[prev in list] [next in list] [prev in thread] [next in thread] 

List:       oss-security
Subject:    Re: [oss-security] Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS
From:       Hanno =?ISO-8859-1?B?QvZjaw==?= <hanno () hboeck ! de>
Date:       2012-12-31 16:51:31
Message-ID: 20121231175131.2a82115c () melee
[Download RAW message or body]


On Mon, 31 Dec 2012 15:14:26 +0100
Moritz Naumann <oss-security@moritz-naumann.com> wrote:

> On 31.12.2012 11:42 Henri Salo wrote:
> [..]
> > Until someone provides a working PoC I dispute this issue. SMF
> > hasn't replied to my emails about this. Please note there is
> > several comments[1][2] in forums about this too.
> > 
> [..]
> > It's not a security vulnerability if attacker already has
> > administrator access to the application. Should we REJECT
> > CVE-2012-5903?
> 
> Based on the authors' description it would seem more likely that the
> attack would use social engineering to trick the legitimate forum
> admin into accessing this URL with a payload in it, which would then
> trigger in his browser and disclose the admins' session cookie to an
> attacker by means of cross site scripting. Like you, I don't see how
> the value passed to the "scheduled" parameter would be echoed out,
> though.

That's pretty much what is called CSRF, isn't it? So it's a CSRF that
can trigger an XSS.

-- 
Hanno Böck		mail/jabber: hanno@hboeck.de
GPG: BBB51E42		http://www.hboeck.de/

["signature.asc" (application/pgp-signature)]

[prev in list] [next in list] [prev in thread] [next in thread]