Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon, 31 Dec 2012 17:51:31 +0100
From: Hanno Böck <>
Subject: Re: Dispute CVE-2012-5903 SMF index.php
 scheduled-parameter XSS

On Mon, 31 Dec 2012 15:14:26 +0100
Moritz Naumann <> wrote:

> On 31.12.2012 11:42 Henri Salo wrote:
> [..]
> > Until someone provides a working PoC I dispute this issue. SMF
> > hasn't replied to my emails about this. Please note there is
> > several comments[1][2] in forums about this too.
> > 
> [..]
> > It's not a security vulnerability if attacker already has
> > administrator access to the application. Should we REJECT
> > CVE-2012-5903?
> Based on the authors' description it would seem more likely that the
> attack would use social engineering to trick the legitimate forum
> admin into accessing this URL with a payload in it, which would then
> trigger in his browser and disclose the admins' session cookie to an
> attacker by means of cross site scripting. Like you, I don't see how
> the value passed to the "scheduled" parameter would be echoed out,
> though.

That's pretty much what is called CSRF, isn't it? So it's a CSRF that
can trigger an XSS.

Hanno Böck		mail/jabber:

Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.