Seditio SF - Quick Ban Plugin Cross-Site Request Forgery
Seditio SF - Quick Ban Plugin Cross-Site Request Forgery Vulnerability
Release Date : 2012-04-13
Criticality level : Less critical
Impact : Cross Site Scripting
Where : From remote
Solution Status : Unpatched
Software: SF - Quick Ban 1.x (plugin for Seditio)
A vulnerability has been discovered in the SF - Quick Ban plugin for Seditio, which can be exploited by malicious people to conduct cross-site request forgery attacks.
The application allows users to perform certain actions via HTTP requests without performing proper validity checks to verify the requests. This can be exploited to e.g. ban an IP address when a logged-in administrative user visits a specially crafted web page.
Successful exploitation requires knowledge of the user ID ("uid") of the respective user (e.g. "1" for the super administrator by default).
The vulnerability is confirmed in version 1.0. Other versions may also be affected.
Do not browse untrusted sites or follow untrusted links while being logged-in to the application.
Provided and/or discovered by: