Users of tuenti.com, please be advised of an Insecure Direct Object Reference vulnerability that has been identified, which allows any user's messages to be read.
To view this vulnerability, possible remedies, and others, please check out the Security Advisories at Critical Watch (http://criticalwatch.com/support/security-advisories.aspx)
Amplify’d from www.criticalwatch.com
INTERNET SECURITY AUDITORS ALERT 2010-008: Insecure Direct Object Reference in tuenti.com allows reading any user's messages
DESCRIPTION
-------------------------
An insecure direct object reference vulnerability has been detected in
Tuenti.com that allows reading any blog entry of any user, and thus
gives access to the private messages of Tuenti.com users.
The "blog_entry_id" parameter refers directly to a blog entry, so a
user who changes the value of this parameter can access arbitrary blog
entries.
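The following is an added example, not code from the advisory or from Tuenti. It models the defect the advisory describes: a request parameter (here `blog_entry_id`) is used directly as the key of a lookup, so the only thing protecting another user's entry is the attacker not knowing (or guessing) its number. The hardened lookup resolves the id and then enforces an object-level authorisation policy before returning anything. The entries, user ids, friendship graph and visibility policy are constructed for illustration and are not Tuenti's data model.

```python
# Added example (not from the advisory): minimal model of a blog-entry lookup
# showing the Insecure Direct Object Reference pattern and its fix.
# All ids, entries and the friendship graph below are constructed sample data.

from dataclasses import dataclass


@dataclass(frozen=True)
class BlogEntry:
    entry_id: int
    owner_id: int
    visibility: str   # "public", "friends" or "private" (constructed policy tiers)
    body: str


# Constructed sample store: two authors, three entries.
ENTRIES = {
    1001: BlogEntry(1001, owner_id=7, visibility="public", body="public post by user 7"),
    1002: BlogEntry(1002, owner_id=7, visibility="friends", body="friends-only post by user 7"),
    1003: BlogEntry(1003, owner_id=9, visibility="private", body="private note by user 9"),
}

# Constructed friendship graph: users 7 and 9 are friends; user 42 has no friends.
FRIENDS = {7: {9}, 9: {7}, 42: set()}


class Forbidden(Exception):
    """Raised when the requesting user may not read the requested entry."""


def get_entry_vulnerable(blog_entry_id: int, requesting_user_id: int) -> BlogEntry:
    """IDOR: the identifier taken from the request is used directly as the key.
    The requesting user is never consulted, so any authenticated user who
    alters blog_entry_id reads any entry in the store."""
    return ENTRIES[blog_entry_id]


def is_allowed(entry: BlogEntry, requesting_user_id: int) -> bool:
    """Object-level authorisation (constructed policy): the owner may always
    read; public entries are readable by anyone; friends-only entries by the
    owner's friends; private entries by nobody else."""
    if entry.owner_id == requesting_user_id:
        return True
    if entry.visibility == "public":
        return True
    if entry.visibility == "friends":
        return requesting_user_id in FRIENDS.get(entry.owner_id, set())
    return False


def get_entry_fixed(blog_entry_id: int, requesting_user_id: int) -> BlogEntry:
    """Hardened lookup: resolve the id, then check the policy for this user
    before returning the object. A guessed id yields nothing useful."""
    entry = ENTRIES.get(blog_entry_id)
    if entry is None or not is_allowed(entry, requesting_user_id):
        # One error for both "missing" and "not yours", so the response does
        # not confirm whether an id exists.
        raise Forbidden(f"entry {blog_entry_id} is not available to user {requesting_user_id}")
    return entry


def can_read(blog_entry_id: int, requesting_user_id: int) -> bool:
    """True/False wrapper around get_entry_fixed for callers and tests."""
    try:
        get_entry_fixed(blog_entry_id, requesting_user_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # User 42 is not the owner of 1003 and not a friend of its owner.
    print("vulnerable:", get_entry_vulnerable(1003, 42).body)   # leaks the private note
    print("fixed:", can_read(1003, 42))                         # False
    print("fixed, owner:", can_read(1003, 9))                   # True
```

The fix is the `is_allowed` step, not a less guessable identifier: sequential ids are fine as long as every read of `blog_entry_id` is paired with a check that the current session's user may see that object. Returning the same "not available" result for a missing id and for a denied one also keeps the endpoint from acting as an oracle for which ids exist.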
Read more at www.criticalwatch.com