oss-sec mailing list archives
Re: CVE request: Simple Machines Forum (SMF) <= 2.0.5 - multiple vulnerabilities
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 01 Oct 2013 10:07:22 -0600
On 10/01/2013 12:23 AM, Henri Salo wrote:
> On Wed, Sep 25, 2013 at 12:07:32PM -0600, Kurt Seifried wrote:
>> On 09/25/2013 10:45 AM, Henri Salo wrote:
>>> On Wed, Sep 25, 2013 at 02:33:14PM +0000, Moritz Naumann wrote:
>>>> This CSRF doesn't work for me on two 2.0.4 installations I tested on.
>>>
>>> You are correct.
>>>
>>>> Both return "Unable to verify referring url. Please go back and try again."
>>>
>>> Actual error message for me: "Your session timed out while posting. Please go back and try again."
>>>
>>> I'm really sorry about this. I even tested using a different computer, so I don't know what I previously did wrong/differently. Thank you for correcting this.
>>>
>>> ---
>>> Henri Salo
>>
>> So to confirm: the XSS are legit, the CSRF is confirmed to not work? thanks.
>
> Can we get these assigned or do you have open questions, thanks.
>
> ---
> Henri Salo
Apologies for the delay. Please use CVE-2013-4395 for the XSS vuln.

- --
Kurt Seifried
Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993