Vulnerability in tDiary

On 20 July 2005, a Cross-Site Request Forgery (CSRF) vulnerability was discovered in tDiary. The tDiary development team fixed it and released fixed versions.

Affected versions

* tDiary 2.0.1 and older (Stable releases)
* tDiary 2.1.1 (Development release)

Fixed in

* tDiary 2.0.2 (Stable release)
* tDiary 2.1.2 (Development release)

More information

Remote attackers could exploit the trust of a logged-on user by getting him/her to click their URIs or visit their web sites, and then edit and/or delete entries or configurations of his/her tDiary. The vulnerability could also allow arbitrary commands or scripts to run with the privilege of the web server which serves the tDiary CGI.

See for CSRF.

The fixed versions implement new request filtering for updating an entry or configuration. tDiary now only accepts update requests with:

* POST method, and
* a valid referer, and
* a key embedded in a form, which attackers can not guess.
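The three checks above, as an added example written for this page (it is not tDiary's own code, and the request/session shapes, field name `csrf_key`, and helper names are assumptions): the request must be a POST, the Referer must come from the site's own origin, and the form must carry the unguessable key that the server issued for that session.

```ruby
require 'securerandom'
require 'uri'

# Added example, not tDiary's code. A session is modelled as a plain Hash and a
# request as { method:, referer:, params: }; "csrf_key" is an assumed field name.

# Issue a fresh, unguessable key for this session and remember it server-side.
# The same key is embedded in the edit form, so a forged request from another
# site cannot know it.
def issue_csrf_token(session)
  session[:csrf_token] ||= SecureRandom.hex(32)
end

# Constant-time comparison so a wrong key fails without leaking timing info.
def secure_equal?(a, b)
  return false if a.nil? || b.nil? || a.bytesize != b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Does the Referer name the same scheme, host and port as the site itself?
def same_origin?(referer, site_origin)
  return false if referer.nil? || referer.empty?
  ref  = URI.parse(referer)
  site = URI.parse(site_origin)
  ref.scheme == site.scheme && ref.host == site.host && ref.port == site.port
rescue URI::InvalidURIError
  false
end

# Decide whether an update request may be processed.
# site_origin is the scheme://host[:port] tDiary is served from.
# Returns :ok or a symbol naming the first check that failed.
def check_update_request(request, session, site_origin)
  return :bad_method  unless request[:method] == "POST"
  return :bad_referer unless same_origin?(request[:referer], site_origin)

  submitted = request[:params]["csrf_key"]
  expected  = session[:csrf_token]
  return :bad_token unless expected && secure_equal?(submitted, expected)
  :ok
end

if __FILE__ == $0
  # Constructed sample session and requests.
  session = {}
  token   = issue_csrf_token(session)
  origin  = "http://diary.example.org"
  good    = { method: "POST", referer: "#{origin}/update.rb",
              params: { "csrf_key" => token } }
  forged  = { method: "POST", referer: "http://attacker.example/",
              params: { "csrf_key" => "guess" } }
  puts check_update_request(good, session, origin)   # ok
  puts check_update_request(forged, session, origin) # bad_referer
end
```

The checks are ordered cheapest first; a GET is rejected before the Referer is parsed, and the key is compared only once the request already looks like it came from the site's own form. Note that a missing Referer is treated as a failure here, which matches the advisory's "valid referer" requirement but will reject users whose browsers or proxies strip the header.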

* Yutaka OIWA and Hiromitsu TAKAGI (Research Center for Information Security, National Institute of Advanced Industrial Science and Technology (AIST))

Posted by TADA Tadashi 2005-07-21
