1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
|
Received: from sog-mx-3.v43.ch3.sourceforge.com ([172.29.43.193]
helo=mx.sourceforge.net)
by sfs-ml-1.v29.ch3.sourceforge.com with esmtp (Exim 4.76)
(envelope-from <mith@jrbobdobbs.org>) id 1QYQba-0001m1-5D
for bitcoin-development@lists.sourceforge.net;
Sun, 19 Jun 2011 22:36:34 +0000
X-ACL-Warn:
Received: from mail-pv0-f175.google.com ([74.125.83.175])
by sog-mx-3.v43.ch3.sourceforge.com with esmtps (TLSv1:RC4-SHA:128)
(Exim 4.76) id 1QYQbZ-00011K-4M
for bitcoin-development@lists.sourceforge.net;
Sun, 19 Jun 2011 22:36:34 +0000
Received: by pvf24 with SMTP id 24so708143pvf.34
for <bitcoin-development@lists.sourceforge.net>;
Sun, 19 Jun 2011 15:36:27 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.68.22.100 with SMTP id c4mr1870079pbf.270.1308522987149; Sun,
19 Jun 2011 15:36:27 -0700 (PDT)
Sender: mith@jrbobdobbs.org
Received: by 10.68.40.5 with HTTP; Sun, 19 Jun 2011 15:36:27 -0700 (PDT)
Received: by 10.68.40.5 with HTTP; Sun, 19 Jun 2011 15:36:27 -0700 (PDT)
In-Reply-To: <BANLkTikiBz52hVreTVJM4Q15rtfGLVE2sQ@mail.gmail.com>
References: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>
<BANLkTikiBz52hVreTVJM4Q15rtfGLVE2sQ@mail.gmail.com>
Date: Sun, 19 Jun 2011 17:36:27 -0500
X-Google-Sender-Auth: c7exuRZqC8WO_zkDj0Mp5Za52ds
Message-ID: <BANLkTin8YrrgcRC7MQBo0grcMME-nfW=GA@mail.gmail.com>
From: Douglas Huff <dhuff@jrbobdobbs.org>
To: Gavin Andresen <gavinandresen@gmail.com>
Content-Type: multipart/alternative; boundary=bcaec5215e25d458cb04a6183f1c
X-Spam-Score: 1.0 (+)
X-Spam-Report: Spam Filtering performed by mx.sourceforge.net.
See http://spamassassin.org/tag/ for more details.
1.0 HTML_MESSAGE BODY: HTML included in message
X-Headers-End: 1QYQbZ-00011K-4M
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>,
full-disclosure@lists.grok.org.uk
Subject: Re: [Bitcoin-development] Bitcoin fun day!
X-BeenThere: bitcoin-development@lists.sourceforge.net
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: <bitcoin-development.lists.sourceforge.net>
List-Unsubscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=unsubscribe>
List-Archive: <http://sourceforge.net/mailarchive/forum.php?forum_name=bitcoin-development>
List-Post: <mailto:bitcoin-development@lists.sourceforge.net>
List-Help: <mailto:bitcoin-development-request@lists.sourceforge.net?subject=help>
List-Subscribe: <https://lists.sourceforge.net/lists/listinfo/bitcoin-development>,
<mailto:bitcoin-development-request@lists.sourceforge.net?subject=subscribe>
X-List-Received-Date: Sun, 19 Jun 2011 22:36:34 -0000
--bcaec5215e25d458cb04a6183f1c
Content-Type: text/plain; charset=ISO-8859-1
I know. Please do not take this as a personal attack. Blame MagicalTux's
irresponsible behaviour as of late. :(
On Jun 19, 2011 5:34 PM, "Gavin Andresen" <gavinandresen@gmail.com> wrote:
> Some of us take private disclosures of vulnerabilities very seriously.
>
> In any case, the ClearCoin CSRF vulnerability is fixed. Thank you for
> bringing it to my attention.
>
> On Sun, Jun 19, 2011 at 5:54 PM, Doug Huff <dhuff@jrbobdobbs.org> wrote:
>> In light of this decision I would like to report multiple CSRF
vulnerabilities in http://clearcoin.appspot.com .
>>
>> This set of CSRFs are particularly nasty since this is hosted on appspot
and uses google account auth. So long as you stay logged into your google
account you are vulnerable to this CSRF.
>
>
> --
> --
> Gavin Andresen
> http://clearcoin.com/
--bcaec5215e25d458cb04a6183f1c
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: quoted-printable
<p>I know. Please do not take this as a personal attack. Blame MagicalTux&#=
39;s irresponsible behaviour as of late. :(</p>
<div class=3D"gmail_quote">On Jun 19, 2011 5:34 PM, "Gavin Andresen&qu=
ot; <<a href=3D"mailto:gavinandresen@gmail.com">gavinandresen@gmail.com<=
/a>> wrote:<br type=3D"attribution">> Some of us take private disclos=
ures of vulnerabilities very seriously.<br>
> <br>> In any case, the ClearCoin CSRF vulnerability is fixed. Than=
k you for<br>> bringing it to my attention.<br>> <br>> On Sun, Jun=
19, 2011 at 5:54 PM, Doug Huff <<a href=3D"mailto:dhuff@jrbobdobbs.org"=
>dhuff@jrbobdobbs.org</a>> wrote:<br>
>> In light of this decision I would like to report multiple CSRF vul=
nerabilities in <a href=3D"http://clearcoin.appspot.com">http://clearcoin.a=
ppspot.com</a> .<br>>><br>>> This set of CSRFs are particularly=
nasty since this is hosted on appspot and uses google account auth. So lon=
g as you stay logged into your google account you are vulnerable to this CS=
RF.<br>
> <br>> <br>> -- <br>> --<br>> Gavin Andresen<br>> <a hre=
f=3D"http://clearcoin.com/">http://clearcoin.com/</a><br></div>
--bcaec5215e25d458cb04a6183f1c--
|
