Allaire Forums does not verify user information stored in hidden form fields

Overview

Allaire Forums does not verify user information submitted in hidden fields on a web form, allowing attackers to impersonate other users.

Description

Allaire Forums is a web-based bulletin board system that runs on Cold Fusion. When a user wishes to post a message, Allaire Forums dynamically generates a web form including the user’s name and email address in hidden fields. Attackers may easily change these fields to specify a different user, and Alliare Forums does not check the submission to authenticate the user. Therefore, attackers may post messages to the bulletin board signed by a different user’s name and email address.

---

Impact

Malicious users of Allaire Forums may impersonate other users.

---

Solution

The CERT/CC is currently unaware of a practical solution to this problem.

---

Vendor Information

575619

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Allaire Corporation Affected

Updated: September 20, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23575619 Feedback>).

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

<http://www.securityfocus.com/bid/3827&gt;

Acknowledgements

Thanks to John Cantu for reporting this vulnerability.

This document was written by Shawn Van Ittersum.

Other Information

CVE IDs:	CVE-2002-0108
Severity Metric:	0.61 Date Public: