Google FeedBurner FeedSmith Cross-Site Request Forgery Vulnerability

Bugtraq ID:	25921
Class:	Design Error
CVE:	CVE-2007-5229
Remote:	Yes
Local:	No
Published:	Oct 04 2007 12:00AM
Updated:	May 07 2015 05:35PM
Credit:	David Kierznowski is credited with the discovery of this vulnerability.
Vulnerable:	Google FeedBurner FeedSmith 2.2
Not Vulnerable:	Google FeedBurner FeedSmith 2.3

Google FeedBurner FeedSmith Cross-Site Request Forgery Vulnerability

FeedBurner FeedSmith is prone to a cross-site request-forgery vulnerability.

Exploiting this issue may allow a remote attacker to use a victim's currently active session to perform actions with the application.

This issue affects FeedBurner FeedSmith 2.2; other versions may also be affected.

Google FeedBurner FeedSmith Cross-Site Request Forgery Vulnerability

To exploit this issue, an attacker must entice an unsuspecting victim into following a malicious URI.

The following exploit code is available:

• /data/vulnerabilities/exploits/25921.js

Google FeedBurner FeedSmith Cross-Site Request Forgery Vulnerability

Solution:
The vendor has released FeedSmith 2.3 to address this issue; please see the references for details.


Google FeedBurner FeedSmith 2.2

• Google feedburner_feedsmith_plugin_2.3.zip
  http://www.feedburner.com/fb/products/feedburner_feedsmith_plugin_2.3. zip

Google FeedBurner FeedSmith Cross-Site Request Forgery Vulnerability

References:

• FeedBurner Homepage (FeedBurner)
  
• FeedBurner Upgrade Release Notes (FeedBurner)