Date: Mon, 31 Dec 2012 17:51:31 +0100 From: Hanno Böck <hanno@...eck.de> To: oss-security@...ts.openwall.com Subject: Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS On Mon, 31 Dec 2012 15:14:26 +0100 Moritz Naumann <oss-security@...itz-naumann.com> wrote: > On 31.12.2012 11:42 Henri Salo wrote: > [..] > > Until someone provides a working PoC I dispute this issue. SMF > > hasn't replied to my emails about this. Please note there is > > several comments in forums about this too. > > > [..] > > It's not a security vulnerability if attacker already has > > administrator access to the application. Should we REJECT > > CVE-2012-5903? > > Based on the authors' description it would seem more likely that the > attack would use social engineering to trick the legitimate forum > admin into accessing this URL with a payload in it, which would then > trigger in his browser and disclose the admins' session cookie to an > attacker by means of cross site scripting. Like you, I don't see how > the value passed to the "scheduled" parameter would be echoed out, > though. That's pretty much what is called CSRF, isn't it? So it's a CSRF that can trigger an XSS. -- Hanno Böck mail/jabber: hanno@...eck.de GPG: BBB51E42 http://www.hboeck.de/ Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.