author | Douglas Huff <dhuff@jrbobdobbs.org> | 2011-06-19 17:36:27 -0500 |
---|---|---|
committer | bitcoindev <bitcoindev@gnusha.org> | 2011-06-19 22:36:34 +0000 |
commit | 91d249bff5537554e514ccf49ed6a564a6ccbb2a (patch) | |
tree | cf4119ac0bbb5d5e0f482dd9559a0d5db46ece60 | |
parent | 34988dae9335ec39804985c9b36960c81e0ca748 (diff) | |
Re: [Bitcoin-development] Bitcoin fun day!
-rw-r--r-- | 1a/8fc463d8051b4b2c9e0c91bc07ec828d006ca2 | 102 |
1 files changed, 102 insertions, 0 deletions
diff --git a/1a/8fc463d8051b4b2c9e0c91bc07ec828d006ca2 b/1a/8fc463d8051b4b2c9e0c91bc07ec828d006ca2 new file mode 100644 index 000000000..f9a63fb26 --- /dev/null +++ b/1a/8fc463d8051b4b2c9e0c91bc07ec828d006ca2 
@@ -0,0 +1,102 @@ +Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193] + helo=mx.sourceforge.net) + by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76) + (envelope-from <mith@jrbobdobbs.org>) id 1QYQba-0001m1-5D + for bitcoin-development@lists.sourceforge.net; + Sun, 19 Jun 2011 22:36:34 +0000 +X-ACL-Warn: +Received: from mail-pv0-f175.google.com ([74.125.83.175]) + by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128) + (Exim 4.76) id 1QYQbZ-00011K-4M + for bitcoin-development@lists.sourceforge.net; + Sun, 19 Jun 2011 22:36:34 +0000 +Received: by pvf24 with SMTP id 24so708143pvf.34 + for <bitcoin-development@lists.sourceforge.net>; + Sun, 19 Jun 2011 15:36:27 -0700 (PDT) +MIME-Version: 1.0 +Received: by 10.68.22.100 with SMTP id c4mr1870079pbf.270.1308522987149; Sun, + 19 Jun 2011 15:36:27 -0700 (PDT) +Sender: mith@jrbobdobbs.org +Received: by 10.68.40.5 with HTTP; Sun, 19 Jun 2011 15:36:27 -0700 (PDT) +Received: by 10.68.40.5 with HTTP; Sun, 19 Jun 2011 15:36:27 -0700 (PDT) +In-Reply-To: <BANLkTikiBz52hVreTVJM4Q15rtfGLVE2sQ@mail.gmail.com> +References: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org> + <BANLkTikiBz52hVreTVJM4Q15rtfGLVE2sQ@mail.gmail.com> +Date: Sun, 19 Jun 2011 17:36:27 -0500 +X-Google-Sender-Auth: c7exuRZqC8WO_zkDj0Mp5Za52ds +Message-ID: <BANLkTin8YrrgcRC7MQBo0grcMME-nfW=GA@mail.gmail.com> +From: Douglas Huff <dhuff@jrbobdobbs.org> +To: Gavin Andresen <gavinandresen@gmail.com> +Content-Type: multipart/alternative; boundary=bcaec5215e25d458cb04a6183f1c +X-Spam-Score: 1.0 (+) +X-Spam-Report: Spam Filtering performed by mx.sourceforge.net. + See http://spamassassin.org/tag/ for more details. + 1.0 HTML_MESSAGE BODY: HTML included in message +X-Headers-End: 1QYQbZ-00011K-4M +Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>, + full-disclosure@lists.grok.org.uk +Subject: Re: [Bitcoin-development] Bitcoin fun day! 
+X-BeenThere: bitcoin-development@lists.sourceforge.net +X-Mailman-Version: 2.1.9 +Precedence: list +List-Id: <bitcoin-development.lists.sourceforge.net> +List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe> +List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development> +List-Post: <mailto:bitcoin-development@lists.sourceforge.net> +List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help> +List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>, + <mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe> +X-List-Received-Date: Sun, 19 Jun 2011 22:36:34 -0000 + +--bcaec5215e25d458cb04a6183f1c +Content-Type: text/plain; charset=ISO-8859-1 + +I know. Please do not take this as a personal attack. Blame MagicalTux's +irresponsible behaviour as of late. :( +On Jun 19, 2011 5:34 PM, "Gavin Andresen" <gavinandresen@gmail.com> wrote: +> Some of us take private disclosures of vulnerabilities very seriously. +> +> In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for +> bringing it to my attention. +> +> On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff <dhuff@jrbobdobbs.org> wrote: +>> In light of this decision I would like to report multiple CSRF +vulnerabilities in http://clearcoin.appspot.com . +>> +>> This set of CSRFs are particularly nasty since this is hosted on appspot +and uses google account auth. So long as you stay logged into your google +account you are vulnerable to this CSRF. +> +> +> -- +> -- +> Gavin Andresen +> http://clearcoin.com/ + +--bcaec5215e25d458cb04a6183f1c +Content-Type: text/html; charset=ISO-8859-1 +Content-Transfer-Encoding: quoted-printable + +<p>I know. Please do not take this as a personal attack. Blame MagicalTux&#= +39;s irresponsible behaviour as of late. 
:(</p> +<div class=3D"gmail_quote">On Jun 19, 2011 5:34 PM, "Gavin Andresen&qu= +ot; <<a href=3D"mailto:gavinandresen@gmail.com">gavinandresen@gmail.com<= +/a>> wrote:<br type=3D"attribution">> Some of us take private disclos= +ures of vulnerabilities very seriously.<br> +> <br>> In any case, the ClearCoin CSRF vulnerability is fixed. Than= +k you for<br>> bringing it to my attention.<br>> <br>> On Sun, Jun= + 19, 2011 at 5:54 PM, Doug Huff <<a href=3D"mailto:dhuff@jrbobdobbs.org"= +>dhuff@jrbobdobbs.org</a>> wrote:<br> +>> In light of this decision I would like to report multiple CSRF vul= +nerabilities in <a href=3D"http://clearcoin.appspot.com">http://clearcoin.a= +ppspot.com</a> .<br>>><br>>> This set of CSRFs are particularly= + nasty since this is hosted on appspot and uses google account auth. So lon= +g as you stay logged into your google account you are vulnerable to this CS= +RF.<br> +> <br>> <br>> -- <br>> --<br>> Gavin Andresen<br>> <a hre= +f=3D"http://clearcoin.com/">http://clearcoin.com/</a><br></div> + +--bcaec5215e25d458cb04a6183f1c-- + + |
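Review bot: The added file stores the message body twice, once in the text/plain part and again as a quoted-printable text/html part under the same multipart/alternative boundary, and the header block repeats the line "Received: by 10.68.40.5 with HTTP; Sun, 19 Jun 2011 15:36:27 -0700 (PDT)" verbatim. If the archive is meant to be read and diffed, consider keeping only the text/plain alternative, or document that files are stored byte-for-byte as received so the duplication is expected. The commit subject is only the mail's Subject line; the commit message should say that this change adds one archived list message, so the 102-line new file under a hash-named path is easier to review.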