oss-sec mailing list archives

Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities


From: Henri Salo <henri () nerv fi>
Date: Tue, 1 Oct 2013 09:23:23 +0300

On Wed, Sep 25, 2013 at 12:07:32PM -0600, Kurt Seifried wrote:
> On 09/25/2013 10:45 AM, Henri Salo wrote:
>> On Wed, Sep 25, 2013 at 02:33:14PM +0000, Moritz Naumann wrote:
>>> This CSRF doesn't work for me on two 2.0.4 installations I tested
>>> on.
>>
>> You are correct.
>>
>>> Both return "Unable to verify referring url. Please go back and
>>> try again."
>>
>> Actual error message for me:
>>
>> "Your session timed out while posting. Please go back and try
>> again."
>>
>> I'm really sorry about this. I even tested using a different computer,
>> so I don't know what I previously did wrong/differently. Thank you
>> for correcting this.
>>
>> --- Henri Salo
>
>
> So to confirm: the XSS are legit, the CSRF is confirmed to not work?
> Thanks.

Can we get these assigned, or do you have open questions? Thanks.

---
Henri Salo
