continuum-issues mailing list archives

From "Brett Porter (JIRA)" <j...@codehaus.org>
Subject [jira] Closed: (CONTINUUM-2603) CSRF vulnerability - Continuum doesn't check which form sends credentials
Date Tue, 01 Feb 2011 11:51:22 GMT

     [ http://jira.codehaus.org/browse/CONTINUUM-2603?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Brett Porter closed CONTINUUM-2603.
-----------------------------------

    Resolution: Fixed
      Assignee: Brett Porter  (was: Maria Odea Ching)

> CSRF vulnerability - Continuum doesn't check which form sends credentials
> -------------------------------------------------------------------------
>
>                 Key: CONTINUUM-2603
>                 URL: http://jira.codehaus.org/browse/CONTINUUM-2603
>             Project: Continuum
>          Issue Type: Bug
>          Components: Security
>            Reporter: Maria Odea Ching
>            Assignee: Brett Porter
>            Priority: Critical
>             Fix For: 1.3.7, 1.4.1 (Beta)
>
>
> As reported by Anatolia Security Research Group, Apache Archiva doesn't check which form
> sends credentials. An attacker can create a specially crafted page and force archiva administrators
> to view it and change their credentials.
> Vulnerability reference key: [CVE-2010-3449] Apache Archiva CSRF Vulnerability

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.codehaus.org/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
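The issue above describes the classic cross-site request forgery condition: the server accepts a credential-changing form submission on the strength of the browser's session cookie alone, without verifying that the form was issued by the application itself. The usual fix is the synchronizer token pattern, optionally backed by an Origin header check. The following is an added illustration and is not code from Continuum, Archiva or the CONTINUUM-2603 fix; the in-memory session store, the `/changePassword` action name and the `https://continuum.example` allowed origin are all constructed assumptions.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> session state.
# A real application would keep this in its session framework.
SESSIONS = {}

ALLOWED_ORIGIN = "https://continuum.example"  # assumed deployment origin


def new_session(user="admin"):
    """Create a session and bind a fresh, unguessable CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_urlsafe(32)}
    return sid


def render_change_password_form(sid):
    """Emit the application's own form, carrying the session's token as a hidden field.

    A page served from another origin cannot read this value, so it cannot
    produce a submission that passes csrf_valid()."""
    token = SESSIONS[sid]["csrf_token"]
    return (
        '<form method="post" action="/changePassword">'
        f'<input type="hidden" name="csrf_token" value="{token}">'
        '<input type="password" name="new_password">'
        '<input type="submit" value="Change">'
        "</form>"
    )


def csrf_valid(sid, submitted_token, origin_header=None):
    """Return True only for a submission that originated from our own form.

    - the session must exist,
    - the submitted token must match the one bound to the session
      (constant-time comparison),
    - if the browser sent an Origin header, it must be our own origin.
    """
    session = SESSIONS.get(sid)
    if session is None or submitted_token is None:
        return False
    if not hmac.compare_digest(session["csrf_token"], submitted_token):
        return False
    if origin_header is not None and origin_header != ALLOWED_ORIGIN:
        return False
    return True


def handle_change_password(sid, form, headers):
    """State-changing handler: refuse to act unless the CSRF check passes.

    `form` and `headers` are plain dicts standing in for the parsed POST body
    and request headers. Returns an (http_status, message) tuple."""
    if not csrf_valid(sid, form.get("csrf_token"), headers.get("Origin")):
        return 403, "request rejected: missing or invalid CSRF token / origin"
    new_password = form.get("new_password")
    if not new_password:
        return 400, "new_password is required"
    SESSIONS[sid]["password"] = new_password
    return 200, "password changed"


def demo():
    """Exercise the handler with a legitimate and two forged submissions."""
    sid = new_session()
    token = SESSIONS[sid]["csrf_token"]
    # 1. Submission from our own rendered form: token present and correct.
    legit = handle_change_password(
        sid, {"csrf_token": token, "new_password": "s3cret"},
        {"Origin": ALLOWED_ORIGIN})
    # 2. Cross-site submission: the browser attaches the session cookie,
    #    but the foreign page never had the token, so the field is absent.
    forged_no_token = handle_change_password(
        sid, {"new_password": "attacker-chosen"}, {"Origin": "https://other.example"})
    # 3. Even with a correct token, a mismatched Origin header is refused.
    forged_bad_origin = handle_change_password(
        sid, {"csrf_token": token, "new_password": "x"},
        {"Origin": "https://other.example"})
    return legit[0], forged_no_token[0], forged_bad_origin[0]


if __name__ == "__main__":
    print(demo())  # (200, 403, 403)
```

The essential property is that the token lives only in the server-side session and in markup served from the application's own origin; the same-origin policy keeps a page on any other origin from reading it, so the vulnerable pattern (cookie alone authorises the change) is closed without relying on the Referer header, which browsers may strip.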
