Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 01 Oct 2013 10:07:22 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5
 - multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/01/2013 12:23 AM, Henri Salo wrote:
> On Wed, Sep 25, 2013 at 12:07:32PM -0600, Kurt Seifried wrote:
>> On 09/25/2013 10:45 AM, Henri Salo wrote:
>>> On Wed, Sep 25, 2013 at 02:33:14PM +0000, Moritz Naumann
>>> wrote:
>>>> This CSRF doesn't work for me on two 2.0.4 installations I
>>>> tested on.
>>> 
>>> You are correct.
>>> 
>>>> Both return Unable to verify referring url. Please go back
>>>> and try again.
>>> 
>>> Actual error message for me:
>>> 
>>> "Your session timed out while posting. Please go back and try 
>>> again."
>>> 
>>> I'm really sorry about this. I even tested using different
>>> computer so I don't know what I previously did wrong/different.
>>> Thank you for correcting this.
>>> 
>>> --- Henri Salo
>>> 
>> 
>> So to confirm: the XSS are legit, the CSRF is confirmed to not
>> work? thanks.
> 
> Can we get these assigned or do you have open questions, thanks.
> 
> --- Henri Salo

Apologies for the delay. Please use CVE-2013-4395 for the XSS vuln.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSSvM6AAoJEBYNRVNeJnmTBOkP/jqGXYbN+ZSMT1R8hGpUr1kN
ZO457FI7N8nhSsikecIgY9bnuEb0rTEQ3JYzsrPOWPNXwpkyzAr95LWXQQCfY92W
RgYd6kilcqY1ydJz2/wV050nOm16vcHHbq4/oZ/HtRjIchMtS/PIhdKzV1o8Pwcl
DWWqyv3lDl9wcnWBHPoJHcxh7oVI0DKTgDCK1pRhX7U2Z/mJ9DTR6bgFakZOiXYb
67jYSFX8Jx3MB94u7Ol51TtbNbiurGfesJ1EgCcYcezAreV55IobJ7ynCjV1hm8u
hbCVfMncTphggEX0kKb81tmPLQhnNrb8hhYeK+Q3T7gl/j9jcRDT5Z8VnwfzEBJZ
mHZQNBWVplBLeFcUKaD6n8r4GaOexkZa3byqBc4pUZGtKTLAfI0ayxbfhF+b/uap
3EO5ecNTzL5Ajm0zL++tlrJhTBpuvsceBqk+NTXCFrsCjnLjmTrIFp7SBieFsXXT
pU3vkdb/Oxf+i4LXKgwB4PUX90HhgXAQ4On0LmGLYHIoxIuKlW0Q2uD8fo39PrWl
9dtv2wjtZ3wTXDNE/Ovqeqgr4K7aNd64SZ3yVGMU5cQRObjTZSU19IvTnl8UCtXu
ruNsNQmbwirEuo/DXJAyx8Squ67pCP731C4ZFKkqBwYD9cQH9D/iYQXf4x9e4wqB
/lio2kWyNK8QBB2mrHR7
=v7nS
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.