oss-sec mailing list archives

Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities


From: Kurt Seifried <kseifried () redhat com>
Date: Wed, 25 Sep 2013 12:07:32 -0600


On 09/25/2013 10:45 AM, Henri Salo wrote:
> On Wed, Sep 25, 2013 at 02:33:14PM +0000, Moritz Naumann wrote:
>> This CSRF doesn't work for me on two 2.0.4 installations I tested
>> on.
>
> You are correct.
>
>> Both return Unable to verify referring url. Please go back and
>> try again.
>
> Actual error message for me:
>
> "Your session timed out while posting. Please go back and try
> again."
>
> I'm really sorry about this. I even tested using a different computer
> so I don't know what I previously did wrong/different. Thank you
> for correcting this.
>
> --- Henri Salo


So to confirm: the XSS are legit, the CSRF is confirmed to not work?
thanks.

-- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

