CVE-2012-5903

Started by IamTheBoy, November 28, 2012, 05:31:15 AM

IamTheBoy

I see this has cropped up on the US-CERT alerts, yet a search here is not finding anything.

Is there a patch yet?

The implication of the various vulnerability sites is that it was not a responsible disclosure, thus presumably, the vulnerability is in the underground already.

kat

I assume you mean this?

http://en.securitylab.ru/nvd/432586.php

I did a search, as my clairvoyance skills seem to be eluding me, today... ;)

IamTheBoy

Quote from: K@ on November 28, 2012, 05:57:19 AM
I assume you mean this?

http://en.securitylab.ru/nvd/432586.php

I did a search, as my clairvoyance skills seem to be eluding me, today... ;)
Yes - the title had the US Cert reference in, which is what most of the Western World use.

Is there a patch coming soon?

kat

I'll give the developers a nudge, to see if they can answer that. :)

Kindred

It's a pretty stupid report, IMO... it assumes that the hacker already has admin access - and if anyone has full admin access, they can do anything they want to, using the package manager.

Glory to Ukraine

Please do not PM, IM or Email me with support questions.  You will get better and faster responses in the support boards.  Thank you.

"Loki is not evil, although he is certainly not a force for good. Loki is... complicated."

IamTheBoy

Quote from: K@ on November 28, 2012, 02:34:16 PM
I'll give the developers a nudge, to see if they can answer that. :)
Thanks, much appreciated :)

IamTheBoy

Quote from: Kindred on November 28, 2012, 05:03:29 PM
It's a pretty stupid report, IMO... it assumes that the hacker already has admin access - and if anyone has full admin access, they can do anything they want to, using the package manager.
I was struggling to understand the scope of the problem, but it doesn't sound too serious from what you say. However, as it has been given a medium rating (or even the fact it has been given a rating), I think a patch needs to be supplied, even if it's for no other reason than for SMF to look professional enough to be responding professionally to such exploits.

IMHO, of course :)

Kindred

Well, the developers are looking into it... However, I fail to see how this can be rated medium, since - as I said - this presupposes that the attacker already has admin access.

IamTheBoy

Thanks, I'll wait to see what devs come up with or say.

No idea why it's designated as medium; I was struggling to understand the exact problem/exploit.

US Cert bulletin at http://www.us-cert.gov/cas/bulletins/SB12-331.html

Kindred

so, basically, what the report is saying is

- if the user had admin access and is able to run the "scheduled task" action, then that user can force an XSS into the URL of the action.

emanuele

This report is at least 9 months old.
Several developers have tried to think of a way to replicate it, but all of them came to the conclusion: it is simply impossible.

An example (rather representative of reality) of the code that uses the "scheduled" parameter is:
if (isset($_GET['scheduled']))
{
    // do something
}
else
{
    // do something else
}

die();


Usually, to perform an XSS attack you need the value of the parameter to be used in the HTML of the resulting page, for example:
echo $_GET['scheduled'];
In this case an attacker could use a properly formatted link to inject a script (usually JavaScript) into the page and steal data.
But if the parameter is not used "in the template" (directly or indirectly), it's impossible to perform any kind of XSS attack.


Take a peek at what I'm doing! ;D




Need support in Italian?

Help us help you: explain your problem properly: no, "it doesn't work" is not an explanation!!
1) What you do,
2) what you expect,
3) what you get.
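To make the distinction in the post above concrete, here is an added example (written for this thread, not SMF's own code) that contrasts a parameter only tested with isset() against one reflected into the page, with a constructed request value and an htmlspecialchars() variant for the case where a value genuinely must be echoed:

```php
<?php
// Added example, not SMF code. The request array is constructed for the demo.
$request = ['scheduled' => '<script>alert(1)</script>'];

// Pattern the post describes: the parameter is only tested for presence,
// its content never reaches the HTML, so there is nothing to inject into.
function handle_scheduled_only_isset(array $get): string
{
    if (isset($get['scheduled'])) {
        return '<p>running scheduled tasks</p>'; // value itself is unused
    }
    return '<p>nothing scheduled</p>';
}

// Vulnerable pattern from the post: raw user input reflected into markup.
function reflect_raw(array $get): string
{
    return '<p>' . ($get['scheduled'] ?? '') . '</p>';
}

// Hardened form: encode for the HTML text context before emitting.
function reflect_encoded(array $get): string
{
    $value = $get['scheduled'] ?? '';
    return '<p>' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Simple defender-side check: did a raw script tag survive into the output?
function contains_raw_script_tag(string $html): bool
{
    return stripos($html, '<script') !== false;
}

foreach (['isset only' => 'handle_scheduled_only_isset',
          'raw echo'   => 'reflect_raw',
          'encoded'    => 'reflect_encoded'] as $label => $fn) {
    $html = $fn($request);
    printf("%-10s -> %s | raw <script> present: %s\n",
        $label, $html, contains_raw_script_tag($html) ? 'yes' : 'no');
}
```

Only the raw-echo variant lets the tag through; the isset-only handler and the encoded handler produce markup in which the supplied value is either absent or inert.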
