===========================================================
eBox Security Notice ESN-1-1                  June 10, 2010
libebox, ebox, ebox-remoteservices vulnerabilities
Secunia Advisory SA40015
===========================================================

A security issue affects the following eBox Platform releases:

eBox Platform 1.4

The problem can be corrected by upgrading your system to the
following package versions:

eBox Platform 1.4:
  ebox 1.4.7-0ubuntu1~ppa1~hardy1
  libebox 1.4.5-0ubuntu1~ppa1~hardy1
  ebox-remoteservices 1.4.7-0ubuntu1~ppa1~hardy1

In general, a standard system update will make all the necessary
changes.

Details follow:

We have received a report from Secunia on behalf of a third-party
researcher (Russ McRee) regarding a CSRF vulnerability in eBox
Platform.

Cross-Site Request Forgery (CSRF) is an attack which forces an end
user to execute unwanted actions on a web application in which he/she
is currently authenticated. An attacker's website could redirect the
user's requests to the eBox administration page and execute malicious
actions if the user is authenticated.

HTTP Referer checking has been added in order to avoid this
vulnerability.
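The kind of Referer check described above, as an added example; it is not eBox's own code, which this notice does not show. The hostname ebox.example.test, the function names, and the policy of rejecting state-changing requests that carry no Referer are assumptions.

```python
from urllib.parse import urlsplit

# Assumption: GET/HEAD/OPTIONS never change state in the protected application.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _origin(url):
    """Return (scheme, host, port) for an absolute http(s) URL, else None."""
    try:
        parts = urlsplit(url)
        port = parts.port              # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), default if port is None else port)


def referer_allowed(method, referer, own_base_url):
    """Strict Referer policy: the Referer's origin must equal our own origin."""
    if method.upper() in SAFE_METHODS:
        return True
    if not referer:
        return False                   # fail closed when the header is absent
    expected = _origin(own_base_url)
    # Compare parsed origins; substring or prefix matching is bypassable.
    return expected is not None and _origin(referer) == expected


# Constructed sample requests (hypothetical hostnames and paths).
BASE = "https://ebox.example.test"
SAMPLES = [
    ("POST", "https://ebox.example.test/ebox/Users"),       # same origin
    ("POST", "https://ebox.example.test:443/ebox/Users"),   # explicit default port
    ("POST", None),                                         # header stripped
    ("POST", "https://ebox.example.test.evil.test/page"),   # look-alike suffix
    ("POST", "https://ebox.example.test@evil.test/page"),   # userinfo trick
    ("POST", "https://evil.test/?https://ebox.example.test/"),  # origin in query
    ("POST", "http://ebox.example.test/ebox/Users"),        # scheme downgrade
    ("GET", "https://evil.test/page"),                      # safe method
]


def classify_samples():
    """Return the allow/deny decision for each constructed sample."""
    return [referer_allowed(m, r, BASE) for m, r in SAMPLES]


if __name__ == "__main__":
    for (method, ref), ok in zip(SAMPLES, classify_samples()):
        print("ALLOW" if ok else "DENY ", method, ref)
```

A Referer check depends on the browser sending the header, so per-session anti-CSRF tokens are commonly used alongside or instead of it.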
