From: Gavin Andresen
To: Doug Huff
Cc: Bitcoin Dev, full-disclosure@lists.grok.org.uk
Date: Sun, 19 Jun 2011 18:33:14 -0400
Subject: Re: [Bitcoin-development] Bitcoin fun day!

Some of us take private disclosures of vulnerabilities very seriously.

In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for
bringing it to my attention.

On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff wrote:
> In light of this decision I would like to report multiple CSRF
> vulnerabilities in http://clearcoin.appspot.com .
>
> This set of CSRFs is particularly nasty since this is hosted on appspot
> and uses Google account auth. So long as you stay logged into your
> Google account you are vulnerable to this CSRF.

--
Gavin Andresen
http://clearcoin.com/
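The bug class Doug describes, shown as an added illustration that is not ClearCoin's code and not anything posted in this thread. The point he makes is that the browser attaches the Google-account cookie to every request to the app, so a form on an attacker's page is submitted with the victim's authority. The example models that with an invented session cookie and an invented escrow-release action (ClearCoin's real handlers and parameter names are not known from this thread): the first handler trusts the cookie alone and accepts the forged post; the second requires POST plus a per-session synchronizer token that a cross-site page can neither read nor derive.

```python
import hmac
import hashlib

# Constructed stand-in for a logged-in Google-account session. The cookie
# name, session table and server secret are invented for this example.
SESSIONS = {"sess-alice": "alice@example.com"}
SERVER_SECRET = b"rotate-me-in-production"  # assumed server-side secret


class Request:
    """Minimal model of an HTTP request as a web framework would hand it over."""

    def __init__(self, method, cookies=None, form=None):
        self.method = method
        self.cookies = cookies or {}
        self.form = form or {}


def current_user(request):
    """Identify the user purely from the session cookie (both handlers do this)."""
    return SESSIONS.get(request.cookies.get("session"))


def csrf_token_for(session_id):
    """Per-session synchronizer token: HMAC(server secret, session id).
    Derived rather than stored, and unguessable from another origin."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def release_escrow_vulnerable(request, ledger):
    """State-changing handler that trusts the cookie alone: any page the
    victim visits can submit this form and the browser adds the cookie."""
    user = current_user(request)
    if user is None:
        return 403
    ledger.append((user, request.form.get("to"), int(request.form.get("amount", 0))))
    return 200


def release_escrow_hardened(request, ledger):
    """Same action, but (1) only POST may change state and (2) the form must
    carry the per-session token, which a cross-site page cannot obtain."""
    if request.method != "POST":
        return 405
    user = current_user(request)
    if user is None:
        return 403
    expected = csrf_token_for(request.cookies["session"])
    supplied = request.form.get("csrf_token", "")
    if not hmac.compare_digest(supplied, expected):
        return 403
    ledger.append((user, request.form.get("to"), int(request.form.get("amount", 0))))
    return 200


def forged_cross_site_post():
    """What an attacker page's auto-submitting form produces: the victim's
    browser attaches the session cookie; the attacker controls only the body."""
    return Request("POST", cookies={"session": "sess-alice"},
                   form={"to": "attacker@example.com", "amount": "10"})


def legitimate_post():
    """A submission from the site's own form, which embedded the token."""
    return Request("POST", cookies={"session": "sess-alice"},
                   form={"to": "bob@example.com", "amount": "10",
                         "csrf_token": csrf_token_for("sess-alice")})


def run_scenarios():
    """Run the forged and the legitimate request through both handlers."""
    results = {}
    for name, handler in (("vulnerable", release_escrow_vulnerable),
                          ("hardened", release_escrow_hardened)):
        ledger = []
        forged = handler(forged_cross_site_post(), ledger)
        legit = handler(legitimate_post(), ledger)
        results[name] = {"forged_status": forged, "legit_status": legit, "ledger": ledger}
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(name, outcome)
```

The token check is the defence the thread's fix implies; checking the Origin or Referer header on state-changing requests, or marking the session cookie SameSite where the platform allows it, are complementary layers, not substitutes, and the method check matters because a state change reachable by GET is reachable from an `<img>` tag.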