Date: Mon, 31 Dec 2012 12:42:13 +0200 From: Henri Salo <henri@...v.fi> To: oss-security@...ts.openwall.com Cc: security@...plemachines.org Subject: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Hello, I tried to reproduce CVE-2012-5903 SMF index.php scheduled-parameter XSS without luck. Does someone have a working payload for this? References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5903 http://packetstormsecurity.org/files/111356/SMF-2.0.2-Cross-Site-Scripting.html http://xforce.iss.net/xforce/xfdb/74521 http://www.securityfocus.com/bid/52822 http://osvdb.org/80766 http://en.securitylab.ru/nvd/432586.php Until someone provides a working PoC I dispute this issue. SMF hasn't replied to my emails about this. Please note there is several comments in forums about this too. 1: http://www.simplemachines.org/community/index.php?topic=491516.msg3445272#msg3445272 2: http://www.simplemachines.org/community/index.php?topic=491516.msg3449057#msg3449057 It's not a security vulnerability if attacker already has administrator access to the application. Should we REJECT CVE-2012-5903? - Henri Salo
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.