Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS

[Hanno Böck <hanno () hboeck de>]

On Mon, 31 Dec 2012 15:14:26 +0100
Moritz Naumann <oss-security () moritz-naumann com> wrote:

> On 31.12.2012 11:42 Henri Salo wrote:
> [..]
> > Until someone provides a working PoC I dispute this issue. SMF
> > hasn't replied to my emails about this. Please note there is
> > several comments[1][2] in forums about this too.
> [..]
> > It's not a security vulnerability if attacker already has
> > administrator access to the application. Should we REJECT
> > CVE-2012-5903?
>
> Based on the authors' description it would seem more likely that the
> attack would use social engineering to trick the legitimate forum
> admin into accessing this URL with a payload in it, which would then
> trigger in his browser and disclose the admins' session cookie to an
> attacker by means of cross site scripting. Like you, I don't see how
> the value passed to the "scheduled" parameter would be echoed out,
> though.

That's pretty much what is called CSRF, isn't it? So it's a CSRF that
can trigger an XSS.

-- 
Hanno Böck              mail/jabber: hanno () hboeck de
GPG: BBB51E42           http://www.hboeck.de/

Attachment: signature.asc
Description: