Cross-site Request Forgery

  • CP99
    Fuck you, Orange Pants.
    • Apr 2005
    • 331

    #1

    Cross-site Request Forgery

    I noticed a cross-site request forgery vulnerability in the pics.defcon.org system; nothing too serious at the moment.

    http://dc949.org/dc_pics_csrf.php
    Don't click unless you want a new favorite photo, and a new buddy.

    There also appears to be a problem with the persistent authentication: you can view and add to the favorite pictures list while logged out, though the added favorites are only viewable when logged out. Go figure.
    Last edited by CP99; September 4, 2008, 20:22.
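An added defensive example, not code from pics.defcon.org or from the poster, showing the two server-side checks the report implies are missing on the "add favorite" request: refusing state changes from a logged-out session, and requiring a per-session anti-CSRF token that a page on another site cannot read or guess. The endpoint path, session layout, form field names and site origin are assumptions.

```python
import hmac
import secrets

SITE_ORIGIN = "https://pics.example"  # assumed origin of the site hosting the form


def new_session(user=None):
    """Create a session; user stays None until the visitor logs in."""
    return {"user": user, "csrf_token": secrets.token_urlsafe(32), "favorites": []}


def render_favorite_form(session):
    """Fields the site's own form would carry (hidden field name assumed)."""
    return {"csrf_token": session["csrf_token"]}


def add_favorite(session, form, origin=None):
    """
    Handle POST /favorite/add (assumed path). Returns (status, message).

    1. A logged-out session must not be able to mutate a favorites list.
    2. The submitted token must equal the token minted for this session; a
       forged form on a third-party site never has it, so it is rejected.
    3. If the browser sent an Origin header, it must match our own site.
    """
    if session["user"] is None:
        return 401, "login required"
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request refused"
    submitted = str(form.get("csrf_token", ""))
    # constant-time comparison so a mismatch does not leak how many bytes matched
    if not hmac.compare_digest(submitted.encode(), session["csrf_token"].encode()):
        return 403, "bad csrf token"
    photo_id = form.get("photo_id")
    if not photo_id:
        return 400, "missing photo_id"
    session["favorites"].append(photo_id)
    return 200, "added"
```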
  • TheCotMan
    ***** Retired *****
    • May 2004
    • 8857

    #2
    Re: Cross-site Request Forgery

    Originally posted by CP99
    I noticed a cross-site request forgery vulnerability in the pics.defcon.org system; nothing too serious at the moment.

    http://dc949.org/dc_pics_csrf.php
    Don't click unless you want a new favorite photo, and a new buddy.

    There also appears to be a problem with the persistent authentication: you can view and add to the favorite pictures list, though the added favorites are only viewable when logged out. Go figure.
    Thanks for the report. We'll look into this too. :-)

    -Cot
