Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: Dispute CVE-2012-5903 SMF index.php scheduled-parameter XSS
From: Hanno Böck <hanno () hboeck de>
Date: Mon, 31 Dec 2012 17:51:31 +0100

On Mon, 31 Dec 2012 15:14:26 +0100
Moritz Naumann <oss-security () moritz-naumann com> wrote:

On 31.12.2012 11:42 Henri Salo wrote:
[..]
Until someone provides a working PoC I dispute this issue. SMF
hasn't replied to my emails about this. Please note there is
several comments[1][2] in forums about this too.

[..]
It's not a security vulnerability if attacker already has
administrator access to the application. Should we REJECT
CVE-2012-5903?

Based on the authors' description it would seem more likely that the
attack would use social engineering to trick the legitimate forum
admin into accessing this URL with a payload in it, which would then
trigger in his browser and disclose the admins' session cookie to an
attacker by means of cross site scripting. Like you, I don't see how
the value passed to the "scheduled" parameter would be echoed out,
though.

That's pretty much what is called CSRF, isn't it? So it's a CSRF that
can trigger an XSS.

-- 
Hanno Böck              mail/jabber: hanno () hboeck de
GPG: BBB51E42           http://www.hboeck.de/

Attachment: signature.asc
Description:


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault