From smoore at securityglobal.net Mon Aug 1 23:44:24 2005
From: smoore at securityglobal.net (Stuart Moore)
Date: Mon Aug 1 23:48:09 2005
Subject: [VIM] Regarding Dragonfly Commerce CAN-2005-2220
Message-ID: <42EEEC18.405@securityglobal.net>

Hi to the VIM list!

Regarding the price modification vulnerability discovered by Diabolic Crab and documented in CVE number CAN-2005-2220, we have confirmed via testing that the flaw actually did exist, despite the vendor's initial denials. We provided additional evidence to the vendor on July 25th. The vendor silently issued a fix on or about July 27, 2005. If you inspect the affected scripts, you will see that the product no longer accepts pricing data from HTML forms.

Our alert is posted at:
http://securitytracker.com/alerts/2005/Jul/1014451.html

We were not able to confirm or refute the other reported vulnerability (the SQL injection one, CVE number CAN-2005-2221) because we didn't try to. The vendor was quite nasty about the whole thing, so I'm not going any further with it. It would be nice to peek at the code (which Secunia offered to, but the vendor declined) to determine conclusively why it would be or wouldn't be an issue.

What is disturbing about this whole process (other than the vendor's near-bizarre behavior) is that several web sites removed all references to this vulnerability when the vendor disputed the flaw and threatened legal action, including FrSIRT and US-CERT.

Stuart
--
SecurityTracker.com

From smoore at securityglobal.net Mon Aug 1 23:54:05 2005
From: smoore at securityglobal.net (Stuart Moore)
Date: Mon Aug 1 23:57:39 2005
Subject: [VIM] Re: Vendor dispute for CAN-2005-1181 (Ariadne PHP file include)
Message-ID: <42EEEE5D.30002@securityglobal.net>

Hi,

> http://securitytracker.com/alerts/2005/Apr/1013721.html

Regarding the Ariadne file include report, we just sent mail to the author of the original report (Fidel Costa) to ask for clarification, just to be certain.
But it occurred to me that the problem may have been a site-specific configuration issue. The 2.4 distribution comes with two separate include files: "ariadne.inc-unix" and "ariadne.inc-win". The administrator needs to manually rename one of these to "ariadne.inc", as the installation process is largely manual. The installation RTF doc explains this in a generic way, so it may not be clear to some (especially those that don't read the docs!). You would think that the system would barf if the include file was missing (i.e., not properly renamed), but perhaps not.

We'll be deleting our Alert on this, unless Fidel Costa has some interesting additional info.

Stuart
--
Stuart Moore
SecurityTracker.com

From jericho at attrition.org Tue Aug 2 06:51:19 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Aug 2 06:51:29 2005
Subject: [VIM] Re: Trillian Ver 3.1 saves password's in plain Text
In-Reply-To: <42EAF909.3060600@suramya.com>
References: <42EAF909.3060600@suramya.com>
Message-ID:

Hi Suramya,

: I was playing around with Trillian Pro 3.1 Build 121 and noticed a very
: disturbing behavior when using it to check my yahoo mail.
:
: When you choose the option to check your yahoo email from Trillian (The
: little connection ball -> Check Yahoo Mail) it creates a temp file in
: the \users\default\cache with a random name that
: contains the yahoo password in *clear text* and this file is world
: readable. This would be somewhat ok if the file was deleted as soon as
: the login was done but the file just sits there till you exit out of
: trillian. Logging out doesn't erase the file. I have watched the file
: exist on my system for over two weeks.
:
: I have duplicated this with Trillian 3.0 Basic and Pro also. Tested on
: Windows XP Pro and Windows 2000.

I have Trillian Pro 3.1 Build 121 on Windows XP and can't duplicate this behavior. I have a YIM, ICQ, AIM and several Jabber accounts.
My cache directory has several files in it; buddy type icon files for various AIM/YIM users, graphics for plugins, etc. In fact, every single file in there is JPEG, GIF or PNG. Doing a case insensitive grep through all the files, I can't find any trace of any of my passwords in any file in this directory. All of the files are dated 08/01/2005 shortly after I started Trillian up after returning from out of town.

Could this occur the first time you set up a specific protocol/account, and that cache file is erased upon Trillian restart? If so, that would still be an issue, although considerably less severe. If not that, is there anything else being done differently here?

: I have attempted to contact Cerulean Studios multiple times before
: releasing this using their webform, email and forums over the past month
: but haven't heard anything back from them. My last attempt to contact
: them was on 06/13/2005. Since I haven't heard anything from them I am
: sending this to Bugtraq.

Before 3.x (i think), Trillian had a way to submit bugs/feedback from within the program, and all of my reports were responded to within 24 hours. Since 3.x I believe that feature is gone. Doesn't help you, just a side comment =) Would be nice to see Cerulean bring this back.

From jericho at attrition.org Tue Aug 2 07:47:41 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Aug 2 07:47:44 2005
Subject: [VIM] Regarding Dragonfly Commerce CAN-2005-2220
In-Reply-To: <42EEEC18.405@securityglobal.net>
References: <42EEEC18.405@securityglobal.net>
Message-ID:

: Hi to the VIM list!

Hey Stuart, welcome to VIM =)

: Regarding the price modification vulnerability discovered by Diabolic
: Crab and documented in CVE number CAN-2005-2220, we have confirmed via
: testing that the flaw actually did exist, despite the vendor's initial
: denials. We provided additional evidence to the vendor on July 25th.
: The vendor silently issued a fix on or about July 27, 2005.
: If you
: inspect the affected scripts, you will see that the product no longer
: accepts pricing data from HTML forms.

Very interesting. I still have this in the OSVDB NDM queue (where stuff lives until we say "this is legit"), with a 'disputed' tag next to it. Based on your findings I will work on this later today. I'll probably push the SQL injection to new, despite the vendor response given they were wrong on one account and Dcrab has a ~ 50% record on being right.

: What is disturbing about this whole process (other than the vendor's
: near-bizarre behavior) is that several web sites removed all references
: to this vulnerability when the vendor disputed the flaw and threatened
: legal action, including FrSIRT and US-CERT.

Is there any public reference (or private) of them threatening legal action? I think I read the initial denial but it was not public and didn't include a threat.

If they sent one to you, could you share it off list? VIM is archived publicly as an FYI =)

.b

From jericho at attrition.org Wed Aug 3 06:32:36 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Aug 3 06:32:39 2005
Subject: [VIM] Errors and oddities in Phorum 5.0.11 XSS/SQL injection
In-Reply-To: <200507152125.j6FLP6Pu015037@linus.mitre.org>
References: <200507152125.j6FLP6Pu015037@linus.mitre.org>
Message-ID:

Good catch here..

: OSVDB:11129 read.php SQL injection
:
: SECUNIA:12980 - generic XSS and SQL injection

My internal note from 2004-10-24:

jericho: not sure where secunia gets the XSS, the original advisory just mentions one sql injection

: - Positive Technologies releases report on SQL injection in read.php
: query string for Phorum 5.0.11
:
: MISC:http://www.maxpatrol.com/advdetails.asp?id=15
: MISC:http://www.maxpatrol.com/mp_advisory.asp

Which is what I read that led to the above comment. Back then, I wasn't digging into changelogs as heavily as I do now.

: - Phorum releases 5.0.12.
: Changelog says "XSS really gone now" and
: "two instances of "fixed sql-injection issue"
:
: http://phorum.org/changelog-5.txt
:
: Not enough detail for me to be sure they fixed the SQL injection
: issue.

Release: phorum.5.0.12
* XSS really gone now - ts77 (10/27/2004)
* fixed sql-injection issue - ts77 (10/25/2004)
* fixed sql-injection issue - ts77 (10/24/2004)

: http://phorum.org/cvs-changelog-5.txt
: * shows SQL injection in read.php *AND* file.php
: * lists XSS is in search.php

* XSS really gone now - ts77 (10/27/2004)
  - /search.php
  - /search.php
* fixed sql-injection issue - ts77 (10/25/2004)
  - /read.php
  - /read.php
* fixed sql-injection issue - ts77 (10/24/2004)
  - /file.php
  - /file.php

: - VDB's linked the XSS to Positive Technologies - but they never
: report XSS

I'd guess Secunia originally mentioned both vulns in their advisory, credited a single source instead of breaking it up.

: - some VDB's only had the vendor changelog and so didn't know it was
: readphp
:
: - all/most VDB's missed that there are 2 SQL injections, one for
: read.php and one for file.php

At the time the ptsecurity.ru site had almost no details, mentioned one SQL injection and I didn't dig into the changelog. So I was blindly following the information in front of me (not so bad in this case, as it was accurate at least), but I should have dug further.

: - some VDB's said the XSS was for read.php but there's no evidence
: of it.

Right, I think they were mixing up the 2nd SQL Injection with the search.php XSS issue.

Off to make two more entries! Again, very good catch here.
.b

From jericho at attrition.org Wed Aug 3 07:09:21 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Aug 3 07:09:23 2005
Subject: [VIM] Naxtor Shopping Cart and lost_passowrd.php
In-Reply-To:
References:
Message-ID:

via bugtraq:

: Authors Site: http://www.naxtor.com.au/
:
: XSS:
:
: http://www.victim.com/lost_passowrd.php?&email=&reset=reset

The demo linked off the vendor page has this as lost_passowrd.php, so this is *not* a typo =)

From coley at mitre.org Wed Aug 3 14:07:31 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed Aug 3 14:11:10 2005
Subject: [VIM] Combined Zen Cart issues
Message-ID: <200508031807.j73I7VRK026495@linus.mitre.org>

References: CAN-2004-2023, CAN-2004-2024, CAN-2004-2025

While I was training a new person yesterday, I ran across some incorrect references to vendor patches for 3 separate vulns in Zen Cart. It appears that there are 3 distinct issues, at least from CVE's perspective.

Some DB's, at least Secunia and OSVDB, have included references to the wrong vendor fix, and/or appear to have mixed two issues together.

This caused a bit of confusion before I realized what was going on, but it was a good demonstration to the trainee of one of the tenets of the Tao of CVE - "someone somewhere got something wrong" ;-)

CVE's reads on the correct vendor links are below.
- Steve

======================================================
Candidate: CAN-2004-2023
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2023
Reference: BUGTRAQ:20040518 Zen Cart login.php SQL Injection Vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108489697219781&w=2
Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=4835
Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD
Reference: BID:10378
Reference: URL:http://www.securityfocus.com/bid/10378
Reference: SECTRACK:1010172
Reference: URL:http://securitytracker.com/id?1010172
Reference: SECUNIA:11649
Reference: URL:http://secunia.com/advisories/11649
Reference: XF:zencart-login-sql-injection(16176)
Reference: URL:http://xforce.iss.net/xforce/xfdb/16176

SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 before patch 1, and possibly other versions allows remote attackers to execute arbitrary SQL via the (1) admin_name or (2) admin_pass parameters.

======================================================
Candidate: CAN-2004-2024
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2024
Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=4873
Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD

The distribution of Zen Cart 1.1.4 before patch 2 includes certain debugging code in the Admin password retrieval functionality, which allows attackers to gain administrative privileges via password_forgotten.php.
======================================================
Candidate: CAN-2004-2025
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2025
Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731
Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD

SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 before patch 2 may allow remote attackers to execute arbitrary SQL commands via the products_id parameter.

From smoore at securityglobal.net Thu Aug 4 07:33:51 2005
From: smoore at securityglobal.net (Stuart Moore)
Date: Thu Aug 4 07:37:38 2005
Subject: [VIM] Regarding Dragonfly Commerce CAN-2005-2220
In-Reply-To:
References: <42EEEC18.405@securityglobal.net>
Message-ID: <42F1FD1F.5050301@securityglobal.net>

Hi. The public threats have been removed from the vendor's web site, but we've got copies. I can send it if you'd like. But I don't really want to publicly take this vendor to task, as I believe they are very small and that it was just one person who went overboard. It might someday make a nice story (with the vendor's name removed) of a "how not to respond" guide.

Stuart

security curmudgeon wrote:
> : Hi to the VIM list!
>
> Hey Stuart, welcome to VIM =)
>
> : Regarding the price modification vulnerability discovered by Diabolic
> : Crab and documented in CVE number CAN-2005-2220, we have confirmed via
> : testing that the flaw actually did exist, despite the vendor's initial
> : denials. We provided additional evidence to the vendor on July 25th.
> : The vendor silently issued a fix on or about July 27, 2005. If you
> : inspect the affected scripts, you will see that the product no longer
> : accepts pricing data from HTML forms.
>
> Very interesting. I still have this in the OSVDB NDM queue (where stuff
> lives until we say "this is legit"), with a 'disputed' tag next to it.
> Based on your findings I will work on this later today.
> I'll probably push
> the SQL injection to new, despite the vendor response given they were
> wrong on one account and Dcrab has a ~ 50% record on being right.
>
> : What is disturbing about this whole process (other than the vendor's
> : near-bizarre behavior) is that several web sites removed all references
> : to this vulnerability when the vendor disputed the flaw and threatened
> : legal action, including FrSIRT and US-CERT.
>
> Is there any public reference (or private) of them threatening legal
> action? I think I read the initial denial but it was not public and didn't
> include a threat.
>
> If they sent one to you, could you share it off list? VIM is archived
> publicly as an FYI =)
>
> .b
>

--
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore@securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax

From jericho at attrition.org Thu Aug 4 07:40:38 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Aug 4 07:40:40 2005
Subject: [VIM] Regarding Dragonfly Commerce CAN-2005-2220
In-Reply-To: <42F1FD1F.5050301@securityglobal.net>
References: <42EEEC18.405@securityglobal.net> <42F1FD1F.5050301@securityglobal.net>
Message-ID:

: Hi. The public threats have been removed from the vendor's web site,
: but we've got copies. I can send it if you'd like. But I don't really
: want to publicly take this vendor to task, as I believe they are very
: small and that it was just one person who went overboard. It might
: someday make a nice story (with the vendor's name removed) of a "how not
: to respond" guide.

I'd love to see them off list. On top of curiosity, it is exactly the kind of thing I would reference in an article or comments on such things (without naming the vendor if the material wasn't public).

.b

From coley at mitre.org Fri Aug 5 01:58:08 2005
From: coley at mitre.org (Steven M. Christey)
Date: Fri Aug 5 02:01:53 2005
Subject: [VIM] Vendor ACK for PHPList issues
Message-ID: <200508050558.j755w8fK028702@linus.mitre.org>

The PhpList vendor appears to have posted an advisory on some recently reported issues (CAN-2005-2432, CAN-2005-2433)

http://tincan.co.uk/?lid=851

I can't find a date on it, but it looks pretty close. I have an e-mail into the vendor just to be sure.

- Steve

======================================================
Candidate: CAN-2005-2432
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2432
Reference: BUGTRAQ:20050728 PhpList Sql Injection and Path Disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112258115325054&w=2
Reference: BUGTRAQ:20050731 PHPList Vunerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112291396731712&w=2
Reference: CONFIRM:http://tincan.co.uk/?lid=851
Reference: OSVDB:18316
Reference: URL:http://www.osvdb.org/18316
Reference: SECUNIA:16274
Reference: URL:http://secunia.com/advisories/16274

SQL injection vulnerability in PhpList allows remote attackers to modify SQL statements via the id argument to admin pages such as (1) members or (2) admin.
======================================================
Candidate: CAN-2005-2433
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2433
Reference: BUGTRAQ:20050728 PhpList Sql Injection and Path Disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112258115325054&w=2
Reference: CONFIRM:http://tincan.co.uk/?lid=851

PhpList allows remote attackers to obtain sensitive information via a direct request to (1) about.php, (2) connect.php, (3) domainstats.php or (4) usercheck.php in public_html/lists/admin directory, (5) attributes.php, (6) dbcheck.php, (7) importcsv.php, (8) user.php, (9) usermgt.php, or (10) users.php in admin/commonlib/pages directory, (11) helloworld.php, or (12) sidebar.php in public_html/lists/admin/plugins directory, or (13) main.php in public_html/lists/admin/plugsins/defaultplugin directory, which reveal the path in an error message.

From jericho at attrition.org Fri Aug 5 06:14:17 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Aug 5 06:14:25 2005
Subject: [VIM] Re: uguestbook exploit
In-Reply-To: <20050728153101.31233.qmail@securityfocus.com>
References: <20050728153101.31233.qmail@securityfocus.com>
Message-ID:

: pro ...... http://www.uapplication.com/
:
: My web site : http://3asfh.net/vb
:
: My Email : l--s@hotmail.com
:
: exploit :
:
: http://xxx.com/guestbook/mdb-database/guestbook.mdb

This was disclosed on 2005-04-28 by "rida rida" via SecurityTracker.

http://securitytracker.com/alerts/2005/Apr/1013830.html

From coley at linus.mitre.org Fri Aug 5 14:06:57 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri Aug 5 14:10:41 2005
Subject: [VIM] PHPList - *not* vendor ACK for recent issue
Message-ID:

from the vendor... (1) the security announcement was for older issues and (2) the vendor can't reproduce the issues in the current stable version.

- Steve

---------- Forwarded message ----------
Date: Fri, 05 Aug 2005 09:27:41 -0300
To: Steven M. Christey
Subject: Re: Clarification requested on security announcement

Hi

No, that announcement is quite old, it was around November 2003 and it affects versions prior to 2.6.4

I have updated the page to reflect this information.

The vulnerability you mention was unknown to me, but I'm trying to reproduce it and I'm not managing. The post does not actually mention versions and if I try this on the latest stable version (2.8.12 released October 2004) I don't get any disclosures

eg (the demo site)

http://www.phplist.com/lists/admin/?page=members&id=1%20union%20select%20null,password,null,null%20from%20phplist_admin%20where%20superuser=1/*sp_password

or the latest development version:

http://cvs.phplist.com/lists/admin/?page=members&id=1%20union%20select%20null,password,null,null%20from%20phplist_admin%20where%20superuser=1/*sp_password

the fact that the page mentions username and password is fine, because that is in "demo mode only".

Regards

Michiel

Steven M. Christey wrote:
>Hello,
>
>I noticed your security announcement at:
>
> http://tincan.co.uk/?lid=851
>
>Is this in response to the following Bugtraq post?
>
> "PhpList Sql Injection and Path Disclosure"
> http://marc.theaimsgroup.com/?l=bugtraq&m=112258115325054&w=2
>
>If so, then what are the affected versions? The announcement has no
>date and no versions listed.
>
>
>Thank you,
>Steve Christey
>CVE Editor
>
>

--
least likely to say "it can't be done"
most likely to say "if it's not in mantis, it won't be done"
t | i | n | c | a | n || l | t | d
Buenos Aires | London | Machynlleth
t | i | n | c | a | n || l | t | d

From jericho at attrition.org Sat Aug 6 00:28:44 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Aug 6 00:28:51 2005
Subject: [VIM] Re: Kent's Guestbook database exploit
In-Reply-To: <20050729151248.28545.qmail@securityfocus.com>
References: <20050729151248.28545.qmail@securityfocus.com>
Message-ID:

: hello ,
:
: site : http://kentldyer.com/guestbook/default.asp

The site runs a guestbook but.. follow:

http://kentldyer.com/
'guestbook' on upper right bar
http://kentldyer.com/guestbook/ (open directory)
http://kentldyer.com/guestbook/readme.txt

Guestbook by Kathi O'Shea
http://www.attitude.com/users/kathi/asp (ASP Tutorial Site)
http://www.web-savant.com (business site)
kathi@attitude.com (support & comments)
info@web-savant.com (design and customization)

Guestbook Instructions

IMPORTANT!! This guestbook will only work on an ASP-enabled site, and you must have script permissions on the directory where the ASP scripts are located. This script will not work on GeoCities, AOL, or most (if not all) of the free homepage sites. If you're not sure if your site is ASP-enabled, contact your system administrator.

1. Files contained in this distribution

README.TXT (this file)
Guestbook.mdb
sign.asp
administration.asp
default.asp

[..]

That open directory has Guestbook.mdb *and* Guestbook1.mdb for some reason.

Either way, this doesn't look like "Kent's Guestbook" as a product/vendor, rather probably Kathi O'Shea Guestbook.

From jericho at attrition.org Sat Aug 6 01:07:22 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Aug 6 01:07:24 2005
Subject: [VIM] new vuln trend?
Message-ID:

18484 Microsoft Office Shared Section Permission Weakness Information Disclosure Jul 27, 2005
18480 IBM Access Connections QCONDB Shared Section Permission Weakness Jul 26, 2005

and this one..

---------- Forwarded message ----------
From: sylvain.roger@solucom.fr
To: bugtraq@securityfocus.com
Date: 28 Jul 2005 19:18:10 -0000
Subject: Vulnerability in Trendmicro Officescan

I found a weakness in Trendmicro Office scan product which can be used by malicious people to fake a virus description.

The vulnerability has been tested with Officescan 5.58, VSApINT : 7.510-1002, TmFilter 7.510.0.1002, Pattern 2.749

The vulnerability is the shared section weaknesses. The Pop3Trap.Exe process has a shared section called "\BaseNamedObjects\Pop3trap_Info" which has bad security rights : everyone can execute, delete, write this section. This allows to change what is displayed to the user when an infected mail arrives. This may lead to "phishing" action, not sure how at the present time.

To reproduce the vulnerability
1. Launch Trendmicro officescan with pop3 module activated
2. Just use TestSS tool written by A. Cerrudo to write on shared section called \BaseNamedObjects\Pop3trap_Info
3. when writing to this section, receive an infected mail and look at what it displays
4. Just imagine what you can display ;-)

Other products may be vulnerable

From jericho at attrition.org Sun Aug 7 01:20:46 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun Aug 7 01:20:48 2005
Subject: [VIM] what is "responsibly disclosed" to you?
Message-ID:

We're all (overly) familiar with the full disclosure debate. Moving past that, assuming that a researcher warns a vendor before publishing, what exactly makes it responsibly disclosed?

Notifying the vendor?
Is a timeframe part of this? (ie: not 2 hours before release)
Not publishing exploit code?
Providing a work around, interim solution, or vendor solution?
If you had to mark each vulnerability in a database as responsibly disclosed or not, what criteria would you use?

From coley at mitre.org Sun Aug 7 17:13:43 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Aug 7 17:17:36 2005
Subject: [VIM] PortailPHP id parameter mess
Message-ID: <200508072113.j77LDhA5002033@linus.mitre.org>

Regarding: CAN-2005-2486

================
Reference: BUGTRAQ:20050804 SQL IN PortailPHP
Reference: URL:http://msgs.securepoint.com/cgi-bin/get/bugtraq0508/53.html
Reference: BID:14474
Reference: URL:http://www.securityfocus.com/bid/14474

SQL injection vulnerability in mod_forum/read_message.php in PortailPHP allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php with the affiche parameter set to "Forum-read_mess", a different vulnerability than CAN-2005-1701.
================

Two points:

1) http://www.safari-msi.com/portailphp/index.php appears to be the main page for PortailPHP, and 1.3 is the latest version (Oct 2004), so the original poster's claim of 2.4 is probably wrong.

2) The id parameter is reported affected, which would seem to overlap earlier reports of the id parameter in CAN-2005-1701, but source code inspection shows that the affected files are all different. The older CAN is for other modules. A single script maps the "affiche" parameter to the appropriate include file.

Oh, and a third:

3) There is some evidence of many other SQL injection issues involving "id" and other parameters.

And a fourth:

4) There is lots of evidence of more significant issues through direct request.

- Steve

From coley at linus.mitre.org Sun Aug 7 17:51:51 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sun Aug 7 17:55:42 2005
Subject: [VIM] new vuln trend?
In-Reply-To:
References:
Message-ID:

Makes sense to me, alas. Quite likely there are Unix equivalents, but I don't recall seeing any reported vulns, so if there have been some in the past, they were probably reported years ago.
Sounds like Cesar Cerrudo discussed shared sections during CanSecWest:

http://blog.ncircle.com/archives/2005/05/cansec_west_sec_2.htm

To my evolving way of thinking, this is basically the use of a "new" alternate channel for exploitation beyond regular old files, command line arguments, CGI query strings, etc. An alternate channel does not pose a vulnerability in and of itself; but if it's trusted or improperly validated, it becomes a new vector for an attacker, even when the traditional channels are protected. Buffer overflows, SQL injection, any type of vuln you already have, is then potentially exploitable through the alternate channel; but such vulnerabilities would likely be resultant from the primary vulnerability, i.e. bad permissions or privileges.

- Steve

From jericho at attrition.org Fri Aug 12 19:07:52 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Aug 12 19:07:55 2005
Subject: [VIM] HP lingo or one hell of a hack?
Message-ID:

http://archives.neohapsis.com/archives/bugtraq/2005-08/0144.html

HP SECURITY BULLETIN
HPSBMA01220 REVISION: 0
SSRT051005 rev.0 - HP ProLiant DL585 Servers Unauthorized Remote Access

[..]

VULNERABILITY SUMMARY:
A potential vulnerability has been identified with the HP ProLiant DL585 server, where a remote unauthorized user may gain access to the server controls, when the server is powered down.

--

When the server is powered down? Is this HP lingo for "server controls are disabled" or something? If not, hacking machines with no power is neat!

From jericho at attrition.org Fri Aug 12 19:09:06 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Aug 12 19:09:07 2005
Subject: [VIM] HP lingo or one hell of a hack?
In-Reply-To:
References:
Message-ID:

Sorry to reply to own, should have quoted one more bit:

: VULNERABILITY SUMMARY:
: A potential vulnerability has been identified with the HP ProLiant
: DL585 server, where a remote unauthorized user may gain access to
: the server controls, when the server is powered down.

RESOLUTION:
Until a new version of the Integrated Lights-Out firmware (version 1.81) for ProLiant DL585 servers is available, HP is providing the following workaround:

To eliminate this vulnerability until ILO version 1.81 becomes available, unplug the power cord whenever the server is powered down. This will prohibit the remote access exploit.

---

From coley at linus.mitre.org Fri Aug 12 19:19:19 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri Aug 12 19:23:32 2005
Subject: [VIM] HP lingo or one hell of a hack?
In-Reply-To:
References:
Message-ID:

> VULNERABILITY SUMMARY:
> A potential vulnerability has been identified with the HP ProLiant
> DL585 server, where a remote unauthorized user may gain access to
> the server controls, when the server is powered down.

Yeah, I noticed this too :)

My guess is that the server has some sort of "wakeup" functionality. Or do they mean "after it has been injected, the exploit's payload is only activated when the server powers itself down."

I also don't understand what a "remote unauthorized user" is. Are they authenticated to the powered-off system in some way? Or could it be just anybody with a network connection to the server?

I wonder how somebody could go about assigning a CVSS score for this ;-)

- Steve

From jericho at attrition.org Fri Aug 12 19:26:31 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Aug 12 19:26:34 2005
Subject: [VIM] HP lingo or one hell of a hack?
In-Reply-To:
References:
Message-ID:

: My guess is that the server has some sort of "wakeup" functionality.

Yep!

: I also don't understand what a "remote unauthorized user" is.
: Are they
: authenticated to the powered-off system in some way? Or could it be
: just anybody with a network connection to the server?

I assume remote unauthorized attacker, not 'user' (bad choice of words).

From coley at mitre.org Sat Aug 13 16:13:32 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sat Aug 13 16:17:54 2005
Subject: [VIM] Possible bogus old vuln notification - PunkBuster
Message-ID: <200508132013.j7DKDWH2006880@linus.mitre.org>

Refs:

BUGTRAQ:20040219 PunkBuster SQL Injection Attack
URL:http://www.securityfocus.com/archive/1/354453
BID:9697
URL:http://www.securityfocus.com/bid/9697
SECTRACK:1009145
URL:http://securitytracker.com/id?1009145
XF:punkbuster-login-sql-injection(15267)
URL:http://xforce.iss.net/xforce/xfdb/15267

(heavily annotated CVE forthcoming)

The researcher, "Just1n T1mberlake," makes several questionable claims in this report:

1) the reference to http://pbdb.sourceforge.net is actually for "PB-DB", which is the PunkBuster Screenshot Database, apparently a different product than "PunkBuster"

2) The download of Alpha 6 shows no reference to "Punky Brewster", based on a case-insensitive grep of "punky" in the download, and a Google search does not suggest any relationship between "punkbuster" and "punky brewster"

3) The discloser claimed notification of a particular e-mail address in 2004, but (a) the PB-DB home page does not have this address, and (b) the last release was in October 2001, suggesting an abandoned project.

4) The following source code is claimed to be affected:

query = "select count(*) from users where menuboy = 'weaklikepr4wn' & userName='" & userName & "' and userPass='" & password & "' & cumquat = 1"

However, I searched the source for "query", "select", "menuboy", and "username" but did not find this source code.

In short, it is highly likely that this post was bogus.

- Steve

From coley at mitre.org Thu Aug 18 22:57:57 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu Aug 18 23:02:35 2005
Subject: [VIM] "external user-complicit attackers"
Message-ID: <200508190257.j7J2vvdu016829@linus.mitre.org>

This isn't exactly an official announcement, and it's subject to change, but I figured I'd let people know that I've started to use the phrase "external user-complicit attackers" to describe attack scenarios where an attacker who's external to an application needs to convince a user - generally through social engineering - to access a file and load it into a vulnerable application to trigger a vulnerability.

This is one small step in addressing part of the long-standing "local vs. remote" terminology problem.

The term is clunky but I'll probably stick to it until something better comes along. All ideas are welcome :-)

Some CVE examples are below.

- Steve

======================================================
Candidate: CAN-2005-2471
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2471
Reference: MISC:http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=319757
Reference: SECUNIA:16184
Reference: URL:http://secunia.com/advisories/16184
Reference: TRUSTIX:2005-0038
Reference: URL:http://www.trustix.org/errata/2005/0038/

pstopnm in netpbm does not properly use the "-dSAFER" option when calling Ghostscript to convert a PostScript file into a (1) PBM, (2) PGM, or (3) PNM file, which allows external user-complicit attackers to execute arbitrary commands.

======================================================
Candidate: CAN-2005-2501
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2501
Reference: APPLE:APPLE-SA-2005-08-15
Reference: URL:http://lists.apple.com/archives/security-announce/2005//Aug/msg00000.html

Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2, as used in applications such as TextEdit, allows external user-complicit attackers to execute arbitrary code via a crafted Microsoft Word file.

From coley at mitre.org Sun Aug 21 16:28:11 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Aug 21 16:33:05 2005
Subject: [VIM] Security Vulnerability reported in W-Agora 4.2
Message-ID: <200508212028.j7LKSBVG002504@linus.mitre.org>

Hello,

I am a computer security professional and the editor for the Common Vulnerabilities and Exposures (CVE) project. CVE is a list of software vulnerabilities, and it is widely used in the computer security industry.

Recently, a vulnerability in W-Agora 4.2 was publicly reported to a well-known security mailing list:

http://www.securityfocus.com/archive/1/408522

Additional information is at:

http://www.securityfocus.com/bid/14597
http://secunia.com/advisories/16497
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2648

Is this vulnerability report accurate? If so, then is the problem fixed, and in which versions?

Thank you,
Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation

From coley at mitre.org Sun Aug 21 16:37:45 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Aug 21 16:42:35 2005
Subject: [VIM] Vendor ACK for Emefa Guestbook 1.2 XSS
Message-ID: <200508212037.j7LKbjnY002657@linus.mitre.org>

Ref: CAN-2005-2650 (forthcoming; see below)

The vendor's front page for the guestbook includes the item "Emefa Guestbook News! Recent Bug fix to script. 08/18/2005". It links to the original advisory and says "A recent bug that caused html and javascript injection into 'sign.asp' has been fixed."
http://www.emefa.myserver.org/comp/guestview.php - Steve ====================================================== Candidate: CAN-2005-2650 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2650 Reference: MISC:http://packetstormsecurity.org/0508-advisories/emefaGuest.txt Reference: MISC:http://systemsecure.org/ssforum/viewtopic.php?t=91 Reference: CONFIRM:http://www.emefa.myserver.org/comp/guestview.php Reference: SECUNIA:16489 Reference: URL:http://secunia.com/advisories/16489 Cross-site scripting (XSS) vulnerability in sign.asp in Emefa Guestbook 1.2 allows remote attackers to inject arbitrary web script or HTML via the (1) name, (2) location, and (3) email parameters. From jericho at attrition.org Mon Aug 22 06:13:09 2005 From: jericho at attrition.org (security curmudgeon) Date: Mon Aug 22 06:13:12 2005 Subject: [VIM] Combined Zen Cart issues In-Reply-To: <200508031807.j73I7VRK026495@linus.mitre.org> References: <200508031807.j73I7VRK026495@linus.mitre.org> Message-ID: On Wed, 3 Aug 2005, Steven M. Christey wrote: ^^^^^^^^^^^^^^^ jeez i'm behind =) : While I was training a new person yesterday, I ran across some incorrect : references to vendor patches for 3 separate vulns in Zen Cart. It : appears that there are 3 distinct issues, at least from CVE's : perspective. : : Some DB's, at least Secunia and OSVDB, have included references to the : wrong vendor fix, and/or appear to have mixed two issues together. : ====================================================== : Candidate: CAN-2004-2023 : URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2023 : : SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 : before patch 1, and possibly other versions allows remote attackers to : execute arbitrary SQL via the (1) admin_name or (2) admin_pass : parameters. hrm. i don't see this in our DB at all and we didn't even have the CVE in the incoming pool. will have to add this shortly. 
: ====================================================== : Candidate: CAN-2004-2024 : URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2024 : Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=4873 : Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD : : The distribution of Zen Cart 1.1.4 before patch 2 includes certain : debugging code in the Admin password retrieval functionality, which : allows attackers to gain administrative privileges via : password_forgotten.php. exactly the refs we have and a title that doesn't mention 2 issues, but it isn't mangled yet. : ====================================================== : Candidate: CAN-2004-2025 : URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2025 : Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=3731 : Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD : : SQL injection vulnerability in application_top.php for Zen Cart 1.1.3 : before patch 2 may allow remote attackers to execute arbitrary SQL : commands via the products_id parameter. had this as the SQL injection, had 2 of the refs, missed the '3731' post. can you specify where we mixed up issues or included the wrong solution? 
http://osvdb.org/16892 = CVE 2004-2025 = stable http://osvdb.org/16891 = CVE 2004-2024 = new but has the same refs as CVE .b From jericho at attrition.org Mon Aug 22 06:16:44 2005 From: jericho at attrition.org (security curmudgeon) Date: Mon Aug 22 06:16:47 2005 Subject: [VIM] Combined Zen Cart issues In-Reply-To: <200508031807.j73I7VRK026495@linus.mitre.org> References: <200508031807.j73I7VRK026495@linus.mitre.org> Message-ID: : ====================================================== : Candidate: CAN-2004-2023 : URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-2023 : Reference: BUGTRAQ:20040518 Zen Cart login.php SQL Injection Vulnerability : Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=108489697219781&w=2 : Reference: CONFIRM:http://www.zen-cart.com/modules/ipb/index.php?showtopic=4835 : Reference: CONFIRM:http://www.zen-cart.com/modules/mydownloads/viewcat.php?cid=31&orderby=dateD : Reference: BID:10378 : Reference: URL:http://www.securityfocus.com/bid/10378 : Reference: SECTRACK:1010172 : Reference: URL:http://securitytracker.com/id?1010172 : Reference: SECUNIA:11649 : Reference: URL:http://secunia.com/advisories/11649 : Reference: XF:zencart-login-sql-injection(16176) : Reference: URL:http://xforce.iss.net/xforce/xfdb/16176 : : SQL injection vulnerability in login.php in Zen Cart 1.1.2d, 1.1.4 : before patch 1, and possibly other versions allows remote attackers to : execute arbitrary SQL via the (1) admin_name or (2) admin_pass : parameters. Oops, we did have: http://osvdb.org/6298 Zen Cart login.php Multiple Variable SQL Injection We did link to '3731' which is the wrong issue, fixing that! thanks =) .b From coley at linus.mitre.org Mon Aug 22 14:41:22 2005 From: coley at linus.mitre.org (Steven M. 
Christey) Date: Mon Aug 22 14:46:22 2005 Subject: [VIM] Combined Zen Cart issues In-Reply-To: References: <200508031807.j73I7VRK026495@linus.mitre.org> Message-ID: On Mon, 22 Aug 2005, security curmudgeon wrote: > : Some DB's, at least Secunia and OSVDB, have included references to the > : wrong vendor fix, and/or appear to have mixed two issues together. > > can you specify where we mixed up issues or included the wrong solution? Hmmm, I'm not sure now. Maybe it was just bad writing on my part :-/ Maybe I meant that it seemed like OSVDB only covered 2 issues when there were 3... and/or at the time I looked at it, I might have only had the OSVDB subject lines, because back then I don't think you were using references for non-mangled entries yet. - Steve From coley at mitre.org Mon Aug 22 14:42:03 2005 From: coley at mitre.org (Steven M. Christey) Date: Mon Aug 22 14:47:07 2005 Subject: [VIM] Vendor ACK for W-Agora directory traversal Message-ID: <200508221842.j7MIg3rU022233@linus.mitre.org> Reference: CAN-2005-2648 An e-mail inquiry to the vendor resulted in an acknowledgement. See below. - Steve ====================================================== >Thank you for your email. >Yes, I've been recently informed of this vulnerability. >After several tests on various platforms and PHP versions, it seems >that this >vulnerability can only be successfully exploited on windows systems >and only if >magic_quote_gpc is set to off. I couldn't reproduce the problem on >unix >systems. > >The fix consists in replacing line #132 in init.inc and line #25 in >index.php : >$site = empty($site) ? 'agora' : $site; >with: >$site = empty($site) ? 'agora' : trim(basename($site)); > >I will release a patch and a new release in the next few days. 
> >Best regards, >Marc Druilhe >w-agora editor ====================================================== Candidate: CAN-2005-2648 URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2648 Reference: BUGTRAQ:20050818 w-agora 4.2.0 and prior Remote Directory Travel Vulnerability Reference: URL:http://www.securityfocus.com/archive/1/408522 Reference: FULLDISC:20050818 w-agora 4.2.0 and prior Remote Directory Travel Vulnerability Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0599.html Reference: MISC:http://h4cky0u.org/viewtopic.php?t=2097 Reference: BID:14597 Reference: URL:http://www.securityfocus.com/bid/14597 Reference: SECUNIA:16497 Reference: URL:http://secunia.com/advisories/16497 Directory traversal vulnerability in index.php in W-Agora 4.2.0 and earlier allows remote attackers to read arbitrary files via the site parameter. From coley at mitre.org Tue Aug 23 14:59:38 2005 From: coley at mitre.org (Steven M. Christey) Date: Tue Aug 23 15:04:40 2005 Subject: [VIM] Vendor dispute of Land Down Under issues Message-ID: <200508231859.j7NIxcbC025498@linus.mitre.org> The front page of the Land Down Under site includes a news item "Regarding LDU at SecurityFocus.com" that disputes the original claims of SQL injection/XSS issues in LDU: Regarding LDU at SecurityFocus.com 21-08-2005 05:25 Since yesterday there's 2 new items about LDU at http://www.securityfocus.com, about "security exploits" that may affect LDU build 800. None of the tricks written there are working, the variables are properly sanitized and no LDU version is affected. This morning I notified the moderators of the site. The 2 articles are here : http://securityfocus.com/bid/14618/exploit http://securityfocus.com/bid/14619/exploit I'll post here as soon as possible if there's updates regarding this topic. *UPDATE* A little "Hello!" 
to all the people trying the non-working URLs here at Neocrome.net, you will be forever famous in the log :] - Steve From coley at mitre.org Tue Aug 23 16:06:39 2005 From: coley at mitre.org (Steven M. Christey) Date: Tue Aug 23 16:11:38 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's Message-ID: <200508232006.j7NK6diT002826@linus.mitre.org> A recent blog entry by Dana Epp calls SecurityFocus to task for publishing a BID on a third party researcher's report of a buffer overflow that had not been coordinated with the vendor: Please act more responsibly "AT ma CA". And you too Symantec (the owners of Security Focus). You aren't helping the industry when you do this. You hurt it. http://silverstr.ufies.org/blog/archives/000849.html Given the growing frequency of these kinds of complaints, it feels like vuln DB's are going to be visibly targeted one of these days. - Steve From jericho at attrition.org Tue Aug 23 17:36:46 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue Aug 23 17:36:48 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: <200508232006.j7NK6diT002826@linus.mitre.org> References: <200508232006.j7NK6diT002826@linus.mitre.org> Message-ID: : A recent blog entry by Dana Epp calls SecurityFocus to task for : publishing a BID on a third party researcher's report of a buffer : overflow that had not been coordinated with the vendor: : : Please act more responsibly "AT ma CA". And you too Symantec (the : owners of Security Focus). You aren't helping the industry when you : do this. You hurt it. : : http://silverstr.ufies.org/blog/archives/000849.html : : Given the growing frequency of these kinds of complaints, it feels like : vuln DB's are going to be visibly targeted one of these days. Interesting! I noticed you posted after I submitted my own: "It took me less than a minute to see that v2.93 just came out and that there was no way that responsible disclosure was used in relation to this advisory." 
Ok, how long did it take you to check the disclosure for the other dozen vulnerabilities released that day? How about the days when we see as many as 100 vulnerabilities released? Does it matter that SecurityFocus posted it 24 hours after other security sites did, and posted it likely knowing that it was already public? You should also correct the version number above, as 9.23 was affected, not 2.93. If you ran a database, some folks may complain about the inaccurate information you provide as well. Posted by: security curmudgeon at August 23, 2005 02:30 PM From smoore at securityglobal.net Tue Aug 23 17:55:59 2005 From: smoore at securityglobal.net (Stuart Moore) Date: Tue Aug 23 18:01:18 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: <200508232006.j7NK6diT002826@linus.mitre.org> References: <200508232006.j7NK6diT002826@linus.mitre.org> Message-ID: <430B9B6F.301@securityglobal.net> Ah, the view from the comfort of your own blog! Stuart Steven M. Christey wrote: > A recent blog entry by Dana Epp calls SecurityFocus to task for > publishing a BID on a third party researcher's report of a buffer > overflow that had not been coordinated with the vendor: > > Please act more responsibly "AT ma CA". And you too Symantec (the > owners of Security Focus). You aren't helping the industry when you > do this. You hurt it. > > http://silverstr.ufies.org/blog/archives/000849.html > > > Given the growing frequency of these kinds of complaints, it feels > like vuln DB's are going to be visibly targeted one of these days. > > - Steve > From coley at linus.mitre.org Tue Aug 23 18:07:04 2005 From: coley at linus.mitre.org (Steven M. 
Christey) Date: Tue Aug 23 18:12:03 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: <430B9B6F.301@securityglobal.net> References: <200508232006.j7NK6diT002826@linus.mitre.org> <430B9B6F.301@securityglobal.net> Message-ID: On Tue, 23 Aug 2005, Stuart Moore wrote: > Ah, the view from the comfort of your own blog! True, but I find Dana to be pretty thoughtful. In that context, the blog represents a misunderstanding of the role that VDB's *currently* perform, and a growing awareness and disillusionment with VDB's. We know what challenges we face, but vuln. info consumers either (1) don't know or (2) don't care. We're kind of stuck in the middle and someday we might get squished. OK, enough prognosticating and pontificating for now ;-) - Steve From smoore at securityglobal.net Tue Aug 23 18:07:39 2005 From: smoore at securityglobal.net (Stuart Moore) Date: Tue Aug 23 18:12:47 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: <430B9B6F.301@securityglobal.net> References: <200508232006.j7NK6diT002826@linus.mitre.org> <430B9B6F.301@securityglobal.net> Message-ID: <430B9E2B.60102@securityglobal.net> Curiously, I cannot find disclosure ("responsible" or not) of this vulnerability on the vendor's product page ... Stuart Stuart Moore wrote: > Ah, the view from the comfort of your own blog! > > Stuart > > > Steven M. Christey wrote: > >> A recent blog entry by Dana Epp calls SecurityFocus to task for >> publishing a BID on a third party researcher's report of a buffer >> overflow that had not been coordinated with the vendor: >> >> Please act more responsibly "AT ma CA". And you too Symantec (the >> owners of Security Focus). You aren't helping the industry when you >> do this. You hurt it. >> >> http://silverstr.ufies.org/blog/archives/000849.html >> >> >> Given the growing frequency of these kinds of complaints, it feels >> like vuln DB's are going to be visibly targeted one of these days. 
>> >> - Steve >> > From jericho at attrition.org Tue Aug 23 18:14:25 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue Aug 23 18:14:27 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: References: <200508232006.j7NK6diT002826@linus.mitre.org> <430B9B6F.301@securityglobal.net> Message-ID: : > Ah, the view from the comfort of your own blog! : : True, but I find Dana to be pretty thoughtful. In that context, the : blog represents a misunderstanding of the role that VDB's *currently* : perform, and a growing awareness and disillusionment with VDB's. We : know what challenges we face, but vuln. info consumers either (1) don't : know or (2) don't care. We're kind of stuck in the middle and someday : we might get squished. Very true. As small as it seems, having folks from the VDBs respond to such material is important I think. A few well placed comments here and there, the next article may only focus on the researcher and leave VDBs out. From coley at linus.mitre.org Tue Aug 23 18:18:21 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue Aug 23 18:23:19 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: <430B9E2B.60102@securityglobal.net> References: <200508232006.j7NK6diT002826@linus.mitre.org> <430B9B6F.301@securityglobal.net> <430B9E2B.60102@securityglobal.net> Message-ID: On Tue, 23 Aug 2005, Stuart Moore wrote: > Curiously, I cannot find disclosure ("responsible" or not) of this > vulnerability on the vendor's product page ... Yeah, I had to hunt for it a little bit. But it's covered in a forum post: http://www.sysinternals.com/Forum/forum_posts.asp?TID=957&PN=1 This was how I found out about Dana's blog post. 
- Steve From jericho at attrition.org Wed Aug 24 05:25:17 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Aug 24 05:25:20 2005 Subject: [VIM] vendor ack/fix: Pinnacle Cart XSS cross site scripting (fwd) Message-ID: ---------- Forwarded message ---------- From: Mike Auger To: webmaster@osvdb.org Date: Tue, 16 Aug 2005 17:43:51 -0700 Subject: Pinnacle Cart XSS cross site scripting Hello, you have an advisory report on our software are www.pinnaclecart.com for XSS cross site scripting. We are happy to announce that the issue has been resolved in the release of 3.3. You can view our demo with this fixed on our site or we would be happy to provide you with access to verify for yourself. We would appreciate it if you would update this reference when you have thoroughly investigated the correction. Thanks Mike 800-506-0398 x701 From jericho at attrition.org Wed Aug 24 06:56:17 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Aug 24 06:56:19 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: References: <200508232006.j7NK6diT002826@linus.mitre.org> <430B9B6F.301@securityglobal.net> <430B9E2B.60102@securityglobal.net> Message-ID: : > Curiously, I cannot find disclosure ("responsible" or not) of this : > vulnerability on the vendor's product page ... : : Yeah, I had to hunt for it a little bit. : : But it's covered in a forum post: : : http://www.sysinternals.com/Forum/forum_posts.asp?TID=957&PN=1 : : This was how I found out about Dana's blog post. 
http://www.sysinternals.com/Utilities/ProcessExplorer.html What's new in Version 9.2: Buffer overflow bugfix in v9.25 and higher From jericho at attrition.org Wed Aug 24 06:58:52 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Aug 24 06:59:01 2005 Subject: [VIM] Re: Interspire ArticleLive 2005 (php version) is vulnerable to XSS In-Reply-To: <20050823004444.24864.qmail@securityfocus.com> References: <20050823004444.24864.qmail@securityfocus.com> Message-ID: On Mon, 23 Aug 2005, eddie@interspire.com wrote: : This has been patched. In what version? Is there reference to this on your web site? Thanks Brian From jericho at attrition.org Wed Aug 24 09:34:00 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Aug 24 09:34:02 2005 Subject: [VIM] Re: FW: BEA05-84.00 question [#16867] (fwd) Message-ID: *sigh* ---------- Forwarded message ---------- From: BEA Customer Support To: jericho@attrition.org Date: Wed, 24 Aug 2005 13:28:08 +0000 (GMT) Subject: Re: FW: BEA05-84.00 question [#16867] Not to sure, it may have been within the last two days? --Original Message-- From: jericho@attrition.org Date: 8/23/2005 9:12:25 PM To: support@ems00451.egain.net Subject: FW: BEA05-84.00 question -----Original Message----- From: security curmudgeon [mailto:jericho@attrition.org] Sent: Tuesday, August 23, 2005 9:16 PM To: support@bea.com Subject: BEA05-84.00 question What day was this released? I don't see a date for the advisory. Thanks Brian From coley at linus.mitre.org Wed Aug 24 10:23:01 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Wed Aug 24 10:28:05 2005 Subject: [VIM] Re: FW: BEA05-84.00 question [#16867] (fwd) In-Reply-To: References: Message-ID: On Wed, 24 Aug 2005, security curmudgeon wrote: > > > What day was this released? I don't see a date for the advisory. Yeah, I *HATE*when vendors do that. 
They have dates of release on their main advisory page, though: http://dev2dev.bea.com/advisoriesnotifications/ which lists 2005-08-22 for BEA05-84.00 - Steve From coley at linus.mitre.org Wed Aug 24 10:58:37 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Wed Aug 24 11:03:43 2005 Subject: [VIM] Dana Epp on responsible disclosure and VDB's In-Reply-To: References: <200508232006.j7NK6diT002826@linus.mitre.org> <430B9B6F.301@securityglobal.net> <430B9E2B.60102@securityglobal.net> Message-ID: On Wed, 24 Aug 2005, security curmudgeon wrote: > http://www.sysinternals.com/Utilities/ProcessExplorer.html > What's new in Version 9.2: > Buffer overflow bugfix in v9.25 and higher I'm not 100% sure, but I don't think that was there a couple days ago. It's good to see, though :) - Steve From coley at mitre.org Wed Aug 24 13:47:36 2005 From: coley at mitre.org (Steven M. Christey) Date: Wed Aug 24 13:52:51 2005 Subject: [VIM] SaveWebPortal issues Message-ID: <200508241747.j7OHlapi007222@linus.mitre.org> Reference: http://rgod.altervista.org/save_yourself_from_savewebportal34.html The "remote code execution" issue appears to be for PhpMyExplorer, which appears to be bundled with SaveWebPortal. I can't find a download package for PhpMyExplorer - the main vendor's page is down - but the demonstration URL in rgod's advisory includes PhpMyExplorer, and a source code extract of SaveWebPortal appears to include a full install, complete with readme file under SaveWebPortal/admin/PhpMyExplorer/doc/readme.txt The other issues appear to be specific to SaveWebPortal. - Steve From coley at mitre.org Wed Aug 24 17:49:08 2005 From: coley at mitre.org (Steven M. Christey) Date: Wed Aug 24 17:54:15 2005 Subject: [VIM] Bitten by Mantis? Message-ID: <200508242149.j7OLn8KB006563@linus.mitre.org> For those who operate at a low level of detail for your vuln reports, watch out for the recent Mantis bugs. 
The Mantis changelog at http://www.mantisbt.org/changelog.php and Debian's "diff" file have inconsistencies regarding what was, or was not, fixed. Only 1 out of 4 separate bugs seems to be covered by both Debian and the original Mantis developers. I have an inquiry into Debian for clarification, since it's not clear which issues CAN-2005-2557 should deal with. - Steve From jericho at attrition.org Wed Aug 24 17:55:46 2005 From: jericho at attrition.org (security curmudgeon) Date: Wed Aug 24 17:55:48 2005 Subject: [VIM] Bitten by Mantis? In-Reply-To: <200508242149.j7OLn8KB006563@linus.mitre.org> References: <200508242149.j7OLn8KB006563@linus.mitre.org> Message-ID: : For those who operate at a low level of detail for your vuln reports, : watch out for the recent Mantis bugs. The Mantis changelog at : http://www.mantisbt.org/changelog.php and Debian's "diff" file have : inconsistencies regarding what was, or was not, fixed. Only 1 out of 4 : separate bugs seems to be covered by both Debian and the original Mantis : developers. I have an inquiry into Debian for clarification, since it's : not clear which issues CAN-2005-2557 should deal with. I noticed this when creating four entries for OSVDB. Two of the four have corresponding changelog that I saw (one was based on a small assumption due to vague wording, but creditee matched). Two of the issues were not referenced in the changelog, and only 1 of 4 bugzilla entries referenced by Secunia were public. From jericho at attrition.org Fri Aug 26 02:18:44 2005 From: jericho at attrition.org (security curmudgeon) Date: Fri Aug 26 02:18:50 2005 Subject: [VIM] Likely errors in PhpAuction report In-Reply-To: <200507130632.j6D6WPio002421@linus.mitre.org> References: <200507130632.j6D6WPio002421@linus.mitre.org> Message-ID: : (CAN-2005-2252, CAN-2005-2253, and CAN-2005-2254 forthcoming) : : has a couple oddnesses about them. Specifically, some URLs contain : "/phpauction-gpl-2.5/" whereas others don't. 
: : There is further evidence from the raw error outputs that some, or all, : of these results were obtained by testing on a live web site. : : Given this, there is some evidence that the "viewnews.php" and : "login.php" errors are specific to the live web site and *not* the : PhpAuction product; however the PhpAuction source code isn't available : so I can't be sure. : : Normally I might not comment on this but if I'm right, then a lot of : DB's didn't catch this. Mailed the vendor originally, fast reply saying they were auditing and would confirm. Didn't hear back, pinged them a week ago and still no reply. Bleh. From jericho at attrition.org Sun Aug 28 21:06:17 2005 From: jericho at attrition.org (security curmudgeon) Date: Sun Aug 28 21:06:19 2005 Subject: [VIM] rpc.pcnfsd mess Message-ID: Geez this is a headache .. #1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0078 pcnfsd (aka rpc.pcnfsd) allows local users to change file permissions, or execute arbitrary commands through arguments in the RPC call. Christey> This candidate should be SPLIT, since there are two separate software flaws. One is a symlink race and the other is a shell metacharacter problem. based on: http://archives.neohapsis.com/archives/bugtraq/1995_4/0124.html #2 http://cve.mitre.org/cgi-bin/cvename.cgi?name=1999-0353 rpc.pcnfsd in HP gives remote root access by changing the permissions on the main printer spool directory. 
#3 http://archives.neohapsis.com/archives/bugtraq/1998_3/0575.html 1998-07-14 RSI.0008a.08-18-98.ALL.RPC_PCNFSD pr_init() Symlink File Permission Modification Privilege Escalation run_ps630() Crafted Request Remote Command Execution #4 http://archives.neohapsis.com/archives/bugtraq/1998_3/0590.html 1998-08-19 Rhino9 Security Advisory - RPC.PCNFSD VULNERABILITES Vulnerability #1: pr_cancel - Most implementations of rpc.pcnfsd Vulnerability #2: get_pr_status - OpenBSD is the only confirmed vulnerable OS Vulnerability #3: mapid / auth - All implementations are vulnerable -- Now followup to R9 post: http://archives.neohapsis.com/archives/bugtraq/1998_3/0591.html I should mention that both the RepSec and Rhino advisories document bugs which were found and documented 2 years ago. Both the vulnerable chmod and the su_popen functions were documented in the CA-96.08.pcnfsd. The mkdir bug is somewhat different, however, only because the previous fix wasn't sufficient enough to prevent it. The result is the same, the ability to change arbitrary permissions to 777. Unfortunately whoever fixed this originally, didnt see far enough into it. followup to RSI post: http://archives.neohapsis.com/archives/bugtraq/1998_3/0588.html By the way, at least the first problem has been known for a few weeks. See ftp://ftp.cert.org/pub/cert_advisories/CA-96.08.pcnfsd (dated April 1996) for a description The confusion is Avalon didn't really do any disclosure beyond exploit code. RSI gave details but subsequent posts suggest RSI #1 issue is the same as one of the Avalon, even though some of the keywords aren't found in each description. Oliver's post suggests that RSI/R9 did not disclose anything new, but that seems like 5 distinct issues when Avalon previously disclosed 2? 
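The rpc.pcnfsd thread above separates two flaw classes, a symlink race and a "shell metacharacter problem" in the su_popen() path. The C block below is an added example by the editor, not code from pcnfsd, RepSec, Rhino9 or anyone on this list. It shows the metacharacter class: an RPC-supplied printer name formatted straight into a popen()-style command line, beside a hardened path that allowlists the name and hands execvp() an argv so no shell ever parses the attacker's bytes. The lpr path, the printer-name character policy and the sample inputs are assumptions for illustration.

```c
/* Added example (editor's own, not rpc.pcnfsd source). Models the shell
 * metacharacter bug class in a print daemon: an RPC argument (printer name)
 * ends up in a command line that a shell parses. The unsafe builder only
 * produces the string; nothing here executes it. The hardened path
 * validates the name and builds an argv for execvp().
 * Assumptions: lpr lives at /usr/bin/lpr; printer names are [A-Za-z0-9_-]. */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

#define MAX_NAME 64

/* Vulnerable pattern: splice the RPC-supplied name into a shell command,
 * the way a popen(cmd, "r") caller would build cmd. Returns 1 on success. */
int unsafe_build_command(const char *printer, const char *spoolfile,
                         char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "/usr/bin/lpr -P%s %s", printer, spoolfile);
    return n > 0 && (size_t)n < outlen;
}

/* 1 if s contains any byte a POSIX shell treats specially. */
int has_shell_meta(const char *s)
{
    static const char meta[] = ";|&$`<>()\\\"'*?[]{}~ \t\n";
    for (; *s; s++)
        if (strchr(meta, *s))
            return 1;
    return 0;
}

/* Allowlist for printer names (assumed policy): [A-Za-z0-9_-], 1..63 bytes.
 * An allowlist is preferred over blacklisting metacharacters: it also
 * rejects bytes the checker above does not know about. */
int valid_printer_name(const char *s)
{
    size_t len = strlen(s);
    if (len == 0 || len >= MAX_NAME)
        return 0;
    for (; *s; s++)
        if (!isalnum((unsigned char)*s) && *s != '_' && *s != '-')
            return 0;
    return 1;
}

/* Hardened path: reject anything outside the allowlist, then build an argv
 * in which the printer name is exactly one argument. No shell is involved.
 * Returns the argc filled in, or -1 if the name was rejected. */
int safe_build_argv(const char *printer, const char *spoolfile,
                    char *pbuf, size_t pbuflen, const char *argv[4])
{
    if (!valid_printer_name(printer))
        return -1;
    if (snprintf(pbuf, pbuflen, "-P%s", printer) >= (int)pbuflen)
        return -1;
    argv[0] = "/usr/bin/lpr";
    argv[1] = pbuf;
    argv[2] = spoolfile;
    argv[3] = NULL;
    return 3;
}

/* Run argv directly (fork + execvp, no /bin/sh). Returns the child's exit
 * status, or -1 on fork/wait failure or abnormal termination. */
int spawn_argv(const char *argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execvp(argv[0], (char *const *)argv);
        _exit(127);                        /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: walks a constructed malicious name through both paths.
 * Returns 1 when the unsafe builder carried the payload into the command
 * line, the hardened path rejected it, and a benign name still passes. */
int injection_check(void)
{
    const char *evil = "lp0; rm -rf /";       /* constructed sample input */
    const char *job = "/var/spool/pcnfs/job1"; /* constructed sample input */
    char cmd[128], pbuf[MAX_NAME + 3];
    const char *argv[4];

    if (!unsafe_build_command(evil, job, cmd, sizeof cmd))
        return 0;
    if (strstr(cmd, "; rm -rf /") == NULL)    /* payload reached the shell string */
        return 0;
    if (safe_build_argv(evil, job, pbuf, sizeof pbuf, argv) != -1)
        return 0;
    if (safe_build_argv("lp0", job, pbuf, sizeof pbuf, argv) != 3)
        return 0;
    return strcmp(argv[1], "-Plp0") == 0;     /* one argument, no shell parsing */
}

int main(void)
{
    char cmd[128];
    unsafe_build_command("lp0; rm -rf /", "/var/spool/pcnfs/job1", cmd, sizeof cmd);
    printf("shell would see: %s\n", cmd);
    printf("hardened path blocks it: %s\n", injection_check() ? "yes" : "no");
    return 0;
}
```

spawn_argv() is shown for completeness and is not invoked by the self-check, since it would actually try to run lpr; the point is that once the argv is built, the process is started without any shell in between, so the remaining risk is only what lpr itself does with a well-formed name.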
From jericho at attrition.org Mon Aug 29 16:59:48 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Aug 29 16:59:50 2005
Subject: [VIM] Vendor dispute of Land Down Under issues
In-Reply-To: <200508231859.j7NIxcbC025498@linus.mitre.org>
References: <200508231859.j7NIxcbC025498@linus.mitre.org>
Message-ID:

: The front page of the Land Down Under site includes a news item
: "Regarding LDU at SecurityFocus.com" that disputes the original claims
: of SQL injection/XSS issues in LDU:
:
:   Regarding LDU at SecurityFocus.com
:   21-08-2005 05:25
:
:   Since yesterday there's 2 new items about LDU at
:   http://www.securityfocus.com, about "security exploits" that may
:   affect LDU build 800. None of the tricks written there are working,
:   the variables are properly sanitized and no LDU version is
:   affected. This morning I notified the moderators of the site.
:
:   The 2 articles are here :
:
:   http://securityfocus.com/bid/14618/exploit
:   http://securityfocus.com/bid/14619/exploit
:
:   I'll post here as soon as possible if there's updates regarding this
:   topic.
:
:   *UPDATE*
:
:   A little "Hello!" to all the people trying the non-working URLs here
:   at Neocrome.net, you will be forever famous in the log :]

Interesting. Original disclosure AND two subsequent posts with vulnerabilities. Makes me wonder if LDU is playing the 'deny everything' game...

Sat Aug 20 2005
http://archives.neohapsis.com/archives/bugtraq/2005-08/0277.html

Sun Aug 28 2005
http://archives.neohapsis.com/archives/bugtraq/2005-08/0395.html

Mon Aug 29 2005
http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0988.html