On Tue, Dec 09, 2014 at 08:56:21PM -0600, Gunnar Wolf wrote:
> Moritz Mühlenhoff dijo [Tue, Dec 09, 2014 at 10:17:14PM +0100]:
> > > > I'm getting in touch with the authors right now. Thanks!
> > > 
> > > http://collabtive.o-dyn.de/forum/viewtopic.php?f=11&t=8479
> > 
> > Gunnar,
> > is this fixed in the version in jessie?
> 
> Sorry for the delay for this reply!
> 
> I can confirm that, from the three attacks mentioned in
> exploit-db¹, attacks 1 and 3 do not work. As for attack 2 (the CSRF),
> the description just reads:
> 
>     Technically, attacker can create a specially crafted page and
>     force collabtive administrators to visit it and can gain
>     administrative privilege. For prevention from CSRF
>     vulnerabilities, application needs anti-csrf token, captcha and
>     asking old password for critical actions.
> 
> The referred site for the POC exploit² no longer exists, so I cannot
> confirm whether it has been fixed or not. I can see from the forum
> post you linked to that the author does not believe it to be a
> realistic, important enough issue to worry about.

I've updated the security tracker, I suggest we go ahead and close this
bug, no need to keep this open.

Cheers,
        Moritz
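The exploit-db description quoted above lists an anti-CSRF token as the first mitigation for the forged-admin-action issue. The following is an added illustration of that mitigation, not code from Collabtive or from anyone in this thread: a framework-agnostic token that is bound to the victim's session with an HMAC, issued into the form, and checked with a constant-time compare before a privileged action runs. The session id, server secret and form dictionary are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed example: in a real application the secret lives in the
# framework's configuration and the session id comes from the session store.
SERVER_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Return a token to embed in the admin form for this session.

    The token is a random nonce plus an HMAC over (session_id, nonce), so a
    token stolen from one session does not validate for another, and the
    server does not need to store issued tokens.
    """
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                   hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, token: str) -> bool:
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_admin_action(session_id: str, form: dict) -> str:
    """Simulated privileged endpoint (hypothetical, not a Collabtive route).

    The browser always attaches the session cookie, so `session_id` is present
    even for a request forged by a third-party page; what the forged request
    cannot supply is a token that matches this session.
    """
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return "rejected: missing or invalid CSRF token"
    return f"ok: granted admin to user {form.get('user')}"


if __name__ == "__main__":
    admin_session = "sess-admin-constructed"
    token = issue_csrf_token(admin_session)
    # Legitimate submission from the admin's own page.
    print(handle_admin_action(admin_session, {"user": "alice", "csrf_token": token}))
    # Cross-site submission: cookie is sent, but the attacker page cannot
    # read the token from the admin's DOM, so the field is empty.
    print(handle_admin_action(admin_session, {"user": "mallory"}))
```

The design choice worth noting is binding the MAC to the session id rather than issuing a bare random token: the check then needs no server-side token table, and a token leaked from another user's session still fails verification. Asking for the current password on the most sensitive actions, as the quoted text also suggests, is an independent second layer that this snippet does not model.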

