GLSA Advocate
Posted: Tue Dec 12, 2006 11:26 pm
Post subject: [ GLSA 200612-14 ] Trac: Cross-site request forgery
Gentoo Linux Security Advisory
Title: Trac: Cross-site request forgery (GLSA 200612-14)
Severity: low
Exploitable: remote
Date: December 12, 2006
Bug(s): #154574
ID: 200612-14
Synopsis
Trac allows remote attackers to execute unauthorized actions as other users.
Background
Trac is a wiki and issue tracking system for software development projects.
Affected Packages
Package: www-apps/trac
Vulnerable: < 0.10.1
Unaffected: >= 0.10.1
Architectures: All supported architectures
Description
Trac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests.
Impact
An attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user.
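Added here as an illustration of the bug class the advisory describes, not code from Trac or from the advisory: a minimal Python stand-in for a request handler, first acting on any request that carries the user's session (the unvalidated pattern the description refers to), then requiring POST plus a per-session form token that a cross-site page cannot read. The Session and Request classes and the field name form_token are assumptions made for this demo.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Session:
    """Server-side session for one authenticated user (constructed for the demo)."""
    user: str
    # Random per-session token; never exposed to other origins.
    form_token: str = field(default_factory=lambda: secrets.token_hex(16))


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: method, form fields, attached session."""
    method: str
    session: Session
    form: dict = field(default_factory=dict)


def handle_action_unvalidated(req: Request) -> str:
    # Unvalidated pattern: any request carrying the user's session is acted on,
    # so a link the user is lured into following is enough to trigger an action.
    return f"{req.form.get('action')} performed as {req.session.user}"


def handle_action_validated(req: Request) -> str:
    # Hardened pattern: state changes require POST and a form token that matches
    # the one stored in the session (field name 'form_token' is assumed here).
    if req.method != "POST":
        return "rejected: state-changing actions require POST"
    supplied = req.form.get("form_token", "")
    # Compare as bytes in constant time; non-ASCII input cannot raise here.
    if not hmac.compare_digest(supplied.encode(), req.session.form_token.encode()):
        return "rejected: missing or invalid form token"
    return f"{req.form.get('action')} performed as {req.session.user}"


if __name__ == "__main__":
    sess = Session(user="alice")
    # Constructed request shaped like one a third-party page could cause the
    # browser to send: session attached, no token, plain GET.
    lured = Request(method="GET", session=sess, form={"action": "delete"})
    print(handle_action_unvalidated(lured))
    print(handle_action_validated(lured))
    legit = Request("POST", sess, {"action": "delete", "form_token": sess.form_token})
    print(handle_action_validated(legit))
```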
Workaround
There is no known workaround at this time.
Resolution
All Trac users should upgrade to the latest version:
Code:
# emerge --sync
# emerge --ask --oneshot --verbose ">=www-apps/trac-0.10.1"
References
CVE-2006-5848
CVE-2006-5878