- **status**: open --> duplicate
- **Comment**: This was ticketed at [#7685] and fixed recently. Thanks.
---

**[tickets:#7944] Apache Allura Security Vulnerability**

**Status:** duplicate
**Milestone:** unreleased
**Labels:** CSRF
**Created:** Thu Jul 30, 2015 10:33 PM UTC by Mohamed A. Baset
**Last Updated:** Thu Jul 30, 2015 10:33 PM UTC
**Owner:** nobody

Hi,

My name is Mohamed Abdelbaset Elnoby, a Senior Information Security Analyst and Web Application Penetration Tester at Seekurity Inc. I would like to report a security vulnerability in the Apache Allura wiki script, detailed as follows:

Vulnerability: Cross Site Request Forgery (CSRF)
Info: http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

Affected URL(s)/Forms Code:
/wiki/subscribe?subscribe=True
/wiki/subscribe?unsubscribe=True

More Details/Impact: Force users to subscribe/unsubscribe to any other user's wiki; the vulnerable links above are PoC links that do so to my wiki account.

Waiting for your reply.

Best Regards,
Mohamed Abdelbaset Elnoby
Guru Programmer, Senior Information Security Consultant & Web Application Penetration Tester at Seekurity Inc.
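The report above boils down to one pattern: a state-changing action (`subscribe=True` / `unsubscribe=True`) reachable by a plain GET and authorised by nothing but the session cookie the browser attaches on its own, so any page the victim visits can fire it with an `<img>` tag. The following is an added example, not Allura's code and not the fix referenced in #7685: a hypothetical reimplementation of such an endpoint in the vulnerable shape, beside a hardened version that accepts only POST and requires a per-session anti-CSRF token, with a simulated cross-site attacker run against both. The request and session objects are plain dicts constructed for the demo.

```python
"""Hypothetical /wiki/subscribe handler (not Allura's code): the GET-driven
shape the ticket describes, beside a POST-plus-token hardened version.
Requests and sessions are constructed dicts so the demo runs offline."""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit


def vulnerable_subscribe(request, session, subscriptions):
    """State change on GET, authenticated only by the session cookie the
    browser sends automatically. Any third-party page can trigger it."""
    query = parse_qs(urlsplit(request["url"]).query)
    user = session["user"]
    if query.get("subscribe") == ["True"]:
        subscriptions.add(user)
    elif query.get("unsubscribe") == ["True"]:
        subscriptions.discard(user)
    return 200


def issue_csrf_token(session):
    """Per-session random secret; the server embeds it in its own forms only."""
    token = secrets.token_hex(16)
    session["csrf_token"] = token
    return token


def hardened_subscribe(request, session, subscriptions):
    """Same action, but only on POST and only when the submitted token matches
    the session's. A cross-site page cannot read the victim's token (same-origin
    policy), so a forged request fails closed before any state changes."""
    if request["method"] != "POST":
        return 405
    form = parse_qs(request.get("body", ""))
    submitted = form.get("csrf_token", [""])[0]
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected, submitted):
        return 403
    user = session["user"]
    if form.get("subscribe") == ["True"]:
        subscriptions.add(user)
    elif form.get("unsubscribe") == ["True"]:
        subscriptions.discard(user)
    return 200


def cross_site_attack(handler):
    """Simulate a logged-in victim loading an attacker-controlled page.
    The attacker chooses URL, method and body, but never sees the session.
    Returns True if the forged requests changed the victim's subscription."""
    victim_session = {"user": "victim"}
    issue_csrf_token(victim_session)  # victim holds a token the attacker cannot read
    subscriptions = set()
    # attacker page: <img src="https://target/wiki/subscribe?subscribe=True">
    forged_get = {"method": "GET", "url": "/wiki/subscribe?subscribe=True"}
    # attacker page: auto-submitting <form method="POST"> with a guessed token
    forged_post = {"method": "POST", "url": "/wiki/subscribe",
                   "body": "subscribe=True&csrf_token=guess"}
    for request in (forged_get, forged_post):
        handler(request, victim_session, subscriptions)
    return "victim" in subscriptions


def legitimate_post(handler):
    """The site's own form carries the session's token, so the action succeeds."""
    session = {"user": "alice"}
    token = issue_csrf_token(session)
    subscriptions = set()
    request = {"method": "POST", "url": "/wiki/subscribe",
               "body": f"subscribe=True&csrf_token={token}"}
    status = handler(request, session, subscriptions)
    return status, "alice" in subscriptions


if __name__ == "__main__":
    print("vulnerable handler forged:", cross_site_attack(vulnerable_subscribe))  # True
    print("hardened handler forged:", cross_site_attack(hardened_subscribe))      # False
    print("hardened legitimate post:", legitimate_post(hardened_subscribe))       # (200, True)
```

The check to carry away when triaging a report like this one is the first line of the hardened handler: if the endpoint mutates state, it must reject GET outright, not merely add a token to the form, because the `<img>`-style PoC in the ticket never submits a form at all. Comparing the token with `hmac.compare_digest` rather than `==` is a small extra that keeps the comparison constant-time.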
