zyphnet.no vulnerable to cross site request forgery

Submitted by xqus on Tue, 12/21/2010 - 16:02
                      ___  ___________ __  ______
                      \  \/  / ____/  |  \/  ___/
                       >    < <_|  |  |  /\___ \ 
                      /__/\_ \__   |____//____  >
                            \/  |__|          \/ 
------------------------------------------------------------------------
         zyphnet.no vulnerable to cross site request forgery
------------------------------------------------------------------------
Author: Audun Larsen (larsen at xqus dot com)
Date:   Dec 21, 2010
URL:    http://lsec.no/vuln/2010-07

--AFFECTED SOFTWARE--------------------------

Name: zyphnet.no
Zyphnet.no is a Norwegian social community site highly inspired by
Facebook.

--DISCUSSION---------------------------------
Zyphnet.no is vulnerable to cross site request forgery attacks [1].
This enables an attacker to "trick" the user into making requests he
didn't want to make. This may, for instance, be adding or deleting friends.

--PROOF OF CONCEPT---------------------------
None available

--REFERENCES---------------------------------
[1] http://en.wikipedia.org/wiki/Cross-site_request_forgery

--TIMELINE-----------------------------------
Dec 21, 2010: Bug found
Dec 26, 2010: Reported and released

--DISCLAIMER---------------------------------

The information in this advisory and any of its demonstrations is provided
"as is" without warranty of any kind.

Copyright (c) 2010 Audun Larsen, some rights reserved:
http://creativecommons.org/licenses/by-sa/3.0/
