1 post • joined 30 Jan 2009
regarding "acting as a logged in user"
As in most CSRF bugs, the victim user must be logged-in when the attack occurs. This also applies to this GroupWise CSRF vuln. Notice that the victim user would be logged-in when the "evil" email is viewed via GroupWise WebAccess, thus this attack is practical. This is the very reason why cross-site vulnerabilities (XSS/CSRF) on webmail portals are considered serious: the victim user is *logged-in* when an email is viewed.
Hope this makes sense.
- Hi-torque tank engines: EXTREME car hacking with The Register
- Review What's MISSING on Amazon Fire Phone... and why it WON'T set the world alight
- Product round-up Ten excellent FREE PC apps to brighten your Windows
- Product round-up Trousers down for six of the best affordable Androids
- Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...