg-net-administration-csrf (35929)

Medium Risk

Description:

web-app.org WebAPP and web-app.net WebAPP Network Edition are vulnerable to cross-site request forgery, caused by a vulnerability in the administration for poll, profiles, IP bans or forums. A remote attacker could send a specially-crafted request to cause the administrator to perform arbitrary deletions, once the administrator views the malicious request. An attacker could exploit this vulnerability to perform cross-site scripting attacks, Web cache poisoning and other malicious activities.

Platforms Affected:

WebAPP, web-app.net WebAPP Network Edition 2007-20070624
WebAPP, Web-APP.org WebAPP 0.8 - 0.9.9.6

Remedy:

For web-app.org WebAPP:
Upgrade to the latest version of web-app.org WebAPP (0.9.9.7 or later), available from the web-app.org WebAPP Web site. See References.

Consequences:

Gain Access

References:

VIM Mailing List, Thu Jun 28 19:01:36 UTC 2007, Regarding Web-APP.org WebAPP CVE Entry Details at http://www.attrition.org/pipermail/vim/2007-June/001687.html.
web-app.net WebAPP Web site, web-app.net WebAPP at http://www.web-app.net/cgi-bin/index.cgi.
Web-APP.org Forums, 11/23/06 at 20:36:22 GMT, What Is New in Versions Since 0.9.9.1? at http://www.web-app.org/cgi-bin/index.cgi?action=forum&board=how_to&op=display&num=9458.
web-app.org WebAPP Web site, web-app.org WebAPP at http://www.web-app.org/.
CVE-2007-3416: Multiple cross-site request forgery (CSRF) vulnerabilities in the administration of (1) polls, (2) profiles, (3) IP bans, and (4) forums in (a) web-app.org WebAPP 0.8 through 0.9.9.6; and (b) web-app.net WebAPP 0.9.9.3.3, 0.9.9.3.4, and 2007; allow remote attackers to perform deletions as administrators.

Reported:

Aug 10, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page