Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Mon, 30 Dec 2013 02:19:55 +0200
From: Henri Salo <>
Cc: Jakob Lell <>
Subject: CVE request: SMF 1.1.19, 2.0.6

Can I get two CVEs for following SMF issues, thanks.

Advisory: "Unspecified Clickjacking Arbitrary Code Execution" "Unicode Homoglyph Username Spoofing Weakness"

Fixed in 1.1.19 and 2.0.6 versions.
Credit: Jakob Lell


October 2013
 ! Added some headers to help protect against clickjacking (thanks Jakob Lell for the report)
 ! Invalid avatars were not always properly cleaned up (thanks chaoztc for the report)
 ! Added protection against usernames being impersonated with Unicode space characters (thanks Jakob Lell for the report)
 ! Sessions weren't always cleaned up properly on logout (thanks creepernex for the report)
 ! Certain fields were accepted during registration even when they shouldn't be (thanks tomreyn for the report)
 ! Certain errors were unnecessarily shown during a failed registration and some of those were inappropriate anyway (thanks Labradoodle-360 for the report)
 ! Approving an account from a member's profile was not logged (thanks emanuele for the report)
 ! Approving an account from a member's profile did not always properly enforce security rules (thanks emanuele for the report)
 ! The PHPSESSID injector would also add it to the canonical link, breaking it (thanks to all who reported it)
 ! An invalid character was indicated in legacy attachment handling
 ! Under some circumstances the admin panel would not accept the number of verification questions you had entered (thanks BurkeKnight for the report)
 ! The help pages could sometimes accidentally direct users to non-existing pages (thanks AngelinaBelle for the report and Illori for the fix)


Henri Salo

Download attachment "signature.asc" of type "application/pgp-signature" (199 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ