Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <20121231104213.GA5226@kludge.henri.nerv.fi>
Date: Mon, 31 Dec 2012 12:42:13 +0200
From: Henri Salo <henri@...v.fi>
To: oss-security@...ts.openwall.com
Cc: security@...plemachines.org
Subject: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS

Hello,

I tried to reproduce CVE-2012-5903 SMF index.php scheduled-parameter XSS without luck. Does someone have a working payload for this? References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2012-5903
http://packetstormsecurity.org/files/111356/SMF-2.0.2-Cross-Site-Scripting.html
http://xforce.iss.net/xforce/xfdb/74521
http://www.securityfocus.com/bid/52822
http://osvdb.org/80766
http://en.securitylab.ru/nvd/432586.php

Until someone provides a working PoC I dispute this issue. SMF hasn't replied to my emails about this. Please note there is several comments[1][2] in forums about this too.

1: http://www.simplemachines.org/community/index.php?topic=491516.msg3445272#msg3445272
2: http://www.simplemachines.org/community/index.php?topic=491516.msg3449057#msg3449057

It's not a security vulnerability if attacker already has administrator access to the application. Should we REJECT CVE-2012-5903?

- Henri Salo

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.