Trac: Cross-site request forgery — GLSA 200612-14

Trac allows remote attackers to execute unauthorized actions as other users.

Affected Packages

www-apps/trac on all architectures
Affected versions < 0.10.1
Unaffected versions >= 0.10.1

Background

Trac is a wiki and issue tracking system for software development projects.

Description

Trac allows users to perform certain tasks via HTTP requests without performing correct validation on those requests.

Impact

An attacker could entice an authenticated user to browse to a specially crafted URL, allowing the attacker to execute actions in the Trac instance as if they were the user.

Workaround

There is no known workaround at this time.

Resolution

All Trac users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=www-apps/trac-0.10.1"

References

Release Date
December 12, 2006

Latest Revision
December 12, 2006: 01

Severity
low

Exploitable
remote

Bugzilla entries