From: Doug Huff
Date: Sun, 19 Jun 2011 16:54:28 -0500
To: full-disclosure@lists.grok.org.uk
Cc: Bitcoin Dev <bitcoin-development@lists.sourceforge.net>
Subject: [Bitcoin-development] Bitcoin fun day!
Message-Id: <2B2201C1-E59F-47D4-BF67-08FDB0DDE386@jrbobdobbs.org>

In light of recent events in the "bitcoin community" I have decided that private disclosure of issues is doing nothing but making them more prevalent. In light of this decision I would like to report multiple CSRF vulnerabilities in http://clearcoin.appspot.com.

This set of CSRFs is particularly nasty since this is hosted on appspot and uses google account auth. So long as you stay logged into your google account you are vulnerable to this CSRF.

Things tested:
Changing refund address.
Releasing funds.

POC code (open this in any browser even from a local file):
==========
[HTML form not preserved by the archive; only its rendered text, "test" and "(required)", survives]
==========

Javascript auto submittal, hiding in an iframe, and other obfuscation methods are left as an exercise to the list.

This site is run and maintained by Gavin Anderson, aka, the lead bitcoin maintainer. You should know better Gavin.

-- 
Douglas Huff
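The report describes state-changing actions (changing the refund address, releasing funds) that the site honours on the strength of the login cookie alone. The following is an added illustration, not the site's code and not the poster's POC: a sketch of such a handler next to a hardened version that requires a per-session anti-CSRF token and checks the request origin. The secret, session id and addresses are constructed for the example.

```python
import hashlib
import hmac
from urllib.parse import parse_qs

# Constructed for this example: server-side key used only to derive anti-CSRF tokens.
SERVER_SECRET = b"example-only-secret-rotate-in-production"
SITE_ORIGIN = "https://clearcoin.appspot.com"  # the site named in the report


def csrf_token(session_id: str) -> str:
    """Per-session token: HMAC over the session id. A page on another origin
    cannot read the victim's session or the token, so it cannot forge it."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def vulnerable_set_refund_address(session_id, body, headers):
    """Handler as the report describes it: any POST arriving with the login
    cookie is honoured, so a form submitted from another site succeeds."""
    fields = parse_qs(body)
    if not session_id:
        return 401, "not logged in"
    return 200, "refund address set to " + fields["refund_address"][0]


def hardened_set_refund_address(session_id, body, headers):
    """Same action with two independent checks: the form must carry the
    per-session token (primary control), and Origin, or failing that Referer,
    must match the site (defence in depth; older browsers omitted Origin)."""
    fields = parse_qs(body)
    if not session_id:
        return 401, "not logged in"
    sent = fields.get("csrf_token", [""])[0]
    if not hmac.compare_digest(sent, csrf_token(session_id)):
        return 403, "missing or invalid CSRF token"
    origin = headers.get("Origin") or headers.get("Referer", "")
    if origin != SITE_ORIGIN and not origin.startswith(SITE_ORIGIN + "/"):
        return 403, "cross-origin request rejected"
    return 200, "refund address set to " + fields["refund_address"][0]


def simulate(handler):
    """Run a handler against two constructed requests: one from the site's own
    page, and one submitted by a page on another origin while the victim is
    still logged in (the browser attaches the cookie). Returns both statuses."""
    session = "sess-victim-123"  # constructed session id
    legit = handler(session, "refund_address=1LegitAddr&csrf_token=" + csrf_token(session),
                    {"Origin": SITE_ORIGIN})
    forged = handler(session, "refund_address=1SomeoneElsesAddr",
                     {"Origin": "https://another-site.example"})
    return legit[0], forged[0]
```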