Posts by Adrian Pastor

1 post • joined 30 Jan 2009

Novell GroupWise bug threatens mass email theft

Adrian Pastor

regarding "acting as a logged in user"

As in most CSRF bugs, the victim user must be logged in when the attack occurs. This also applies to this GroupWise CSRF vuln. Notice that the victim user would be logged in when the "evil" email is viewed via GroupWise WebAccess, thus this attack is practical. This is the very reason why cross-site vulnerabilities (XSS/CSRF) on webmail portals are considered serious: the victim user is *logged in* when an email is viewed.

Hope this makes sense.

Regards,

ap.

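The point made in the post above, that a session cookie alone proves nothing about whether the user intended a request, is easiest to see in code. The following is an added example, not part of the forum post and not Novell GroupWise code: a toy webmail "set forwarding address" endpoint with an in-memory session store, a forged request modelled on what a hidden form in an email would make the browser send (cookie attached automatically, no token), and the synchronizer-token check that rejects it. All names (`SESSIONS`, `set_forwarding`, `forged_request`, the example addresses) are constructed for this demonstration.

```python
"""
Added example (not from the original post): why a webmail action endpoint
needs more than the session cookie, and how a per-session CSRF token blocks
a request forged from an email viewed while the victim is logged in.

Everything here is constructed: the endpoint, the session store and the
requests are toy stand-ins, not GroupWise WebAccess behaviour.
"""
import hmac
import secrets

# Constructed in-memory session store: session id -> user record.
SESSIONS = {}
# Constructed mailbox settings a forged request might try to change.
FORWARDING_RULES = {}


def login(user):
    """Create a session and a per-session CSRF token (constructed helper)."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": user, "csrf_token": secrets.token_hex(16)}
    return sid


def set_forwarding(request, require_token=True):
    """
    Toy 'set forwarding address' endpoint.
    request: dict with 'method' (str), 'cookies' (dict) and 'form' (dict).
    Returns an HTTP-style status string.
    """
    if request["method"] != "POST":
        return "405 method not allowed"
    sess = SESSIONS.get(request["cookies"].get("session"))
    if sess is None:
        return "401 not logged in"
    if require_token:
        token = request["form"].get("csrf_token", "")
        # Constant-time comparison so a wrong token leaks no timing signal.
        if not hmac.compare_digest(token, sess["csrf_token"]):
            return "403 missing or bad csrf token"
    FORWARDING_RULES[sess["user"]] = request["form"]["forward_to"]
    return "200 forwarding updated"


def forged_request(sid):
    """
    Model of the request a hidden form in an 'evil' email would cause the
    victim's browser to send: the session cookie rides along automatically,
    but whoever authored the email never saw the session's token.
    """
    return {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {"forward_to": "third-party@example.invalid"},
    }


def legitimate_request(sid):
    """Request built by the real webmail UI, which embeds the session token."""
    return {
        "method": "POST",
        "cookies": {"session": sid},
        "form": {
            "forward_to": "me@example.invalid",
            "csrf_token": SESSIONS[sid]["csrf_token"],
        },
    }


def demo():
    """Run the three cases and return their outcomes (constructed scenario)."""
    FORWARDING_RULES.clear()
    sid = login("victim")
    return {
        # Cookie alone is accepted: the forged request silently succeeds.
        "forged_no_check": set_forwarding(forged_request(sid), require_token=False),
        # Same forged request against the token-checking endpoint.
        "forged_with_check": set_forwarding(forged_request(sid)),
        # The real UI's request carries the token and is accepted.
        "legit_with_check": set_forwarding(legitimate_request(sid)),
        "final_rule": FORWARDING_RULES["victim"],
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

The first case is the situation the post describes: the victim is logged in, so the browser attaches the session cookie and the server has no way to tell the forged request from a real one. The token check works because the token lives only in the session and in pages the real UI renders, never in an email body; a `SameSite` cookie attribute is a complementary defence, but it is the browser's to enforce, while the token check is under the application's control.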
