I would like to be clear about this: this issue or vulnerability is
NOT present in the UseBB 1.0.14 forum software package. CSRF issues
were present in previous versions but were reported and fixed in
1.0.12 (April 2011). Verification and testing revealed no existing
issue in the ACP in the current stable version of UseBB 1.

Next to this, I have received no message from the author of the posted
exploit, before (or after) the release on several websites. Neither
did I see any bug report or message on GitHub or UseBB.net. Any of the
previous could have avoided or limited this kind of false information
being spread.

It is not the first time this has happened, and this previously
brought up the idea of having our personal database of vulnerability
disclosures in UseBB products. This event only confirmed that an
official and centralised place for disclosures in UseBB is a must. I
hereby would also like to (again) stress the fact that information
available on many "security websites" is of a very questionable
quality and should be taken with a serious grain of salt.

Dietrich
UseBB project leader
_______________________________________________
UseBB-Development mailing list
https://lists.sourceforge.net/lists/listinfo/usebb-development