False Cross Site Request Forgery (CSRF) issue in 1.0.14

Submitted by Anonymous on Sun, 02/05/2012 - 10:57
Written by Dietrich

A few weeks ago, information was spread about a security vulnerability claimed to be present in UseBB 1.0.14. More specifically, it was said to be a Cross Site Request Forgery vulnerability in the Admin Control Panel.

I would like to be clear about this: this issue or vulnerability is NOT present in the UseBB 1.0.14 forum software package. CSRF issues were present in previous versions but were reported and fixed in 1.0.12 (April 2011). Verification and testing revealed no existing issue in the ACP in the current stable version of UseBB 1.

In addition, I have received no message from the author of the posted exploit, either before or after its release on several websites. Neither did I see any bug report or message on GitHub or UseBB.net. Any of these could have avoided or limited the spread of this kind of false information.

It is not the first time this has happened, and it previously brought up the idea of having our own database of vulnerability disclosures in UseBB products. This event only confirmed that an official and centralised place for disclosures in UseBB is a must. I would also like to stress (again) that information available on many "security websites" is of very questionable quality and should be taken with a serious grain of salt.

Dietrich
UseBB project leader