Date: Tue, 1 Oct 2013 09:23:23 +0300
From: Henri Salo <henri@...v.fi>
To: Kurt Seifried <kseifried@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities

On Wed, Sep 25, 2013 at 12:07:32PM -0600, Kurt Seifried wrote:
> On 09/25/2013 10:45 AM, Henri Salo wrote:
> > On Wed, Sep 25, 2013 at 02:33:14PM +0000, Moritz Naumann wrote:
> >> This CSRF doesn't work for me on two 2.0.4 installations I tested
> >> on.
> > 
> > You are correct.
> > 
> >> Both return Unable to verify referring url. Please go back and
> >> try again.
> > 
> > Actual error message for me:
> > 
> > "Your session timed out while posting. Please go back and try
> > again."
> > 
> > I'm really sorry about this. I even tested using a different computer
> > so I don't know what I previously did wrong/different. Thank you
> > for correcting this.
> > 
> > --- Henri Salo
> > 
> 
> So to confirm: the XSS are legit, the CSRF is confirmed to not work?
> thanks.

Can we get these assigned, or do you have open questions? Thanks.

---
Henri Salo
