Debian Bug report logs - #475445
Cross Site Request Forging vulnerabilities


Package: ikiwiki; Maintainer for ikiwiki is Jonathan Dowland <jmtd@debian.org>; Source for ikiwiki is src:ikiwiki (PTS, buildd, popcon).

Reported by: Joey Hess <joeyh@debian.org>

Date: Thu, 10 Apr 2008 20:24:02 UTC

Severity: serious

Fixed in version ikiwiki/2.42

Done: Joey Hess <joeyh@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org: Bug#475445; Package ikiwiki.

Acknowledgement sent to Joey Hess <joeyh@debian.org>: New Bug report received and forwarded.


Message #5 received at submit@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Cross Site Request Forging vulnerabilities
Date: Thu, 10 Apr 2008 16:22:01 -0400
Package: ikiwiki
Severity: serious

CSRF attacks can be used to construct links that change a logged-in
user's password or other preferences. Links can also be constructed
that cause a logged-in user to modify a wiki page.

-- 
see shy jo

Reply sent to Joey Hess <joeyh@debian.org>: You have taken responsibility.

Notification sent to Joey Hess <joeyh@debian.org>: Bug acknowledged by developer.


Message #10 received at 475445-close@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 475445-close@bugs.debian.org
Subject: Bug#475445: fixed in ikiwiki 2.42
Date: Thu, 10 Apr 2008 21:32:05 +0000
Source: ikiwiki
Source-Version: 2.42

We believe that the bug you reported is fixed in the latest version of
ikiwiki, which is due to be installed in the Debian FTP archive:

ikiwiki_2.42.dsc
  to pool/main/i/ikiwiki/ikiwiki_2.42.dsc
ikiwiki_2.42.tar.gz
  to pool/main/i/ikiwiki/ikiwiki_2.42.tar.gz
ikiwiki_2.42_all.deb
  to pool/main/i/ikiwiki/ikiwiki_2.42_all.deb
A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 475445@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Joey Hess <joeyh@debian.org> (supplier of updated ikiwiki package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)



Format: 1.7
Date: Thu, 03 Apr 2008 02:35:39 -0400
Source: ikiwiki
Binary: ikiwiki
Architecture: source all
Version: 2.42
Distribution: unstable
Urgency: high
Maintainer: Joey Hess <joeyh@debian.org>
Changed-By: Joey Hess <joeyh@debian.org>
Description: 
 ikiwiki    - a wiki compiler
Closes: 475445
Changes: 
 ikiwiki (2.42) unstable; urgency=high
 .
   * aggregate: Correct a mistake in the code that dummies up a guid for feeds
     lacking one.
   * inline: Correct handling of urls relative to baseurl in feeds.
   * Fix CSRF attacks against the preferences and edit forms. The fix involved
     embedding the session id in the forms, and not allowing the forms to be
     submitted if the embedded id does not match the session id. Closes: #475445
Files: 
 36eb80d0053218c923b6192f4cac3606 865 web optional ikiwiki_2.42.dsc
 036620a1781bd04d2e2fa6245fbc214b 694550 web optional ikiwiki_2.42.tar.gz
 bbf1cd705e69fa3832b7684ca6c9be8b 829166 web optional ikiwiki_2.42_all.deb

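An added illustration of the check the changelog above describes, not ikiwiki's own code: a minimal Python form handler (the in-memory session store, the `sid` field name and the sample users are assumptions) that embeds the session id in the rendered form and refuses a submission whose hidden field does not match the session behind the request's cookie.

```python
import hmac
import secrets

# Constructed in-memory session store: session id (the cookie value) -> record.
SESSIONS = {}
REJECTED = "rejected: embedded session id does not match the request's session"


def new_session(user):
    """Log a user in; the returned id is what the browser would hold in its cookie."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "password": "initial"}
    return sid


def render_preferences_form(cookie_sid):
    """Server side of the fix: the session id is embedded as a hidden form field."""
    return {"sid": cookie_sid, "password": ""}


def handle_preferences_post(cookie_sid, form):
    """Refuse the submission unless the hidden field matches the cookie's session id."""
    session = SESSIONS.get(cookie_sid)
    if session is None:
        return "rejected: not logged in"
    # compare_digest avoids leaking the id through timing differences.
    if not hmac.compare_digest(form.get("sid", ""), cookie_sid):
        return REJECTED
    session["password"] = form["password"]
    return "ok"


def simulate():
    """Run one legitimate submission and two forged ones against a victim session."""
    victim = new_session("alice")
    # Legitimate flow: the browser loaded the form, so the hidden sid is filled in.
    form = render_preferences_form(victim)
    form["password"] = "new-secret"
    legit = handle_preferences_post(victim, form)
    # Forged flow: a cross-site page submits its own form to the wiki. The browser
    # attaches alice's cookie, but that page cannot read the cookie, so it cannot
    # supply the matching hidden field.
    forged = handle_preferences_post(victim, {"password": "attacker-chosen"})
    # Forged flow with some other session's id pasted in: still a mismatch.
    mallory = new_session("mallory")
    forged_other = handle_preferences_post(victim, {"sid": mallory, "password": "x"})
    return legit, forged, forged_other, SESSIONS[victim]["password"]


if __name__ == "__main__":
    print(simulate())
```

Embedding the raw session id does reveal it to anything able to read the rendered page; a random per-session token, or an HMAC of the session id under a server secret, binds the form to the session the same way without exposing the cookie value.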
Information forwarded to debian-bugs-dist@lists.debian.org: Bug#475445; Package ikiwiki.

Acknowledgement sent to Joey Hess <joeyh@debian.org>: Extra info received and forwarded to list.


Message #15 received at 475445@bugs.debian.org:

From: Joey Hess <joeyh@debian.org>
To: 475445@bugs.debian.org
Subject: backport to stable
Date: Thu, 10 Apr 2008 18:53:19 -0400
I've backported the CSRF fixes to the debian-stable branch in
ikiwiki's git repo.

-- 
see shy jo

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Mon, 12 May 2008 09:48:34 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 09:52:41 2025; Machine Name: buxtehude