Category:   Application (Web Server/CGI)  >   Apache Continuum
Vendors:   Apache Software Foundation
Apache Continuum Input Validation Flaw Permits Cross-Site Request Forgery Attacks
SecurityTracker Alert ID:  1025066
SecurityTracker URL:
CVE Reference:   CVE-2010-3449   (Links to External Site)
Date:  Feb 10 2011
Impact:   Disclosure of authentication information, Disclosure of user information, Execution of arbitrary code via network, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 1.3.6 and prior versions, 1.4.0 (Beta)
Description:   A vulnerability was reported in Apache Continuum. A remote user can conduct cross-site request forgery attacks.

The administrative function for changing user passwords does not verify the source of the request. A remote user who can induce a logged-in administrator to submit a request can take actions on the site running the Apache Continuum software while acting as the target user.

Anatolia Security Research Group reported this vulnerability.

Impact:   A remote user can take actions on the site running the Apache Continuum software acting as the target user.
Solution:   The vendor has issued a fix (1.3.7).

A patch for version 1.4.0 (Beta) is also available at:

Vendor URL: (Links to External Site)
Cause:   Input validation error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.

 Source Message Contents

Subject:  [SECURITY] CVE-2010-3449: Apache Continuum CSRF vulnerability

CVE-2010-3449: Apache Continuum CSRF vulnerability

Severity: Important

The Apache Software Foundation

Versions Affected:
Continuum 1.3.6
Continuum 1.4.0 (Beta)
The unsupported versions Continuum 1.1 - are also affected.

Administrators are able to change any user's password, but the
source of the request is not verified, making the behaviour
susceptible to CSRF.

Continuum 1.3.6 and earlier users should upgrade to 1.3.7.

Continuum 1.4.0 (Beta) users should apply the following patch:

This issue was discovered by Anatolia Security Research Group.


Brett Porter
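Added illustration (not Continuum's code and not from the advisory above): the flaw class described in the SecurityTracker description and in the vendor message is an administrative password-change handler that trusts the session cookie alone. The block below models that pattern next to a hardened variant that additionally requires a per-session synchronizer token and a matching Origin header; the session store, user table, site URL and handler names are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory stand-ins for a session store and user database.
SESSIONS = {}   # session id -> {"user": ..., "role": ..., "csrf": ...}
USERS = {"admin": "admin-secret", "alice": "old-pass"}
SITE_ORIGIN = "https://ci.example.test"   # assumed origin of the application


def login(user, role):
    """Create a session and mint a per-session synchronizer (anti-CSRF) token."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "role": role, "csrf": secrets.token_urlsafe(32)}
    return sid


def change_password_unverified(cookie_sid, form):
    """Vulnerable pattern: any POST that arrives with a valid admin session
    cookie is honoured, no matter which site caused the browser to send it."""
    sess = SESSIONS.get(cookie_sid)
    if not sess or sess["role"] != "admin":
        return 403
    USERS[form["username"]] = form["password"]
    return 200


def change_password_verified(cookie_sid, form, headers):
    """Hardened pattern: the cookie still identifies the administrator, but the
    request must also carry the session's token (which only a page served by
    this site can embed) and must originate from this site per the Origin
    header. The token check is the primary control; Origin is defence in depth."""
    sess = SESSIONS.get(cookie_sid)
    if not sess or sess["role"] != "admin":
        return 403
    submitted = form.get("csrf_token", "")
    # Constant-time comparison so the token cannot be recovered by timing.
    if not hmac.compare_digest(submitted, sess["csrf"]):
        return 403
    if headers.get("Origin") != SITE_ORIGIN:
        return 403
    USERS[form["username"]] = form["password"]
    return 200
```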

