Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass Vulnerabilities
BID:30706
Info
Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass Vulnerabilities
| Bugtraq ID: | 30706 |
| Class: | Design Error |
| CVE: |
CVE-2008-3717 CVE-2008-3716 |
| Remote: | Yes |
| Local: | No |
| Published: | Aug 15 2008 12:00AM |
| Updated: | Jul 05 2016 10:01PM |
| Credit: | Josh Abraham and Rapid7 |
| Vulnerable: |
Harmoni Harmoni 1.5.9 Harmoni Harmoni 1.5.8 Harmoni Harmoni 1.5.5 Harmoni Harmoni 1.5 Harmoni Harmoni 1.4.7 Harmoni Harmoni 1.4.6 |
| Not Vulnerable: |
Harmoni Harmoni 1.6 |
Discussion
Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass Vulnerabilities
Harmoni is prone to a cross-site request-forgery vulnerability and a security-bypass vulnerability.
An attacker can exploit these issues to gain unauthorized accsss to the affected application, create new user accounts, and delete arbitrary content within the context of the affected application. Other attacks are also possible.
Versions prior to Harmoni 1.6.0 are vulnerable.
Harmoni is prone to a cross-site request-forgery vulnerability and a security-bypass vulnerability.
An attacker can exploit these issues to gain unauthorized accsss to the affected application, create new user accounts, and delete arbitrary content within the context of the affected application. Other attacks are also possible.
Versions prior to Harmoni 1.6.0 are vulnerable.
Exploit / POC
Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass Vulnerabilities
An attacker can exploit these issues through a browser. To exploit the cross-site request-forgery issue, the attacker must entice an unsuspecting victim into following a malicious URI.
An attacker can exploit these issues through a browser. To exploit the cross-site request-forgery issue, the attacker must entice an unsuspecting victim into following a malicious URI.
Solution / Fix
Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass Vulnerabilities
Solution:
The vendor has released updates to address these issues. Please see the references for more information.
Harmoni Harmoni 1.4.6
Harmoni Harmoni 1.4.7
Harmoni Harmoni 1.5
Harmoni Harmoni 1.5.5
Harmoni Harmoni 1.5.8
Harmoni Harmoni 1.5.9
Solution:
The vendor has released updates to address these issues. Please see the references for more information.
Harmoni Harmoni 1.4.6
-
Harmoni harmoni-1.6.0.zip
http://downloads.sourceforge.net/harmoni/harmoni-1.6.0.zip?modtime=121 8734320&big_mirror=0
Harmoni Harmoni 1.4.7
-
Harmoni harmoni-1.6.0.zip
http://downloads.sourceforge.net/harmoni/harmoni-1.6.0.zip?modtime=121 8734320&big_mirror=0
Harmoni Harmoni 1.5
-
Harmoni harmoni-1.6.0.zip
http://downloads.sourceforge.net/harmoni/harmoni-1.6.0.zip?modtime=121 8734320&big_mirror=0
Harmoni Harmoni 1.5.5
-
Harmoni harmoni-1.6.0.zip
http://downloads.sourceforge.net/harmoni/harmoni-1.6.0.zip?modtime=121 8734320&big_mirror=0
Harmoni Harmoni 1.5.8
-
Harmoni harmoni-1.6.0.zip
http://downloads.sourceforge.net/harmoni/harmoni-1.6.0.zip?modtime=121 8734320&big_mirror=0
Harmoni Harmoni 1.5.9
-
Harmoni harmoni-1.6.0.zip
http://downloads.sourceforge.net/harmoni/harmoni-1.6.0.zip?modtime=121 8734320&big_mirror=0
References
Harmoni Versions Prior to 1.6.0 Cross-Site Request Forgery and Security Bypass Vulnerabilities
References:
References:
- Harmoni 1.6.0 Release Notes (Harmoni)
- Harmoni Homepage (Harmoni)