1 post • joined 30 Jan 2009
regarding "acting as a logged in user"
As in most CSRF bugs, the victim user must be logged in when the attack occurs. This also applies to this GroupWise CSRF vuln. Notice that the victim user would be logged in when the "evil" email is viewed via GroupWise WebAccess; thus this attack is practical. This is the very reason why cross-site vulnerabilities (XSS/CSRF) on webmail portals are considered serious: the victim user is *logged in* when an email is viewed.
Hope this makes sense.