phplist: cross site request forgery (CSRF), CVE-2011-0748 References http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2748 http://int21.de/cve/CVE-2011-0748-phplist.html Description phplist is a mailing list software written in PHP. Up to version 2.10.12, it provided no protection against cross site request forgery (CSRF) at all, allowing a malicious attacker controlling a webpage an admin visits at the time being logged into phplist to gain full control over the phplist installation. The vendor has released version 2.10.13, which fixes the vulnerability, but somehow forgot to give any credit to the person reporting the vulnerability to them. Disclosure Timeline 2011-02-03: Vendor contacted 2011-02-10: Vendor releases 2.10.13 with fix 2011-04-07: Published advisory This vulnerability was discovered by Hanno Boeck, http://www.hboeck.de, of schokokeks.org webhosting.
Description: PGP signature