oss-sec mailing list archives

Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 31 Dec 2012 17:51:31 +0100

On Mon, 31 Dec 2012 15:14:26 +0100
Moritz Naumann <oss-security () moritz-naumann com> wrote:

> On 31.12.2012 11:42 Henri Salo wrote:
>> Until someone provides a working PoC I dispute this issue. SMF
>> hasn't replied to my emails about this. Please note there are
>> several comments[1][2] in forums about this too.
>>
>> It's not a security vulnerability if an attacker already has
>> administrator access to the application. Should we REJECT
>
> Based on the authors' description it would seem more likely that the
> attack would use social engineering to trick the legitimate forum
> admin into accessing this URL with a payload in it, which would then
> trigger in his browser and disclose the admin's session cookie to an
> attacker by means of cross site scripting. Like you, I don't see how
> the value passed to the "scheduled" parameter would be echoed out,

That's pretty much what is called CSRF, isn't it? So it's a CSRF that
can trigger an XSS.

Hanno Böck              mail/jabber: hanno () hboeck de
GPG: BBB51E42           http://www.hboeck.de/
