---
**[tickets:#7944] Apache Allura Security Vulnerability**
**Status:** open
**Milestone:** unreleased
**Labels:** CSRF
**Created:** Thu Jul 30, 2015 10:33 PM UTC by Mohamed A. Baset
**Last Updated:** Thu Jul 30, 2015 10:33 PM UTC
**Owner:** nobody
Hi,
My name is Mohamed Abdelbaset Elnoby, a Senior Information Security Analyst and
Web Application Penetration Tester at Seekurity Inc.
I would like to report a Security Vulnerability in the Apache Allura Wiki
Script, detailed as follows:
Vulnerability:
Cross Site Request Forgery - (CSRF)
Info:
http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
Affected URL(s)/Forms Code:
/wiki/subscribe?subscribe=True
/wiki/subscribe?unsubscribe=True
More Details/Impact:
Force users to subscribe/unsubscribe to any other user's wiki; the vulnerable
links above show PoC links to do so to my wiki account.
Waiting for your reply
Best Regards,
Mohamed Abdelbaset Elnoby
Guru Programmer, Senior Information Security Consultant & Web Application
Penetration Tester at Seekurity Inc.
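The weakness reported above is that a GET request with a session cookie is enough to change subscription state. The following is an added illustration, not Allura's own code: a minimal model of the reported GET handler next to a hardened variant that only accepts a POST carrying a per-session synchronizer token and a same-site Origin header. The store, helper names and the site origin are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory subscription store standing in for Allura's real one.
SUBSCRIPTIONS = {"my-wiki": set()}

def subscribe_vulnerable(user, query):
    """Models the reported endpoint: GET /wiki/subscribe?subscribe=True.

    Anything that makes the victim's browser fetch this URL (a link, an
    <img src>, a redirect) changes state, because the session cookie is sent
    automatically and nothing proves the user intended the request."""
    subs = SUBSCRIPTIONS["my-wiki"]
    if query.get("subscribe") == "True":
        subs.add(user)
    elif query.get("unsubscribe") == "True":
        subs.discard(user)
    return user in subs

def issue_csrf_token(session):
    """Hypothetical helper: mint a per-session synchronizer token that the
    subscribe form embeds as a hidden field. Cross-site pages cannot read it."""
    session["_csrf_token"] = secrets.token_urlsafe(32)
    return session["_csrf_token"]

def subscribe_hardened(user, session, method, form, origin, site_origin):
    """Hardened variant: state changes need POST, a token matching the
    session, and (when the browser sends one) a same-site Origin header.
    Returns (accepted, subscribed)."""
    subs = SUBSCRIPTIONS["my-wiki"]
    if method != "POST":                      # GET links stay side-effect free
        return False, user in subs
    if origin is not None and origin != site_origin:
        return False, user in subs
    expected = session.get("_csrf_token")
    sent = form.get("_csrf_token", "")
    # Constant-time compare; a missing session token also rejects.
    if not expected or not hmac.compare_digest(expected, sent):
        return False, user in subs
    if form.get("subscribe") == "True":
        subs.add(user)
    elif form.get("unsubscribe") == "True":
        subs.discard(user)
    return True, user in subs
```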
---