Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
	helo=mx.sourceforge.net)
	by sfs-ml-4.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
	(envelope-from <gavinandresen@gmail.com>) id 1QYQYT-00024d-Gl
	for bitcoin-development@lists.sourceforge.net;
	Sun, 19 Jun 2011 22:33:21 +0000
Received-SPF: pass (sog-mx-3.v43.ch3.sourceforge.com: domain of gmail.com
	designates 209.85.210.47 as permitted sender)
	client-ip=209.85.210.47; envelope-from=gavinandresen@gmail.com;
	helo=mail-pz0-f47.google.com; 
Received: from mail-pz0-f47.google.com ([209.85.210.47])
	by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
	(Exim 4.76) id 1QYQYS-0000wd-Iw
	for bitcoin-development@lists.sourceforge.net;
	Sun, 19 Jun 2011 22:33:21 +0000
Received: by pzk36 with SMTP id 36so4126334pzk.34
	for <bitcoin-development@lists.sourceforge.net>;
	Sun, 19 Jun 2011 15:33:14 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.143.60.5 with SMTP id n5mr635919wfk.434.1308522794516; Sun, 19
	Jun 2011 15:33:14 -0700 (PDT)
Received: by 10.142.13.1 with HTTP; Sun, 19 Jun 2011 15:33:14 -0700 (PDT)
In-Reply-To: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
References: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
Date: Sun, 19 Jun 2011 18:33:14 -0400
Message-ID: <BANLkTikiBz52hVreTVJM4Q15rtfGLVE2sQ@mail.gmail.com>
From: Gavin Andresen <gavinandresen@gmail.com>
To: Doug Huff <dhuff@jrbobdobbs.org>
Content-Type: text/plain; charset=ISO-8859-1
X-Spam-Score: -1.6 (-)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
	See http://spamassassin.org/tag/ for more details.
	-1.5 SPF_CHECK_PASS SPF reports sender host as permitted sender for
	sender-domain
	0.0 FREEMAIL_FROM Sender email is freemail (gavinandresen[at]gmail.com)
	-0.0 SPF_PASS               SPF: sender matches SPF record
	-0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from
	author's domain
	0.1 DKIM_SIGNED            Message has a DKIM or DK signature,
	not necessarily valid
	-0.1 DKIM_VALID Message has at least one valid DKIM or DK signature
	0.0 RFC_ABUSE_POST Both abuse and postmaster missing on sender domain
	0.0 AWL AWL: From: address is in the auto white-list
X-Headers-End: 1QYQYS-0000wd-Iw
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>,
	full-disclosure@lists.grok.org.uk
Subject: Re: [Bitcoin-development] Bitcoin fun day!
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
	<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sun, 19 Jun 2011 22:33:21 -0000

Some of us take private disclosures of vulnerabilities very seriously.

In any case, the ClearCoin CSRF vulnerability is fixed.  Thank you for
bringing it to my attention.

On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff <dhuff@jrbobdobbs.org> wrote:
> In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com .
>
> This set of CSRFs are particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF.


-- 
--
Gavin Andresen
http://clearcoin.com/