
CERT Coordination Center

Allaire Forums does not verify user information stored in hidden form fields

Vulnerability Note VU#575619

Original Release Date: 2002-09-26 | Last Revised: 2002-09-26


Allaire Forums does not verify user information submitted in hidden fields on a web form, allowing attackers to impersonate other users.


Allaire Forums is a web-based bulletin board system that runs on Cold Fusion. When a user wishes to post a message, Allaire Forums dynamically generates a web form including the user's name and email address in hidden fields. Attackers may easily change these fields to specify a different user, and Allaire Forums does not check the submission to authenticate the user. Therefore, attackers may post messages to the bulletin board signed by a different user's name and email address.
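The pattern described above, next to two server-side checks, as an added Python example (not Allaire Forums code and not a vendor fix). The handler names, the session table and the key are hypothetical, and the sample submission is constructed.

```python
import hashlib
import hmac
import json

# Constructed server-side state: session id -> authenticated account.
SESSIONS = {"sess-alice": {"name": "alice", "email": "alice@example.org"}}
SERVER_KEY = b"constructed-demo-key"  # assumption: secret known only to the server


def post_trusting_hidden_fields(form):
    """Behaviour the note describes: the author is whatever the form says."""
    return {"name": form["name"], "email": form["email"], "body": form["body"]}


def post_bound_to_session(session_id, form):
    """Take the author from the authenticated session, never from the form."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("not authenticated")
    # Submitted identity fields are used only to flag tampering for logging.
    tampered = (form.get("name"), form.get("email")) != (user["name"], user["email"])
    return {"name": user["name"], "email": user["email"],
            "body": form["body"], "tampered": tampered}


def sign_identity(session_id, name, email):
    """MAC the hidden fields when the form is generated (JSON avoids ambiguity)."""
    msg = json.dumps([session_id, name, email]).encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def verify_identity(session_id, form):
    """Accept hidden fields only if their MAC matches this session."""
    expected = sign_identity(session_id, form["name"], form["email"])
    return hmac.compare_digest(expected.encode(), str(form.get("sig", "")).encode())


if __name__ == "__main__":
    # Constructed submission: session belongs to alice, hidden fields name bob.
    form = {"name": "bob", "email": "bob@example.org", "body": "hello"}
    print(post_trusting_hidden_fields(form))
    print(post_bound_to_session("sess-alice", form))
    print(verify_identity("sess-alice", form))
```

Binding the author to the session removes the need for the hidden fields entirely; the MAC variant applies when the fields must stay in the form.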


Malicious users of Allaire Forums may impersonate other users.


The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information


Allaire Corporation Affected

Updated:  September 20, 2002



Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.


The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.




Thanks to John Cantu for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: CVE-2002-0108
Severity Metric: 0.61
Date Public: 2002-01-08
Date First Published: 2002-09-26
Date Last Updated: 2002-09-26 21:57 UTC
Document Revision: 4

Sponsored by CISA.