oss-sec mailing list archives
Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 31 Dec 2012 17:51:31 +0100
On Mon, 31 Dec 2012 15:14:26 +0100 Moritz Naumann <oss-security () moritz-naumann com> wrote:
On 31.12.2012 11:42 Henri Salo wrote: [..]Until someone provides a working PoC I dispute this issue. SMF hasn't replied to my emails about this. Please note there is several comments[1][2] in forums about this too.[..]It's not a security vulnerability if attacker already has administrator access to the application. Should we REJECT CVE-2012-5903?Based on the authors' description it would seem more likely that the attack would use social engineering to trick the legitimate forum admin into accessing this URL with a payload in it, which would then trigger in his browser and disclose the admins' session cookie to an attacker by means of cross site scripting. Like you, I don't see how the value passed to the "scheduled" parameter would be echoed out, though.
That's pretty much what is called CSRF, isn't it? So it's a CSRF that can trigger an XSS. -- Hanno Böck mail/jabber: hanno () hboeck de GPG: BBB51E42 http://www.hboeck.de/
Attachment:
signature.asc
Description:
Current thread:
- Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Henri Salo (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Moritz Naumann (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Hanno Böck (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Emanuele (Dec 31)
- Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS Moritz Naumann (Dec 31)