OSVDB ID: 18604

Title: tDiary URL Activation CSRF

Info

Dates
  Disclosure: Aug 08, 2005
  Discovery: Unknown
  Exploit: Unknown
  Solution: Unknown

Description

tDiary contains a flaw that allows a Cross-Site Request Forgery (CSRF). The flaw exists because the application does not verify that requests to privileged URLs originate from appropriate tDiary web pages. This could allow a user to create a malicious URL (within or outside the tDiary application) which, if followed by an authenticated tDiary user, causes privileged actions to be performed on behalf of that tDiary user or of the web server. This flaw can be used to delete tDiary entries, change tDiary configurations, and execute privileged commands on behalf of the web server.
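The check the description says is missing, shown as a constructed Ruby example (not tDiary's own code): a CGI-style diary honours a privileged request only when it carries a session-bound token and its Referer names the site's own host, so a link placed on another page cannot trigger the action. Host names, parameter names and the `handle_delete` handler are assumptions.

```ruby
require 'securerandom'
require 'uri'

# Illustrative CSRF guard for a CGI-style diary application (constructed example,
# not tDiary's code). A privileged request is honoured only when it passes two
# independent checks, so a link or form on an attacker's page cannot satisfy them:
#   1. it carries the secret synchronizer token issued to this session, and
#   2. its Referer names our own host (a missing Referer is rejected here).
class CsrfGuard
  attr_reader :token

  def initialize(site_host)
    @site_host = site_host
    @token = SecureRandom.hex(16)   # kept server-side for the session, echoed into forms
  end

  # The request must originate from one of our own pages.
  def same_origin?(referer)
    return false if referer.nil? || referer.empty?
    host = begin
      URI.parse(referer).host
    rescue URI::InvalidURIError
      nil
    end
    host == @site_host
  end

  # Constant-time comparison of the submitted token against the session token.
  def valid_token?(submitted)
    return false unless submitted.is_a?(String) && submitted.bytesize == @token.bytesize
    submitted.bytes.zip(@token.bytes).inject(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end

  def allow?(params, referer)
    valid_token?(params['csrf_token']) && same_origin?(referer)
  end
end

# Privileged action (deleting an entry) guarded by the checks above; without the
# guard line, any authenticated user following a crafted link would delete the entry.
def handle_delete(guard, params, referer, entries)
  return :rejected unless guard.allow?(params, referer)
  entries.delete(params['date'])
  :deleted
end
```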

Classification

Location: Remote / Network Access
Attack Type: Input Manipulation
Impact: Loss of Integrity
Exploit: Exploit Unknown
Disclosure: OSVDB Verified
OSVDB: Web Related

Solution

Upgrade to stable release 2.0.2 or higher, or development release 2.1.2 or higher, which have been reported to fix this vulnerability. An upgrade is required, as no workarounds or patches are known.

Products

Vendor: tDiary.org
Product: tDiary
Versions: 2.0.1, 2.1.1, 2.0.2, 2.1.2

References

Credit

  • Yutaka Oiwa - Research Center for Information Security, National Institute of Advanced Industrial Science and Technology (AIST)
  • Hiromitsu Takagi - Research Center for Information Security, National Institute of Advanced Industrial Science and Technology (AIST)


Direct URL: http://osvdb.org/18604