Is Oxwall corrected for this problem?
« The vulnerability exists due to failure in the
"/admin/pages/maintenance" script to properly verify the source of the
HTTP request. A remote attacker can trick a logged-in administrator to
visit a page with CSRF exploit and put the entire website under
maintenance. Additionally, the attacker is able to inject arbitrary HTML
and JavaScript code into maintenance message and execute it in browsers
of any website visitor. Successful exploitation of this vulnerability
may allow an attacker to steal other users' cookies, spread malware to
website visitors, and even obtain full control over vulnerable website.
»
http://www.securiteam.com/securitynews/5YP382KHQG.html