sla.ckers.org is ha.ckers sla.cking
Q and A on cross-site request forgeries and breaking into sessions. It's one of the attacks that XSS enables and the attack of the future. For session fixation, hijacking, lockout, replay, session riding, etc.
csrf in many torrent trackers
Date: July 01, 2007 12:17PM

Well, I posted this on some other forum but no one seemed interested or wanted to talk about it, so here I am, and I would really like to get some feedback about it!

I found a (my first) csrf in

tracker.com/takeprofedit.php?email=....

I haven't seen any tracker needing the password or a sid to change the email in the profile. So you can very simply abuse this with a csrf to change the email and then hijack the account through the "forgot pwd dialog".

What do you think about it?

greets
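
The server-side checks whose absence the post above describes, as an added example that is not part of the original post or of any tracker's code. The function names, parameter names and sample data are hypothetical; the handler is modelled as a pure function so it runs from the PHP command line.

```php
<?php
// Added example: checks a profile email change should pass before it is applied.
// issue_csrf_token() and check_email_change() are hypothetical names.

function issue_csrf_token(array &$session): string {
    // Per-session secret embedded in the legitimate profile form.
    $session['csrf'] = bin2hex(random_bytes(32));
    return $session['csrf'];
}

function check_email_change(string $method, array $params, array $session, string $pwHash): array {
    // 1. State changes must not ride on a GET URL (img tags, links).
    if ($method !== 'POST') {
        return [false, 'state change must use POST'];
    }
    // 2. The request must carry the token bound to this session.
    $sent = $params['csrf'] ?? '';
    if (!is_string($sent) || empty($session['csrf']) || !hash_equals($session['csrf'], $sent)) {
        return [false, 'missing or wrong CSRF token'];
    }
    // 3. Changing the recovery address requires the current password.
    $pw = $params['current_password'] ?? '';
    if (!is_string($pw) || !password_verify($pw, $pwHash)) {
        return [false, 'current password required'];
    }
    // 4. Only then validate the new value itself.
    if (filter_var($params['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        return [false, 'invalid email'];
    }
    return [true, 'ok'];
}

// Constructed sample data, not taken from any real tracker.
$session = [];
$token   = issue_csrf_token($session);
$pwHash  = password_hash('correct horse', PASSWORD_DEFAULT);
$new     = 'new@example.org';

$cases = [
    'cross-site GET (as in the post)' => ['GET',  ['email' => $new]],
    'cross-site POST, no token'       => ['POST', ['email' => $new]],
    'token present, no password'      => ['POST', ['email' => $new, 'csrf' => $token]],
    'legitimate form submission'      => ['POST', ['email' => $new, 'csrf' => $token,
                                                   'current_password' => 'correct horse']],
];
foreach ($cases as $label => [$method, $params]) {
    [$ok, $why] = check_email_change($method, $params, $session, $pwHash);
    printf("%-33s %s (%s)\n", $label, $ok ? 'ACCEPT' : 'REJECT', $why);
}
```

Only the last case is accepted; the password check matters on its own because the email address is what the "forgot pwd" flow trusts.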

Re: csrf in many torrent trackers
Posted by: Anonymous User
Date: July 01, 2007 12:31PM

Yep - them trackers mostly are spiced with vulnerabilities

http://sla.ckers.org/forum/read.php?3,5571,5625

Anyway - nice primer!

Greetings,
.mario

Re: csrf in many torrent trackers
Posted by: hackathology
Date: August 21, 2007 04:29AM

Great!!

http://hackathology.blogspot.com
