author | Gavin Andresen <gavinandresen@gmail.com> | 2011-06-19 18:33:14 -0400 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2011-06-19 22:33:21 +0000 |
commit | 34988dae9335ec39804985c9b36960c81e0ca748 (patch) | |
tree | 83145c9e1757e0531086f5514064ff1045b32d72 /17 | |
parent | a421a0c18dd6defda4d839b626e923a01c40880e (diff) | |
download | pi-bitcoindev-34988dae9335ec39804985c9b36960c81e0ca748.tar.gz pi-bitcoindev-34988dae9335ec39804985c9b36960c81e0ca748.zip |
Re: [Bitcoin-development] Bitcoin fun day!
Diffstat (limited to '17')
-rw-r--r-- | 17/b895723e41db336a9a1f20c6179643e1cf443c | 77 |
1 files changed, 77 insertions, 0 deletions
diff --git a/17/b895723e41db336a9a1f20c6179643e1cf443c b/17/b895723e41db336a9a1f20c6179643e1cf443c new file mode 100644 index 000000000..a19407ec5 --- /dev/null +++ b/17/b895723e41db336a9a1f20c6179643e1cf443c 
@@ -0,0 +1,77 @@ +Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] + helo=mx.sourceforge.net) + by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76) + (envelope-from <gavinandresen@gmail.com>) id 1QYQYT-00024d-Gl + for bitcoin-development@lists.sourceforge.net; + Sun, 19 Jun 2011 22:33:21 +0000 +Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com + designates 209.85.210.47 as permitted sender) + client-ip=209.85.210.47; envelope-from=gavinandresen@gmail.com; + helo=mail-pz0-f47.google.com; +Received: from mail-pz0-f47.google.com ([209.85.210.47]) + by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) + (Exim 4.76) id 1QYQYS-0000wd-Iw + for bitcoin-development@lists.sourceforge.net; + Sun, 19 Jun 2011 22:33:21 +0000 +Received: by pzk36 with SMTP id 36so4126334pzk.34 + for <bitcoin-development@lists.sourceforge.net>; + Sun, 19 Jun 2011 15:33:14 -0700 (PDT) +MIME-Version: 1.0 +Received: by 10.143.60.5 with SMTP id n5mr635919wfk.434.1308522794516; Sun, 19 + Jun 2011 15:33:14 -0700 (PDT) +Received: by 10.142.13.1 with HTTP; Sun, 19 Jun 2011 15:33:14 -0700 (PDT) +In-Reply-To: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org> +References: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org> +Date: Sun, 19 Jun 2011 18:33:14 -0400 +Message-ID: <BANLkTikiBz52hVreTVJM4Q15rtfGLVE2sQ@mail.gmail.com> +From: Gavin Andresen <gavinandresen@gmail.com> +To: Doug Huff <dhuff@jrbobdobbs.org> +Content-Type: text/plain; charset=ISO-8859-1 +X-Spam-Score: -1.6 (-) +X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. + See http://spamassassin.org/tag/ for more details. 
+ -1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for + sender-domain + 0.0 FREEMAIL_FROM Sender email is freemail (gavinandresen[at]gmail.com) + -0.0 SPF_PASS SPF: sender matches SPF record + -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from + author's domain + 0.1 DKIM_SIGNED Message has a DKIM or DK signature, + not necessarily valid + -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature + 0.0 RFC_ABUSE_POST Both abuse and postmaster missing on sender domain + 0.0 AWL AWL: 
From: address is in the auto white-list +X-Headers-End: 1QYQYS-0000wd-Iw +Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>, + full-disclosure@lists.grok.org.uk +Subject: Re: [Bitcoin-development] Bitcoin fun day! +X-BeenThere: bitcoin-development@lists.sourceforge.net +X-Mailman-Version: 2.1.9 +Precedence: list +List-Id: <bitcoin-development.lists.sourceforge.net> +List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe> +List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development> +List-Post: <mailto:bitcoin-development@lists.sourceforge.net> +List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help> +List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe> +X-List-Received-Date: Sun, 19 Jun 2011 22:33:21 -0000 + +Some of us take private disclosures of vulnerabilities very seriously. + +In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for +bringing it to my attention. + +On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff <dhuff@jrbobdobbs.org> wrote: +> In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com . +> +> This set of CSRFs are particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF. + + +-- +-- +Gavin Andresen +http://clearcoin.com/ + + |
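The vulnerability class discussed in the message above is a state-changing endpoint that trusts only the session cookie: because the browser attaches that cookie to a cross-site form post as well, any page the logged-in victim visits can submit the request. The following is an added example, not ClearCoin's code and not part of the original e-mail; the in-memory store, the `sid-alice` session id, the handler names, the `SITE_ORIGIN` value and the transfer endpoint are all assumptions made for illustration. It shows the vulnerable handler next to a hardened one that checks the `Origin` header and a per-session synchronizer token.

```python
"""Added CSRF example (not ClearCoin's code): a cookie-only handler next to
one that also demands an Origin match and a per-session synchronizer token."""
import hmac
import secrets
from urllib.parse import parse_qs

# Assumed origin of the application; a cross-site form post carries the
# attacker's origin instead.
SITE_ORIGIN = "https://clearcoin.example"


def new_store():
    """Constructed in-memory state standing in for the app's datastore.
    The session cookie value maps to the account and to a CSRF token that
    only pages served by SITE_ORIGIN ever get to see."""
    return {
        "sessions": {
            "sid-alice": {"user": "alice", "csrf": secrets.token_urlsafe(32)},
        },
        "balances": {"alice": 100, "mallory": 0},
    }


def _apply_transfer(store, user, form):
    """Move funds once the caller has decided the request is legitimate."""
    to = form["to"][0]
    amount = int(form["amount"][0])
    bal = store["balances"]
    if amount <= 0 or bal.get(user, 0) < amount:
        return 400
    bal[user] -= amount
    bal[to] = bal.get(to, 0) + amount
    return 200


def send_vulnerable(store, headers, body):
    """CSRF-able: the cookie is the only proof of intent, and browsers send
    cookies on cross-site form posts, so an attacker page can drive this."""
    sess = store["sessions"].get(headers.get("Cookie"))
    if sess is None:
        return 401
    return _apply_transfer(store, sess["user"], parse_qs(body))


def send_hardened(store, headers, body):
    """Same endpoint with two independent CSRF checks."""
    sess = store["sessions"].get(headers.get("Cookie"))
    if sess is None:
        return 401
    # Check 1: browsers add Origin to cross-site POSTs; reject any that is
    # not ours. Absent Origin is tolerated only because the token check
    # below still has to pass.
    origin = headers.get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403
    form = parse_qs(body)
    # Check 2: synchronizer token. The attacker's page cannot read the
    # victim's token (same-origin policy), so it cannot forge this field.
    token = form.get("csrf", [""])[0]
    if not hmac.compare_digest(token, sess["csrf"]):
        return 403
    return _apply_transfer(store, sess["user"], form)


def attacker_page_post(handler, store):
    """Simulates an auto-submitting <form> on an attacker site: the victim's
    browser supplies the cookie, the attacker supplies the body, no token."""
    headers = {"Cookie": "sid-alice", "Origin": "https://evil.example"}
    return handler(store, headers, "to=mallory&amount=100")


def legitimate_post(handler, store):
    """A form rendered by the app itself, which embeds the session token."""
    sess = store["sessions"]["sid-alice"]
    headers = {"Cookie": "sid-alice", "Origin": SITE_ORIGIN}
    return handler(store, headers, f"to=bob&amount=10&csrf={sess['csrf']}")


if __name__ == "__main__":
    s = new_store()
    print("vulnerable, forged:", attacker_page_post(send_vulnerable, s), s["balances"])
    s = new_store()
    print("hardened, forged:  ", attacker_page_post(send_hardened, s), s["balances"])
    print("hardened, genuine: ", legitimate_post(send_hardened, s), s["balances"])
```

The token check is the one that actually closes the hole; the `Origin` comparison is cheap defence in depth. In a real deployment the token is rendered into every state-changing form and rotated with the session, and a `SameSite` attribute on the session cookie adds a third, browser-enforced layer.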