Date: Tue, 01 Oct 2013 10:07:22 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/01/2013 12:23 AM, Henri Salo wrote:
> On Wed, Sep 25, 2013 at 12:07:32PM -0600, Kurt Seifried wrote:
>> On 09/25/2013 10:45 AM, Henri Salo wrote:
>>> On Wed, Sep 25, 2013 at 02:33:14PM +0000, Moritz Naumann wrote:
>>>> This CSRF doesn't work for me on two 2.0.4 installations I tested on.
>>>
>>> You are correct.
>>>
>>>> Both return "Unable to verify referring url. Please go back and try again."
>>>
>>> Actual error message for me:
>>>
>>> "Your session timed out while posting. Please go back and try again."
>>>
>>> I'm really sorry about this. I even tested using a different computer, so I don't know what I previously did wrong/differently. Thank you for correcting this.
>>>
>>> ---
>>> Henri Salo
>>>
>>
>> So to confirm: the XSS are legit, the CSRF is confirmed to not work? Thanks.
>
> Can we get these assigned or do you have open questions? Thanks.
>
> ---
> Henri Salo

Apologies for the delay. Please use CVE-2013-4395 for the XSS vuln.
- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSSvM6AAoJEBYNRVNeJnmTBOkP/jqGXYbN+ZSMT1R8hGpUr1kN
ZO457FI7N8nhSsikecIgY9bnuEb0rTEQ3JYzsrPOWPNXwpkyzAr95LWXQQCfY92W
RgYd6kilcqY1ydJz2/wV050nOm16vcHHbq4/oZ/HtRjIchMtS/PIhdKzV1o8Pwcl
DWWqyv3lDl9wcnWBHPoJHcxh7oVI0DKTgDCK1pRhX7U2Z/mJ9DTR6bgFakZOiXYb
67jYSFX8Jx3MB94u7Ol51TtbNbiurGfesJ1EgCcYcezAreV55IobJ7ynCjV1hm8u
hbCVfMncTphggEX0kKb81tmPLQhnNrb8hhYeK+Q3T7gl/j9jcRDT5Z8VnwfzEBJZ
mHZQNBWVplBLeFcUKaD6n8r4GaOexkZa3byqBc4pUZGtKTLAfI0ayxbfhF+b/uap
3EO5ecNTzL5Ajm0zL++tlrJhTBpuvsceBqk+NTXCFrsCjnLjmTrIFp7SBieFsXXT
pU3vkdb/Oxf+i4LXKgwB4PUX90HhgXAQ4On0LmGLYHIoxIuKlW0Q2uD8fo39PrWl
9dtv2wjtZ3wTXDNE/Ovqeqgr4K7aNd64SZ3yVGMU5cQRObjTZSU19IvTnl8UCtXu
ruNsNQmbwirEuo/DXJAyx8Squ67pCP731C4ZFKkqBwYD9cQH9D/iYQXf4x9e4wqB
/lio2kWyNK8QBB2mrHR7
=v7nS
-----END PGP SIGNATURE-----