
CERT Coordination Center

Allaire Forums does not verify user information stored in hidden form fields

Vulnerability Note VU#575619

Original Release Date: 2002-09-26 | Last Revised: 2002-09-26

Overview

Allaire Forums does not verify user information submitted in hidden fields on a web form, allowing attackers to impersonate other users.

Description

Allaire Forums is a web-based bulletin board system that runs on Cold Fusion. When a user wishes to post a message, Allaire Forums dynamically generates a web form that carries the user's name and email address in hidden fields. Attackers may easily change these fields to specify a different user, and Allaire Forums does not verify on submission that the values belong to the authenticated user. Therefore, attackers may post messages to the bulletin board signed with a different user's name and email address.
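The flaw described above comes down to trusting client-supplied identity: whatever a browser returns in a hidden field is under the user's control. The following Python sketch is an added illustration, not code from Allaire Forums or the CERT/CC. It contrasts a handler that reads the poster's name and email from hidden fields with two defensive patterns: taking identity from the server-side session and ignoring the hidden fields, and, for stateless forms, signing the hidden values when the form is rendered so tampering is detected on submission. It also includes a small detection hook that flags submissions whose hidden fields disagree with the session. The session store (SESSIONS), the signing key (SERVER_KEY), and all function names are constructed for this example.

```python
import hmac
import hashlib

# Constructed server-side session store (hypothetical): session id -> identity
# established at login. Nothing here comes from the client on each request.
SESSIONS = {
    "sess-alice": {"name": "Alice Example", "email": "alice@example.com"},
}

# Constructed signing key for the stateless variant below. A real deployment
# would load a random secret from configuration, never hard-code it.
SERVER_KEY = b"constructed-demo-key-do-not-reuse"


def post_vulnerable(form):
    """The pattern the note describes: the poster's identity is read straight
    from hidden fields the browser sent back, so whatever the client put there
    becomes the attribution on the stored message."""
    return {"name": form["name"], "email": form["email"], "body": form["body"]}


def post_hardened(form, session_id):
    """Identity is taken from the server-side session only. The hidden
    name/email fields may still be present in the form for display, but they
    are never used for attribution."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise PermissionError("no authenticated session")
    return {"name": user["name"], "email": user["email"], "body": form["body"]}


def hidden_field_mismatch(form, session_id):
    """Detection hook: report whether the hidden fields a client submitted
    disagree with the identity on its session. A defender can log and alert
    on this even before the handler itself is fixed."""
    user = SESSIONS.get(session_id)
    if user is None:
        return True
    return form.get("name") != user["name"] or form.get("email") != user["email"]


def sign_hidden_fields(name, email):
    """Stateless alternative: when rendering the form, emit an HMAC over the
    hidden values so the server can tell on submission whether they changed."""
    msg = f"{name}\x00{email}".encode("utf-8")
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def post_signed(form):
    """Accept the hidden identity fields only if the signature issued when the
    form was rendered still matches them."""
    expected = sign_hidden_fields(form.get("name", ""), form.get("email", ""))
    if not hmac.compare_digest(expected, form.get("sig", "")):
        raise PermissionError("hidden identity fields failed integrity check")
    return {"name": form["name"], "email": form["email"], "body": form["body"]}


if __name__ == "__main__":
    # Constructed submission: the browser holds Alice's session, but the hidden
    # fields were edited to name a different user.
    edited = {"name": "Bob Example", "email": "bob@example.com", "body": "hi"}
    print("vulnerable attribution:", post_vulnerable(edited)["name"])
    print("hardened attribution:  ", post_hardened(edited, "sess-alice")["name"])
    print("mismatch detected:     ", hidden_field_mismatch(edited, "sess-alice"))
```

The session-based handler is the preferred fix because it removes the hidden fields from the trust boundary entirely; the signed-field variant is only appropriate where no server-side session exists, and it still requires the key to stay secret and the signature to cover every field that influences attribution.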

Impact

Malicious users of Allaire Forums may impersonate other users.

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

Vendor Information

Allaire Corporation

Updated:  September 20, 2002

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group          Score   Vector
Base           N/A     N/A
Temporal       N/A     N/A
Environmental  N/A

References

Acknowledgements

Thanks to John Cantu for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs: None
Severity Metric: 0.61
Date Public: 2002-01-08
Date First Published: 2002-09-26
Date Last Updated: 2002-09-26 21:57 UTC
Document Revision: 4

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.