From jericho at attrition.org Sun May 1 13:49:42 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 1 13:49:44 2005
Subject: [VIM] AWStats question [CVE 2005-0362 & 2005-0436]

CAN-2005-0362 / OSVDB 1000034
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488

awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the (1) "pluginmode", (2) "loadplugin", or (3) "noloadplugin" parameters.

CAN-2005-0436 / OSVDB 13832
BUGTRAQ:20050214 AWStats <= 6.4 Multiple vulnerabilities
URL:http://www.securityfocus.com/archive/1/390368

Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4 allows remote attackers to execute portions of Perl code via the PluginMode parameter.

--

2005-0362 is effectively Feb 11, 2005 and 2005-0436 is Feb 14, 2005. Given the proximity of the two, and one parameter seems to be the same (PluginMode / pluginmode), these seem like they should be merged possibly.

First question is how CVE differentiates between "commands via shell metacharacters" and "direct code injection".

Second question is, are 'PluginMode' and 'pluginmode' the same params, or is the script case sensitive and these are two different variables?

brian

From coley at linus.mitre.org Mon May 2 15:07:55 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon May 2 15:15:34 2005
Subject: [VIM] AWStats question [CVE 2005-0362 & 2005-0436]

On Sun, 1 May 2005, security curmudgeon wrote:

> CAN-2005-0362 / OSVDB 1000034
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=294488
>
> awstats.pl in AWStats 6.2 allows remote attackers to execute arbitrary
> commands via shell metacharacters in the (1) "pluginmode", (2)
> "loadplugin", or (3) "noloadplugin" parameters.
>
> CAN-2005-0436 / OSVDB 13832
> BUGTRAQ:20050214 AWStats <= 6.4 Multiple vulnerabilities
> URL:http://www.securityfocus.com/archive/1/390368
>
> Direct code injection vulnerability in awstats.pl in AWStats 6.3 and 6.4
> allows remote attackers to execute portions of Perl code via the
> PluginMode parameter.

These two were SPLIT based on (1) differing affected versions, as reported (6.2 vs. 6.4), and probably (2) different vuln types, "shell metacharacters" vs. "direct code injection" (my throwaway term for piping code directly into an "eval" statement or the equivalent, which only has a dozen or two published examples I would guess.)

Note how you could "fix" a shell metacharacter problem but still be vulnerable to feeding portions of code directly into an eval, e.g. an input of "exit" contains no shell metachars but would still cause the Perl "exit" function to be called if it's piped into an eval. Or "print FILEHANDLE XXXX" or "system ls" or "return TRUE" or whatever.

But looking deeper, the question becomes whether pluginmode is/was vulnerable to shell metacharacters, then another question becomes whether the "direct code injection" was fully fixed.

The Debian bug report 294488 includes an Ubuntu diff from here:

http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

(note the typo in the CVE ID in that URL; it should have been CAN-2005-0116).

The changelog in the Ubuntu diff implies shell metacharacters in pluginpage:

  wwwroot/cgi-bin/awstats.pl: remove all non-path characters from the "config", "pluginmode", "loadplugin", and "noloadplugin" parameters (which are defined by the remote user) to prevent execution of arbitrary shell commands through shell metacharacters.

[the "config" was SPLIT off the others because it was also in 4.0, where the others weren't, and CVE splits on different affected versions].
However, they also include this reference:

http://packetstormsecurity.nl/0501-exploits/AWStatsVulnAnalysis.pdf

which is really "direct code injection" into an eval, i.e.

1) The code example shows $PluginMode being fed into an eval statement:

  if ($PluginMode) {
      my $function="BuildFullHTMLOutput_$PluginMode()";
      eval("$function");
  }

2) the sample exploit given is:

  http://xxx/awstats/awstats.pl?pluginmode=:system ("/bin/ls");.

Which isn't shell metacharacters.

So, *was* pluginpage actually vulnerable at one point to shell metacharacters? This I don't know and don't have the time at the moment to research.

And there's yet another question - is the Ubuntu patch actually sufficient to fix all Perl execution? I suspect that's what this post is about:

(CAN-2005-0436)
BUGTRAQ:20050214 AWStats <= 6.4 Multiple vulnerabilities
URL:http://www.securityfocus.com/archive/1/390368

where the inputs contain nothing but a colon, alphabetic characters, and spaces - which pass the regexp cleanser - but are still fed directly into the eval. Interestingly, Ubuntu's patch doesn't seem to allow the ":" so maybe the bug is still in the original AWStats source, but not some of the Linux distributions.

A nice little mess!

> First question is how CVE differentiates between "commands via shell
> metacharacters" and "direct code injection".

Hopefully the previous explanation highlights some of that difference, but "different vuln type" can be a judgment call sometimes.

> Second question is, are 'PluginMode' and 'pluginmode' the same params, or
> is the script case sensitive and these are two different variables?

According to this patch URL and others:

http://patches.ubuntu.com/patches/awstats.more-CAN-2005-0016.diff

the external parameter name is "pluginmode" but its value is saved in the internal Perl variable named $PluginMode.

- Steve

From coley at mitre.org Mon May 2 17:08:44 2005
From: coley at mitre.org (Steven M. Christey)
Date: Mon May 2 17:16:12 2005
Subject: [VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?
Message-ID: <200505022108.j42L8ib8024978@linus.mitre.org>

Issue:

BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2

The reporters list "exercise_result.php" and "exercice_submit.php", which might suggest a spelling discrepancy or typo ("exercise" vs. "exercice") but the CVS logs for Claroline indicate that this discrepancy is legit:

http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php

The CVS log for exercise_result.php does not include any recent mods that specifically mention XSS, nor do the changes show typical XSS protections, and yet it is mentioned by the original researchers as an attack vector. Possibly a library problem?

- Steve

From coley at mitre.org Tue May 3 14:30:57 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 3 14:38:34 2005
Subject: [VIM] Skype advisories
Message-ID: <200505031830.j43IUvjh009669@linus.mitre.org>

Skype has created a security page that lists 3 separate advisories, including one that apparently didn't make it through the normal channels when they posted it in April.

I have an inquiry to my Skype contact about the lang file directory permissions problem (CAN-2004-1778):

BUGTRAQ:20041222 Permission problem in Skype BETA for linux
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110374568916303&w=2

OSVDB - I'm curious why your short title for a Skype lang issue mentions symlinks? I don't see that mentioned in the Bugtraq posts.

- Steve

From coley at mitre.org Tue May 3 14:31:59 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 3 14:39:37 2005
Subject: [VIM] Re: Skype advisories
Message-ID: <200505031831.j43IVxcO009960@linus.mitre.org>

Oh, if you want an actual URL, here you go:

Security page: http://www.skype.com/security
Advisories: http://www.skype.com/security/advisories.html

- Steve

From jericho at attrition.org Tue May 3 14:43:18 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue May 3 14:43:25 2005
Subject: [VIM] Skype advisories
In-Reply-To: <200505031830.j43IUvjh009669@linus.mitre.org>
References: <200505031830.j43IUvjh009669@linus.mitre.org>

: Skype has created a security page that lists 3 separate advisories,
: including one that apparently didn't make it through the normal channels
: when they posted it in April.
:
: I have an inquiry to my Skype contact about the lang file directory
: permissions problem (CAN-2004-1778):
:
: BUGTRAQ:20041222 Permission problem in Skype BETA for linux
: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110374568916303&w=2
:
: OSVDB - I'm curious why your short title for a Skype lang issue mentions
: symlinks? I don't see that mentioned in the Bugtraq posts.

From the post:

  During installation a world-writable directory "/usr/share/skype/lang" is created.

  Impact: The directory (presumably) contains various language files used by the skype application. An attacker could modify these files. It is unknown if this could be used for attacking local users running the skype application.

So looks like this was skimming too fast =) Seeing "installation" and "world-writable directory created" led to a 'symlink' snap judgement. =) I have updated the title.

From coley at mitre.org Fri May 6 01:12:17 2005
From: coley at mitre.org (Steven M. Christey)
Date: Fri May 6 02:02:34 2005
Subject: [VIM] April Oracle advisory - drowning in the wrong data
Message-ID: <200505060512.j465CHpe008527@linus.mitre.org>

Just thought I'd share.
I've been slugging it out with the April 2005 Oracle advisory, trying to apply CVE's usual content decisions to it, which makes for small clusters of vulns if they all affect the same versions. I was all ready to create about 25 new candidates. The only remaining task was to map them to existing published advisories.

BIG BRICK WALL.

There's not enough published data to figure out which public researchers' advisories go with which Oracle bug ID's. Also, I can't tell which issues already have CANs, and which ones don't.

For example, AppSecInc reported SQL injection in SYS.DBMS_CDC_IPUBLISH.CREATE_SCN_CHANGE_SET, but I have no idea which vuln to map it to in the alert - AppSecInc doesn't list the Oracle Vuln#, and the Oracle alert doesn't say which Vuln# was found by AppSecInc.

NGSSoftware have published a generic advisory at http://www.ngssoftware.com/advisories/oracle-03.txt but they only mention "multiple" vulnerabilities and you can't infer from the affected versions which vulns they're talking about, either.

Red Database Security posted some rather detailed comments here:

http://www.red-database-security.com/wp/comments_oracle_cpu_april_2005_us.pdf

And it includes several bits of information that aren't in the version of the Oracle update that I have, e.g. that DB01 is related to SQL injection in the DBMS_CDC_IPUBLISH package. Where did they GET that information??

In addition, Oracle has a CVE-to-advisory mapping which is quite nice for knowing that they've fixed the issues (I was unaware of this - thanks Red Database!):

http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html

Unfortunately, I can't figure out from the April advisory, whether CAN-2004-0079 - an OpenSSL issue - is associated with Oracle Vuln# DB06/AS16, DB22/AS14, DB24/AS17, or other vulnerability ID's that are listed in the SSL-related components (presumably that's where it is right now). Same with all the other issues.
The obvious conclusion here is to contact the Oracle people and the researchers, and try to sort everything out, which I will. But I wish it didn't take me the better part of a day before realizing that I was mostly back to Square One.

- Steve

From jericho at attrition.org Sun May 8 02:36:28 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 8 02:36:31 2005
Subject: [VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?
In-Reply-To: <200505022108.j42L8ib8024978@linus.mitre.org>
References: <200505022108.j42L8ib8024978@linus.mitre.org>

: Issue:
:
: BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2
:
: The reporters list "exercise_result.php" and "exercice_submit.php",
: which might suggest a spelling discrepancy or typo ("exercise"
: vs. "exercice") but the CVS logs for Claroline indicate that this
: discrepancy is legit:
:
: http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
: http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php
:
: The CVS log for exercise_result.php does not include any recent mods
: that specifically mention XSS, nor do the changes show typical XSS
: protections, and yet it is mentioned by the original researchers as an
: attack vector. Possibly a library problem?

I had held off splitting this out on OSVDB so I could examine the changelog and other vendor information. I'll add this to my to-do list and may end up waiting this out a bit more until I can find more confirmation.

From jericho at attrition.org Sun May 8 15:32:47 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 8 15:32:50 2005
Subject: [VIM] CVE Ethereal Overlap?

I'm working through the 50+ Ethereal breakout.. fun times =)

CAN-2005-1464
Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP, (4) EIGRP, (5) DLSw, (6) MEGACO, (7) LMP, and (8) RSVP dissectors in Ethereal before 0.10.11 allow remote attackers to cause a denial of service (infinite loop).

So the RSVP dissector is vuln to an infinite loop DoS..

CAN-2005-1281
Ethereal 0.10.10 and earlier allows remote attackers to cause a denial of service (infinite loop) via a crafted RSVP packet of length 4.

which refs:
BUGTRAQ:20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop DOS.

i'd imagine 2005-1464 #8 is the same as 2005-1281?

From jericho at attrition.org Mon May 9 17:22:01 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon May 9 17:22:13 2005
Subject: [VIM] Re: Sql Injection in CJ Ultra Plus v1.0.3-1.0.4
In-Reply-To: <20050505230032.16285.qmail@www.securityfocus.com>
References: <20050505230032.16285.qmail@www.securityfocus.com>

Hi Kold,

: #Sql Injection in CJ Ultra Plus v1.0.3-1.0.4(?) #

Can you verify if this is the same "Cjultra" found at http://www.cjultra.com/ or something different?

Thanks!

Brian
OSVDB.org

From coley at linus.mitre.org Tue May 10 21:15:30 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 10 21:23:33 2005
Subject: [VIM] RaidenFTPD vulnerability fixed? (fwd)

Inquiry sent to RaidenFTPD to get authoritative acknowledgement. Usually I like to have proof when a vendor releases a vague advisory that appears around the same time as a third party advisory - you can never be absolutely sure which bug(s) they fixed.

- Steve

---------- Forwarded message ----------
Date: Tue, 10 May 2005 21:13:44 -0400 (EDT)
From: Steven M. Christey
To: johnlong@RaidenFTPD.com
Cc: coley@mitre.org
Subject: RaidenFTPD vulnerability fixed?

Hello,

I am the editor of CVE, a resource for computer security professionals regarding vulnerabilities.
Recently, a vulnerability was posted to various security mailing lists regarding a directory traversal issue in RaidenFTPD before 2.4.2241:

http://marc.theaimsgroup.com/?l=bugtraq&m=111507556127582&w=2

There was also an announcement of a vulnerability to the RaidenFTPD forum a couple weeks earlier, at:

http://forum.raidenftpd.com/showflat.php?Board=UBB13&Number=45685

Are these in fact the same issue?

Regards,
Steve Christey
CVE Editor

From coley at mitre.org Tue May 10 21:33:47 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 10 21:41:48 2005
Subject: [VIM] Claimed SQL injection in ArticleLive
Message-ID: <200505110133.j4B1Xllt005687@linus.mitre.org>

FYI, Diabolic Crab's recent advisory on ArticleLive claims SQL injection, but doesn't provide any clear examples:

http://www.digitalparadox.org/advisories/inal.txt
http://marc.theaimsgroup.com/?l=bugtraq&m=111530871724865&w=2

A modified Query parameter to the search utility is given, and the parameter starts with the "'" character, but the resulting error message suggests straightforward "information-leak-on-error" without any apparent relation to SQL injection.

I'll post a followup to Bugtraq to see what's up.
- Steve

From jericho at attrition.org Tue May 10 21:49:40 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue May 10 21:49:42 2005
Subject: [VIM] Claimed SQL injection in ArticleLive
In-Reply-To: <200505110133.j4B1Xllt005687@linus.mitre.org>
References: <200505110133.j4B1Xllt005687@linus.mitre.org>

: FYI, Diabolic Crab's recent advisory on ArticleLive claims SQL
: injection, but doesn't provide any clear examples:
:
: http://www.digitalparadox.org/advisories/inal.txt
: http://marc.theaimsgroup.com/?l=bugtraq&m=111530871724865&w=2
:
: A modified Query parameter to the search utility is given, and the
: parameter starts with the "'" character, but the resulting error message
: suggests straightforward "information-leak-on-error" without any
: apparent relation to SQL injection.

Very likely the case. If he can trigger *any* error with *any* vague SQL syntax or related words, he assumes it is an SQL injection.

From coley at linus.mitre.org Tue May 10 21:57:51 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 10 22:05:53 2005
Subject: [VIM] RaidenFTPD vulnerability fixed? (fwd)

On Tue, 10 May 2005, Steven M. Christey wrote:

> Inquiry sent to RaidenFTPD to get authoritative acknowledgement.

That was fast! The developer replied and said "it is the same problem so it is fixed."

- Steve

From coley at linus.mitre.org Tue May 10 22:01:30 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 10 22:09:31 2005
Subject: [VIM] Claimed SQL injection in ArticleLive
References: <200505110133.j4B1Xllt005687@linus.mitre.org>

On Tue, 10 May 2005, security curmudgeon wrote:

> : FYI, Diabolic Crab's recent advisory on ArticleLive claims SQL
> : injection, but doesn't provide any clear examples:
> :
> : http://www.digitalparadox.org/advisories/inal.txt
> : http://marc.theaimsgroup.com/?l=bugtraq&m=111530871724865&w=2
> :
> : A modified Query parameter to the search utility is given, and the
> : parameter starts with the "'" character, but the resulting error message
> : suggests straightforward "information-leak-on-error" without any
> : apparent relation to SQL injection.
>
> Very likely the case. If he can trigger *any* error with *any* vague SQL
> syntax or related words, he assumes it is an SQL injection.

If it generates an SQL-related error then that should be enough to label it SQL injection - although conditions might render it non-exploitable. But you aren't always even given the error message. This is in the general case, not just Diabolic Crab's.

Unfortunately, the lack of solid diagnosis is a common researcher error.

- Steve

From jericho at attrition.org Tue May 10 22:11:59 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue May 10 22:12:00 2005
Subject: [VIM] Claimed SQL injection in ArticleLive
References: <200505110133.j4B1Xllt005687@linus.mitre.org>

: > Very likely the case. If he can trigger *any* error with *any* vague SQL
: > syntax or related words, he assumes it is an SQL injection.
:
: If it generates an SQL-related error then that should be enough to label
: it SQL injection - although conditions might render it non-exploitable.
: But you aren't always even given the error message. This is in the
: general case, not just Diabolic Crab's.

Right. They assume that since it errors out, it is an SQL injection and exploitable.
The last one I found could only be used on my test box to make a blog show all the posts at once. Since the blog had no 'private' posts and it was all public, it essentially did nothing. Technically a vulnerability, but so lame =)

From coley at linus.mitre.org Tue May 10 22:07:13 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 10 22:15:14 2005
Subject: [VIM] Claimed SQL injection in ArticleLive
References: <200505110133.j4B1Xllt005687@linus.mitre.org>

On Tue, 10 May 2005, security curmudgeon wrote:

> Right. They assume that since it errors out, it is an SQL injection and
> exploitable.

I strongly suspect that a number of claimed XSS issues in PHP applications are really XSS-style inputs being reflected back to the user in error messages as generated by the PHP interpreter, but alas I can't *prove* it yet ;-)

- Steve

From jericho at attrition.org Wed May 11 02:40:56 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 11 02:41:12 2005
Subject: [VIM] WoltLab security question

I am trying to ascertain if a recent security posting is the same issue listed on various security sites.

http://www.woltlab.com/news/399_en.php

  04-19-2005 06:45pm
  Security Update for Burning Board 2 and Burning Board Lite released

  Today we have been notified about a possible security hole in all Burning Board and Burning Board Lite versions. We have fixed the problem and provide you the update files for versions 2.0.3, 2.1.5, 2.2.1 and 2.3.1 in the members area. The download of the fixed Burning Board Lite version can be found in Products -> Burning Board Lite.
Checking the CVE project (http://cve.mitre.org) and OSVDB (http://osvdb.org), the following vulnerabilities are listed in the rough time frame:

  15907  WoltLab Burning Board pms.php folderid Variable XSS                 Apr 24, 2005
  15807  WoltLab Burning Board thread.php hilight Variable XSS               Apr 22, 2005
  14356  WoltLab Burning Board session.php Multiple Parameter SQL Injection  Mar 3, 2005

The date of the posting above puts it between the session.php and thread.php issues. Can you please verify if the posting above relates to one of these two issues, the date is incorrect and it pertains to another issue afterwards, or if it is an entirely different vulnerability?

Thanks!

Brian Martin
OSVDB.org

From jericho at attrition.org Wed May 11 20:51:32 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 11 20:51:36 2005
Subject: [VIM] Re: Authentication bypass, sql injections and xss in ArticleLive 2005 (fwd)

For archiving.

---------- Forwarded message ----------
From: Steven M. Christey
To: dcrab@hackerscenter.com
Cc: bugtraq@securityfocus.com
Date: Tue, 10 May 2005 21:42:17 -0400 (EDT)
Subject: Re: Authentication bypass, sql injections and xss in ArticleLive 2005

Diabolic Crab,

The title and text of this advisory suggest SQL injection, but I don't see any clear examples that demonstrate this. A modified Query parameter to the search function is given, and the parameter starts with the "'" character - which might *suggest* SQL injection - but the resulting error message suggests that it's using the input for some array operations, which could be the fairly common "bad data type" problem that leads to full path disclosure on PHP applications. Indeed there might be other invalid characters that could trigger the same problem (I don't know; I don't have ArticleLive available to test).

Could you provide more specific examples or otherwise clarify the problem?
Thanks,
Steve

From jericho at attrition.org Thu May 12 07:15:19 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu May 12 07:15:26 2005
Subject: [VIM] Re: apexec.pl question (fwd)

Not very helpful. He never replied to my followup saying that didn't answer the question.

---------- Forwarded message ----------
From: Paul Kuhn
To: security curmudgeon
Date: Wed, 04 May 2005 05:59:08 +0800
Subject: Re: apexec.pl question

----- Original Message -----
From: "security curmudgeon"
To: msdarkflyer@linuxmail.org
Subject: apexec.pl question
Date: Thu, 28 Apr 2005 18:57:06 -0400 (EDT)

> In reference to:
>
> http://archives.neohapsis.com/archives/bugtraq/2005-04/0270.html
>
> Is this the same product as found at:
>
> http://www.osvdb.org/435
>
> Anaconda! Partners Foundation Directory? If so, what version did you test?
>
> Thanks!
>
> Brian

Hi Brian

Take the newest version and test it like example in bugtraq

greetz
MSDarkflyer

From jericho at attrition.org Thu May 12 12:14:36 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu May 12 12:15:29 2005
Subject: [VIM] windows clarity

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1049

links to MS05-002

http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx

links to CAN-2004-1049 and CAN-2004-1305

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0416

links to MS05-002

[..]

MS05-002 doesn't mention CAN-2005-0416 though. does anyone know why?
looking at the two CVE entries that seem to overlap:

2004-1049
Integer overflow in the LoadImage API of the USER32 Lib for Microsoft Windows allows remote attackers to execute arbitrary code via a .bmp, .cur, .ico or .ani file with a large image size field, which leads to a buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."

2005-0416
The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003 allows remote attackers to execute arbitrary code via the AnimationHeaderBlock length field, which leads to a stack-based buffer overflow.

Integer overflow vs stack-based overflow. image size field vs AnimationHeaderBlock field. are these really two distinct vulns, or fundamentally the same library underneath?

From coley at linus.mitre.org Thu May 12 15:14:36 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu May 12 15:22:58 2005
Subject: [VIM] windows clarity

On Thu, 12 May 2005, security curmudgeon wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1049
>
> links to MS05-002
>
> http://www.microsoft.com/technet/security/bulletin/MS05-002.mspx
>
> links to CAN-2004-1049 and CAN-2004-1305
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0416
>
> links to MS05-002
>
> [..]
>
> MS05-002 doesn't mention CAN-2005-0416 though. does anyone know why?
> looking at the two CVE entries that seem to overlap:
>
> 2004-1049
> Integer overflow in the LoadImage API of the USER32 Lib for Microsoft
> Windows allows remote attackers to execute arbitrary code via a .bmp,
> .cur, .ico or .ani file with a large image size field, which leads to a
> buffer overflow, aka the "Cursor and Icon Format Handling Vulnerability."
>
> 2005-0416
> The Windows Animated Cursor (ANI) capability in Windows NT, Windows 2000
> through SP4, Windows XP through SP1, and Windows 2003 allows remote
> attackers to execute arbitrary code via the AnimationHeaderBlock length
> field, which leads to a stack-based buffer overflow.
>
>
> Integer overflow vs stack-based overflow. image size field vs
> AnimationHeaderBlock field. are these really two distinct vulns, or
> fundamentally the same library underneath?

Oh, THAT one. This is one of the good things about VIM! I spent a couple hours digging deeply into this one, I think after Kurt Seifried asked me about it. Reading descriptions of file formats, etc. It'll take some time to dig up my email response, but they're definitely distinct bugs, in slightly different places in the file format. I don't remember EXACTLY, but I think I privately confirmed with Microsoft that MS05-002 addressed both of them.

Oh, looks like it didn't take much time at all - yay grep! I'll forward it in the next message.

- Steve

From coley at linus.mitre.org Thu May 12 15:17:33 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu May 12 15:25:48 2005
Subject: [VIM] windows clarity

Here's my original inquiry to MSRC. I proposed creating separate CANs since they were separate issues, and MSRC responded to confirm this.

- Steve

-----Original Message-----
From: Steven M. Christey [mailto:coley@mitre.org]
Sent: Tuesday, February 01, 2005 4:06 PM
To: Microsoft Security Response Center
Cc: coley@mitre.org
Subject: Clarification requested on CAN-2004-1049/MS05-002 ANI issue(s)

Hello,

MS:MS05-002 discusses a "Cursor and Icon Format Handling Vulnerability" and credits eEye, but also uses the CAN-2004-1049 reference, which is for an xfocus-discovered issue.

Issue 1) The xfocus-reported issue is for an integer overflow in the LoadImage function.
BUGTRAQ:20041223 Microsoft Windows LoadImage API Integer Buffer overflow
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110382891718076&w=2

Issue 2) The eEye-reported issue specifically involves manipulating the "Length_of_AnimationHeader" field, whose value is "not checked appropriately," however it's not an integer overflow (since eEye would be smart enough to label it as such). eEye further explicitly states "This vulnerability is a separate vulnerability from the ones discovered by Xfocus."

BUGTRAQ:20050111 EEYE: Windows ANI File Parsing Buffer Overflow
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=110547079218397&w=2

By directly crediting eEye in MS05-002, but implicitly linking to the xfocus issue in CAN-2004-1049, it seems to me that MS05-002 is covering 2 separate but closely related issues.

If this is the case, then I will update CAN-2004-1049 so that its description mentions BOTH issues, and links to BOTH advisories. Please confirm that this is the appropriate action.

The alternative would be to create a separate candidate for the eEye issue, but that doesn't seem like the proper way to go; since both issues involve the same general type of vulnerability, I'd prefer that they stay combined.

Thanks,
Steve

From coley at linus.mitre.org Thu May 12 15:21:35 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu May 12 15:29:51 2005
Subject: [VIM] windows clarity

Here's my original response to Kurt Seifried, which goes into the nitty-gritty detective work for how I really determined that they were different. See the "** THUS **" statement for a techy executive summary.

This is the kind of heavy duty work that should be shared across the VIM community. It's a lot faster to verify than to do it entirely on your own; I forget how long it took, but it was a couple hours at least.

- Steve

Date: Wed, 16 Feb 2005 12:55:53 -0500 (EST)
From: "Steven M. Christey"
To: Kurt Seifried
cc: "Steven M. Christey"
Subject: Re: dupe for sure

On Wed, 16 Feb 2005, Kurt Seifried wrote:

> CAN-2005-0416 The Windows Animated Cursor (ANI) capability in Windows
> NT, Windows 2000 through SP4, Windows XP through SP1, and Windows 2003
> allows remote attackers to execute arbitrary code via the
> AnimationHeaderBlock length field, which leads to a stack-based buffer
> overflow. BUGTRAQ:20050111 EEYE: Windows ANI File Parsing Buffer Overflow
>
> Is for SURE: CAN-2004-1049
>
> our write up even includes:
> "... the length of the AnimationHeaderBlock is 36 bytes ..."

Dude, you're killing me! This one's been giving me headaches and I thought I finally had a resolution.

1) eEye's advisory says "[CAN-2005-0416] is not the same bug as [CAN-2004-1049]"

2) the xfocus issue explicitly mentions frame/rate values, neither of which seems to be related to the animation length.

3) the xfocus issue's exploit involves setting these values to 0.

4) the fairly big one - Microsoft confirmed via email that they're 2 different issues entirely

5) Looking at this ANI file format info:

http://underwar.livedns.co.il/projects/ani/ani_file_format.txt

we see "anih" which is "length of ANI header (36 bytes)" but right after "anih" we see: "rate" {Length of rate block}

and then this file:

http://www.daubnet.com/formats/ANI.html

goes more into the format of the rate block *and* the anih block

For the anih block, 4 of the 36 bytes are for a "DisplayRate" field... and another 4 are for a "NumFrames" field.

The XFOCUS frame/rate issues say: "no proper check of the frame number set in the ANI file header" -- which must be talking about the NumFrames field - and "no proper check of the rate number set in the ANI file header" - which must be talking about the DisplayRate field.

6) ** THUS ** eEye mucked around with the *length* of the ANI block, whereas Xfocus mucked around with fields *within* the ANI block.

How do ya like THEM apples?
;-)

- Steve

From coley at linus.mitre.org Thu May 12 17:17:25 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu May 12 17:25:34 2005
Subject: [VIM] CVE Ethereal Overlap?

On Sun, 8 May 2005, security curmudgeon wrote:

> I'm working through the 50+ Ethereal breakout.. fun times =)

Absolutely!

> CAN-2005-1464
> Multiple unknown vulnerabilities in the (1) KINK, (2) L2TP, (3) MGCP, (4)
> EIGRP, (5) DLSw, (6) MEGACO, (7) LMP, and (8) RSVP dissectors in Ethereal
> before 0.10.11 allow remote attackers to cause a denial of service
> (infinite loop).
>
> So the RSVP dissector is vuln to an infinite loop DoS..
>
> CAN-2005-1281
> Ethereal 0.10.10 and earlier allows remote attackers to cause a denial of
> service (infinite loop) via a crafted RSVP packet of length 4.
>
> which refs:
> BUGTRAQ:20050426 tcpdump(/ethereal)[]: (RSVP) rsvp_print() infinite loop
> DOS.
>
> i'd imagine 2005-1464 #8 is the same as 2005-1281?

Probably. I'll send a confirmation email just to be sure, though.

- Steve

From jericho at attrition.org Fri May 13 21:14:07 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri May 13 21:14:15 2005
Subject: [VIM] WP 1.5.1 security question

Hi Matt,

The recent 1.5.1 release announcement says that it fixes "an important" security issue. Is this an issue not found in any of the security/administration related bugzilla entries? Or does this wording refer to one of the existing entries found on the changelog?

Thanks!

Brian
OSVDB.org

From jericho at attrition.org Fri May 13 21:28:03 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri May 13 21:28:10 2005
Subject: [VIM] Re: WP 1.5.1 security question (fwd)

---------- Forwarded message ----------
From: Matthew Mullenweg
To: security curmudgeon
Date: Fri, 13 May 2005 18:16:26 -0700
Subject: Re: WP 1.5.1 security question

security curmudgeon wrote:
> The recent 1.5.1 release announcement says that it fixes "an important"
> security issue. Is this an issue not found in any of the
> security/administration related bugzilla entries? Or does this wording refer
> to one of the existing entries found on the changelog?

The vulnerability has not been disclosed yet.

--
Matt Mullenweg
http://photomatt.net | http://wordpress.org
http://pingomatic.com | http://cnet.com

From coley at mitre.org Fri May 13 22:15:14 2005
From: coley at mitre.org (Steven M. Christey)
Date: Fri May 13 22:23:33 2005
Subject: [VIM] MaxWebPortal acknowledgement - but for what?
Message-ID: <200505140215.j4E2FE5J019826@linus.mitre.org>

from http://www.maxwebportal.com/announcements.asp#48

"MaxWebPortal Version 1.36

MaxWebPortal Version 1.36 - Keeping MaxWebPortal Secure

All security fixes have been thoroughly tested in all supported operating systems and databases... Special thanks to Zinho from SecurityForge for auditing the source code. Thanks to mAtrix for fixing the injection bugs and to all who participated in testing."

The announcement isn't dated, and their forums are currently down, and they have other recent vuln's announced. So at this instant it's not clear whether they're talking about these issues:

BUGTRAQ:20050511 [HSC Security Group] MaxWebPortal - Multiple SQL injection/XSS
MISC:http://www.hackerscenter.com/archive/view.asp?id=2542

... or some other set of issues.

Can't find an email POC, either...
- Steve

From jericho at attrition.org Fri May 13 22:38:00 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri May 13 22:38:07 2005
Subject: [VIM] MaxWebPortal acknowledgement - but for what?
In-Reply-To: <200505140215.j4E2FE5J019826@linus.mitre.org>
References: <200505140215.j4E2FE5J019826@linus.mitre.org>

: from http://www.maxwebportal.com/announcements.asp#48
:
: "MaxWebPortal Version 1.36
:
: MaxWebPortal Version 1.36 - Keeping MaxWebPortal Secure
:
: All security fixes have been thoroughly tested in all supported
: operating systems and databases... Special thanks to Zinho from
: SecurityForge for auditing the source code. Thanks to mAtrix for fixing
: the injection bugs and to all who participated in testing."
:
: The announcement isn't dated, and their forums are currently down, and
: they have other recent vuln's announced. So at this instant it's not
: clear whether they're talking about these issues:
:
: BUGTRAQ:20050511 [HSC Security Group] MaxWebPortal - Multiple SQL
: injection/XSS
: MISC:http://www.hackerscenter.com/archive/view.asp?id=2542
:
: ... or some other set of issues.
:
: Can't find an email POC, either...

SecurityTracker had another bunch of MaxWebPortal vulns.

Apr 27 = big batch of SQL injection
http://www.hackerscenter.com/archive/view.asp?id=2542
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-1417

May 11 = big batch of SQL injection
http://securitytracker.com/alerts/2005/May/1013932.html

Look to be all different scripts with little or no overlap?

From coley at linus.mitre.org Fri May 13 23:07:25 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri May 13 23:15:45 2005
Subject: [VIM] bttlxeForum infoleak - SQL injection instead? (fwd)

Inquiry sent to researcher - possible mis-diagnosis.

---------- Forwarded message ----------
Date: Fri, 13 May 2005 23:06:49 -0400 (EDT)
From: Steven M. Christey
To: deadlink@elitemail.org
Cc: coley@mitre.org
Subject: bttlxeForum infoleak - SQL injection instead?

ComSec,

I saw your recent bttlxeForum post on SecurityTracker:

http://securitytracker.com/id?1013934

You say there's a full-path information leak after providing a hex-encoded value to the page parameter, but you also show the following portion of the error message:

The SELECT statement includes a reserved word or an argument name that is misspelled or missing, or the punctuation is incorrect.

This suggests - but does not prove - that bttlxeForum might have constructed all or part of a SQL query with input from the topic parameter - your hex-encoded input - which would then suggest SQL injection.

Have you been able to confirm if the real underlying problem is, in fact, SQL injection?

Thanks,
Steve Christey
CVE Editor

From coley at mitre.org Sat May 14 00:00:51 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sat May 14 00:09:22 2005
Subject: [VIM] Original quartzcomposer-dev refs for Quartz Composer infoleak
Message-ID: <200505140400.j4E40p0u020110@linus.mitre.org>

David Remahl's post on Quartz Composer (DR018, CAN-2005-1579) alluded to a public post on the quartzcomposer-dev mailing list that prompted him to disclose. I dug up the relevant URLs from that list:

MLIST:[quartzcomposer-dev] 20050510 Quartz Quicktime embedded in remote webpages...
URL:http://lists.apple.com/archives/quartzcomposer-dev/2005/May/msg00250.html

MLIST:[quartzcomposer-dev] 20050511 Re: Quartz Quicktime embedded in remote webpages...
URL:http://lists.apple.com/archives/quartzcomposer-dev/2005/May/msg00263.html

... though there were other posts in the same thread, too.

- Steve

From jericho at attrition.org Sat May 14 06:09:55 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat May 14 06:10:02 2005
Subject: [VIM] MaxWebPortal acknowledgement - but for what?
References: <200505140215.j4E2FE5J019826@linus.mitre.org>

: : "MaxWebPortal Version 1.36
: :
: : BUGTRAQ:20050511 [HSC Security Group] MaxWebPortal - Multiple SQL
: : injection/XSS
: : MISC:http://www.hackerscenter.com/archive/view.asp?id=2542
: :
: : ... or some other set of issues.
: :
: : Can't find an email POC, either...

and.. correction =)

Three batches on two days. Two batches from one person, the third from a second researcher.

Apr 27 = big batch of SQL injection
Soroush Dalili from Grayhatz security
SecurityTracker Alert ID: 1013845

article_popular.asp
article_rate.asp
article_toprated.asp
dl_popular.asp
dl_rate.asp
dl_toprated.asp
pic_popular.asp
pic_rates.asp
pic_toprated.asp
links_popular.asp
links_rate.asp
links_toprated.asp

May 11 = big batch of SQL injection
Soroush Dalili, From Grayhatz security group
SecurityTracker Alert ID: 1013932

inc_top.asp
inc_function.asp
pic_pop_share.asp
pic_pop_share.asp
pm_delete2.asp
pm_pop_privatesend_info.asp
pm_view.asp?marknew=1
pop_announce_delete.asp
pop_avatar_delete.asp
pop_delete.asp
pop_profile.asp
privatedelete.asp
privatesend_info.asp
register.asp

May 11 - SQL and XSS
From: Zinho
http://www.hackerscenter.com/archive/view.asp?id=2542

post.asp XSS
inc_functions.asp
post_info.asp
search.asp
pop_profile.asp
pm_delete2.asp

From jericho at attrition.org Sat May 14 06:52:13 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat May 14 06:52:19 2005
Subject: [VIM] discuss: MaxWebPortal as an example
References: <200505140215.j4E2FE5J019826@linus.mitre.org>

Assuming that all of the vulnerabilities disclosed are accurate (for the sake of this discussion), consider:

Apr 27: Soroush Dalili finds 12 SQL injections in various .asp
May 11: Soroush Dalili finds 14 SQL injections in various .asp
May 11: Zinho finds 1 XSS and 5 SQL injections in various .asp

All of these vulnerabilities are found in the same product, MaxWebPortal. There are no duplicates, meaning a total of 31 separate scripts were found vulnerable to SQL injection. It is safe to assume that both researchers installed it or were testing a full distribution (based on past advisories, if Zinho tested it on a live site it would not surprise me).

The question to consider is, why didn't either of the researchers find all of these injections? Why was there 14 days between Soroush's two groups?

Any speculation as to why we would see such a disclosure pattern?

From jericho at attrition.org Sat May 14 07:01:49 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat May 14 07:01:56 2005
Subject: [VIM] discuss: VulnDisco

Evgeny Demidov of GLEG posted to DailyDave announcing the release of their "VulnDisco" pack. This is a pack of exploits for the CANVAS framework, released by Aitel & Immunity. According to PDF, this pack contained a wide variety of 0day exploits. Since then, he has followed up with three updates that include a few more exploits each time.

Before anyone replies, consider this. I mailed Dave Aitel and asked if he could verify that this pack of vulnerabilities were legit. Since they are a CANVAS framework based set, I figured he of all people could authenticate Evgeny's research. Dave replied and said he had not tested any of it, and in fact, had not received a copy. While Immunity was a reseller of the VulnDisco pack, they were not privileged to a copy of it. I found that surprising.

There has been no followup on DailyDave regarding these packs, good nor bad. Below you will find a summary of the posts and exploits claimed in each pack. That said, how does a vulnerability database handle such claims? Should we be creating entries with the details we have? Or does this amount of exploit code in one place suggest it may not be fully legit?

Thoughts from the madmen?
--
http://archives.neohapsis.com/archives/dailydave/2005-q1/0290.html
[Dailydave] ANNOUNCE - VulnDisco Pack for CANVAS release
http://www.gleg.net/download/VULNDISCO.pdf

To summarize:

Remotes in this version:

Windows

[0day] Ipswitch IMail buffer overflow
Vendor URL: http://www.ipswitch.com
Notes: remote exploit for certain IMail service.

[0day] MaxDB WebAgent stack overflow
Vendor URL: http://www.mysql.com
Notes: remote exploit for MaxDB WebTools wahttp service.

[0day] Pragma Fortress buffer overflow
Vendor URL: http://www.pragmasys.com
Notes: remote exploit for Pragma Fortress SSH server.

Unix

[0day] Exim 4.43 stack overflow
Vendor URL: http://www.exim.org
Notes: exploit for published AUTH SPA stack overflow.

[0day] ntpd buffer overflow
Vendor URL: http://www.ntp.org
Notes: remote root for certain configurations of ntpd

[0day] Samba buffer overflow
Vendor URL: http://www.samba.org
Notes: remote exploit for certain configurations of smbd

[0day] Sun ONE ASP buffer overflow
Vendor URL: http://www.sun.com

[0day] Sun ONE ASP arbitrary file retrieval exploit
Vendor URL: http://www.sun.com

Denial of service attacks

[0day] FreeBSD/NetBSD/OpenBSD kernel remote DoS
Vendor URL: http://www.freebsd.org, http://www.openbsd.org, http://www.openbsd.org
Notes: remote crash&reboot for certain configurations of *BSD kernel

[0day] fam remote DoS
Vendor URL: http://oss.sgi.com/projects/fam/
Notes: remote crash for certain configurations of fam

[0day] Ipswitch IMail remote DoS
Vendor URL: http://www.ipswitch.com

[0day] Kerio MailServer remote DoS
Vendor URL: http://www.kerio.com
Notes: remote crash in Kerio MailServer

[0day] MDaemon remote DoS
Vendor URL: http://www.altn.com

[0day] LSASS.EXE remote DoS
Vendor URL: http://www.microsoft.com

[0day] MySQL 4.x server remote DoS
Vendor URL: http://www.mysql.com

http://archives.neohapsis.com/archives/dailydave/2005-q1/0340.html
[Dailydave] VulnDisco Pack for CANVAS v1.1 is available

New remotes in this version:

[0day] Ethereal heap overflow (proof of concept)
[0day] Miranda IM buffer overflow
[0day] MDaemon buffer overflow

http://archives.neohapsis.com/archives/dailydave/2005-q2/0008.html
[Dailydave] VulnDisco Pack v1.2 for CANVAS is available

New remotes in this version:

[0day] PHP remote DoS
[0day] OpenSSL remote DoS
[0day] NSS heap overflow (proof of concept)**

http://archives.neohapsis.com/archives/dailydave/2005-q2/0087.html
[Dailydave] VulnDisco Pack v1.3 for CANVAS is available

New remote in this version:

[0day] SIMA - Samba remote root

From jericho at attrition.org Sat May 14 08:22:33 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat May 14 08:22:40 2005
Subject: [VIM] April Oracle advisory - drowning in the wrong data
In-Reply-To: <200505060512.j465CHpe008527@linus.mitre.org>
References: <200505060512.j465CHpe008527@linus.mitre.org>

: I've been slugging it out with the April 2005 Oracle advisory, trying to
: apply CVE's usual content decisions to it, which makes for small
: clusters of vulns if they all affect the same versions.

good..

: I was all ready to create about 25 new candidates. The only remaining
: task was to map them to existing published advisories.

bad! the last two months of dealing with Oracle advisories have taught me this is a futile effort. even by a week after the advisory is released, only a small percent of people speak up and post details about the flaws. this last time was worse I think. ended up making a ton of entries and only seeing half a dozen correspond to researchers' posts.

: There's not enough published data to figure out which public
: researchers' advisories go with which Oracle bug ID's. Also, I can't
: tell which issues already have CANs, and which ones don't.

i even mailed a few of the people credited with finding flaws. one replied "no clue if issue X in the advisory matches issue Y that I disclosed".
Oracle's wording and description was vague enough so that the researcher could not confirm it, even after I picked 1 entry out of a hundred that I thought was a match.

: NGSSoftware have published a generic advisory at
: http://www.ngssoftware.com/advisories/oracle-03.txt but they only
: mention "multiple" vulnerabilities and you can't infer from the affected
: versions which vulns they're talking about, either.

.. and they wait 90 days =) bleh

: Red Database Security posted some rather detailed comments here:
:
: http://www.red-database-security.com/wp/comments_oracle_cpu_april_2005_us.pdf

He will respond to your mails fast, but i'm fairly sure this is who I refer to above as not being able to match up the issues himself.

: The obvious conclusion here is to contact the Oracle people and the
: researchers, and try to sort everything out, which I will. But I wish
: it didn't take me the better part of a day before realizing that I was
: mostly back to Square One.

I hate to be the dark spot on a sunny day.. but even if you contacted 100% of the researchers mentioned, and they could confirm 100% that their vuln matched a specific oracle entry.. you'd still only be hitting about 5% =)

I ended up spending about two full days breaking this out according to OSVDB standards. I mailed the researchers I could that might answer questions (not NGSS), and got nowhere. Oracle abstracts the issues a bit farther by including their idea of the vulnerable module/function/routine that doesn't necessarily match the researcher. I imagine this is due to what an end user sees vs a developer.

OSVDB 15554 - 15616, 15736. So I ended up making 63 entries for Apr 12, 2005 advisory. Of those, I was not able to get a single researcher confirmation of any of the issues.

.b

From sullo at cirt.net Sat May 14 21:59:23 2005
From: sullo at cirt.net (Sullo)
Date: Sat May 14 22:07:41 2005
Subject: [VIM] discuss: MaxWebPortal as an example
References: <200505140215.j4E2FE5J019826@linus.mitre.org>
Message-ID: <4286ACFB.4050209@cirt.net>

security curmudgeon wrote:

>The question to consider is, why didn't either of the researchers find all
>of these injections? Why was there 14 days between Soroush's two groups?
>
>Any speculation as to why we would see such a disclosure pattern?

I suspect they just got bored & took a few days off. When I was messing with cPanel the same happened, even though there were a lot more vulns... then a few days later I notified them of some more... then I just gave up because it was just swiss cheese. Had someone else been looking at the same time, they may have found 20 different problems than I did.

But that's a guess. who knows.

--
http://www.cirt.net/ | http://www.osvdb.org/

From jericho at attrition.org Sun May 15 00:34:56 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 15 00:35:02 2005
Subject: [VIM] Re: question about recent advisory (fwd)

FYI, don't think I originally sent to the list.

---------- Forwarded message ----------
From: Siegfried
To: security curmudgeon
Date: Fri, 29 Apr 2005 00:16:53 +0200
Reply-To: Siegfried
Subject: Re: question about recent advisory

Hi Brian,

For the 3. yes just multiple variables of these scripts are affected, i didn't give much details about the 4. to not see the sites using claroline in the onhold list on zone-h the next day.. :P but for sure i can give you:

claroline/inc/claro_init_header.inc.php
claroline/inc/introductionSection.inc.php
claroline/inc/lib/admin.lib.inc.php
claroline/inc/lib/tool_access_details.lib.php

i didn't know you were part of osvdb jericho, good job!
regards
Siegfried

----- Original Message -----
From: "security curmudgeon"
Sent: Thursday, April 28, 2005 9:34 PM
Subject: question about recent advisory

> Hi Siegfried,
>
> http://archives.neohapsis.com/archives/bugtraq/2005-04/0467.html
>
> In reference to the advisory on Claroline, can you provide a few more details
> so that I can properly enter these vulnerabilities in the Open Source
> Vulnerability Database (osvdb.org)?
>
> You state: Multiple Cross site scripting, 10 SQL injection, 7 directory
> traversal and 4 remote file inclusion vulnerabilities have been found in
> Claroline.
>
> 3)Multiple directory traversal vulnerabilities in
> "claroline/document/document.php" and
> "claroline/learnPath/insertMyDoc.php" could allow project administrators
> (teachers) to upload files in arbitrary folders or copy/move/delete (then
> view) files of arbitrary folders by performing directory traversal
> attacks.
>
> Of the directory traversals, are these the only two scripts affected, and the
> 7 come from different variables? Or are other scripts also affected?
>
> 4)Four remote file inclusion vulnerabilities have been discovered.
>
> Can you share which files are affected?
>
> Thanks!
>
> Brian
> OSVDB.org

From jericho at attrition.org Sun May 15 03:38:21 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 15 03:38:29 2005
Subject: [VIM] Legitimate spelling diffs in Claroline report; XSS unfixed?
In-Reply-To: <200505022108.j42L8ib8024978@linus.mitre.org>
References: <200505022108.j42L8ib8024978@linus.mitre.org>

: Issue:
:
: BUGTRAQ:20050427 ZRCSA-200501 - Multiple vulnerabilities in Claroline
: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111464607103407&w=2

Finally got to this as you can probably guess from one of my last mails..

: The reporters list "exercise_result.php" and "exercice_submit.php",
: which might suggest a spelling discrepancy or typo ("exercise"
: vs. "exercice") but the CVS logs for Claroline indicate that this
: discrepancy is legit:
:
: http://cvs.claroline.net/cgi-bin/viewcvs.cgi/Claroline010/claroline/exercice/exercise_result.php
: http://cvs.claroline.net/cgi-bin/viewcvs.cgi/claroline/claroline/exercice/exercice_submit.php
:
: The CVS log for exercise_result.php does not include any recent mods
: that specifically mention XSS, nor do the changes show typical XSS
: protections, and yet it is mentioned by the original researchers as an
: attack vector. Possibly a library problem?

The timeline included with the disclosure suggests the vendor was well in the loop and disclosure occurred after release of a patched version. Based on that and your comment above, along with the fact Siegfried clearly examined some library scripts (look at the remote file inclusions).. i'd imagine the XSS and/or the SQL injection problems are likely due to some libraries. Without followup or examining the files further..

From coley at mitre.org Mon May 16 14:54:06 2005
From: coley at mitre.org (Steven M. Christey)
Date: Mon May 16 15:02:42 2005
Subject: [VIM] Altiris AClient privilege escalation bugs - one or two?
Message-ID: <200505161854.j4GIs6iH027391@linus.mitre.org>

Various vulnerability information sources appear to be combining two separate Altiris Client Service for Windows (AClient) privilege escalation reports into a single issue; however, the reported versions, and methods of attack, suggest that there may be separate issues, although closely related.

Both issues were announced by the same researcher, Reed Arvin. One was announced in November 2004 and one in April 2005.

November 2004 -

BUGTRAQ:20041119 Privilege escalation flaw in AClient Service for Windows (Version 5.6.181).
URL:http://www.securityfocus.com/archive/1/381649

Affected version: 5.6 SP1 Hotfix E (5.6.181)

Method of attack: open the AClient tray icon, use View Log File, launch cmd.exe with SYSTEM privileges

April 2005 -

FULLDISC:20050427 Privilege escalation and password protection bypass in Altiris Client Service for Windows (Version 6.0.88)
URL:http://archives.neohapsis.com/archives/fulldisclosure/2005-04/0614.html

Affected version: 6.0.88

Method of attack: use a program to find the "Altiris Client Service" window. Report implies that this window is normally hidden - "Compile and run the following code to unhide the Altiris Client Service window." The user can then modify the various options in the window, including disabling the "Hide client tray icon box" option. This in turn enables the same attack as specified in the November 2004 report.

A major question is whether this new post is merely a new attack vector that the researcher had not been aware of in November, and/or a new attack vector that's been enabled by the new version that he later tested, or if Altiris attempted to fix the November bug but didn't do it properly.

I'll email Reed to get some clarification, but at this point, CVE is considering these two separate issues (CAN-2005-1590 and CAN-2004-2070, forthcoming).

- Steve

From jericho at attrition.org Mon May 16 17:24:31 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon May 16 17:24:40 2005
Subject: [VIM] lbreakout security question

Hello,

I work with the Open Security Vulnerability Database (osvdb.org) and am trying to determine something about the security problems reported in the lbreakout game. Around Feb 22, 2004 Ulf Harnhammar from Debian found a local overflow in the HOME environment variable. Debian provided a patch for their users, but there was no indication if the original package was updated with a fix.

A couple days ago, the Freshmeat mail list indicated a new version of lbreakout was available. Checking the details, it said that a security patch was applied. The changelog credits "U.H." (Ulf Harnhammar I assume) but shows a date of 05/02/14, about one year after the overflow issue.

Can you confirm if these are the same vulnerability?

Thanks!

Brian
OSVDB.org

references:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0158
http://www.debian.org/security/2004/dsa-445

From jericho at attrition.org Mon May 16 17:33:43 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon May 16 17:33:48 2005
Subject: [VIM] Re: Woltlab Burning Board SQL Injection Vulnerability (fwd)

---------- Forwarded message ----------
From: security curmudgeon
To: GulfTech Security Research
Date: Mon, 16 May 2005 17:03:06 -0400 (EDT)
Subject: Re: Woltlab Burning Board SQL Injection Vulnerability

Hey James,

Do you know if this is the issue as described at http://www.woltlab.de/news/399_en.php?

Thanks!

Brian
OSVDB.org

From jericho at attrition.org Mon May 16 17:46:56 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon May 16 17:47:04 2005
Subject: [VIM] Re: Woltlab Burning Board SQL Injection Vulnerability (fwd)

---------- Forwarded message ----------
From: GulfTech Security Research
To: security curmudgeon
Date: Mon, 16 May 2005 16:35:53 -0500
Subject: Re: Woltlab Burning Board SQL Injection Vulnerability

I don't think it is, because I did not report my finding until 5/1/2005 and as of yesterday the available Burning Board download was still vulnerable. I hope this helps.

James
GulfTech Research And Development
P.O. Box 691
Gulfport, MS 39501
http://www.gulftech.org/?node=webappsec

security curmudgeon wrote:
> Hey James,
>
> Do you know if this is the issue as described at
> http://www.woltlab.de/news/399_en.php?
>
> Thanks!
> > Brian > OSVDB.org > > > From jericho at attrition.org Mon May 16 17:57:34 2005 From: jericho at attrition.org (security curmudgeon) Date: Mon May 16 17:57:37 2005 Subject: [VIM] Slackware security a tad behind.. Message-ID: In the past I've noted vendors who are slow to patch. Slackware may win the record with a two and a half year delay.. http://slackware.com/security/viewer.php?l=slackware-security&y=2005&m=slackware-security.349681 Date: Sun, 15 May 2005 23:54:44 -0700 (PDT) fixes a vuln in NcFTP and references: http://www.ncftp.com/ncftp/doc/changelog.html#3.1.5 That changelog entry: 3.1.5, 2002-10-13 <--- Security: Problem fixed where a malicious or trojaned FTP server could send back pathnames with directories different from the directory requested. For example, if you did: cd /pub get *.zip the malicious server could send back a pathname like ../../../some/other/dir/filename.here rather than pathnames such as filename.zip, and trick NcFTP into writing into a different local pathname if your user privileges had permission to write it. This problem affects many other FTP client programs. We were asked not to post this item in the change log until these other programs could be fixed. That is why this item in the change log was added two months after the initial posting of version 3.1.5. From jericho at attrition.org Tue May 17 15:11:26 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue May 17 15:11:41 2005 Subject: [VIM] Re: lbreakout security question (fwd) Message-ID: ---------- Forwarded message ---------- From: Michael Speck To: security curmudgeon Date: Tue, 17 May 2005 14:59:52 +0200 Subject: Re: lbreakout security question Hi, The patch from Ulf I applied this time was about bad snprintf calls. I think I very distantly remember about getting a patch (actually some since other games were affected too) about the HOME environment variable. I'm quite sure I applied this one even if I did not mention it. 
However, I no longer have this patch floating around and don't know what the problem was so I cannot confirm 100%. But I'm quite sure though. regards, Michael On 5/16/05, security curmudgeon wrote: > > Hello, > > I work with the Open Security Vulnerability Database (osvdb.org) and am > trying to determine something about the security problems reported in the > lbreakout game. Around Feb 22, 2004 Ulf Harnhammar from Debian found a > local overflow in the HOME environment variable. Debian provided a patch > for their users, but there was no indication if the original package was > updated with a fix. > > A couple days ago, the Freshmeat mail list indicated a new version of > lbreakout was available. Checking the details, it said that a security > patch was applied. The changelog credits "U.H." (Ulf Harnhammar I assume) > but shows a date of 05/02/14, about one year after the overflow issue. > > Can you confirm if these are the same vulnerability? > > Thanks! > > Brian > OSVDB.org > > references: > http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0158 > http://www.debian.org/security/2004/dsa-445 > > From jericho at attrition.org Tue May 17 15:11:54 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue May 17 15:12:01 2005 Subject: [VIM] Re: WoltLab security question (fwd) Message-ID: ---------- Forwarded message ---------- From: WoltLab GmbH Team To: security curmudgeon Date: Tue, 17 May 2005 16:39:53 +0200 Subject: Re: WoltLab security question Dear security curmudgeon, all vulnerabilities are fixed in our new version 2.3.2: http://www.woltlab.de/news/405_en.php > I am trying to ascertain if a recent security posting is the same issue > listed on various security sites. > http://www.woltlab.com/news/399_en.php > 04-19-2005 06:45pm > Security Update for Burning Board 2 and Burning Board Lite released > Today we have been notified about a possible security hole in all > Burning Board and Burning Board Lite versions. 
> We have fixed the problem
> and provide you the update files for versions 2.0.3, 2.1.5, 2.2.1 and
> 2.3.1 in the members area. The download of the fixed Burning Board Lite
> version can be found in Products -> Burning Board Lite.
>
> Checking the CVE project (http://cve.mitre.org) and OSVDB
> (http://osvdb.org), the following vulnerabilities are listed in the rough
> time frame:
>
> 15907 WoltLab Burning Board pms.php folderid Variable XSS
> Apr 24, 2005
>
> 15807 WoltLab Burning Board thread.php hilight Variable XSS
> Apr 22, 2005
>
> 14356 WoltLab Burning Board session.php Multiple Parameter SQL Injection
> Mar 3, 2005
>
> The date of the posting above puts it between the session.php and
> thread.php issues. Can you please verify if the posting above relates to
> one of these two issues, the date is incorrect and it pertains to another
> issue afterwards, or if it is an entirely different vulnerability?
>
> Thanks!
>
> Brian Martin
> OSVDB.org

Thank you for using Burning Board,
The WoltLab GmbH Team

From jericho at attrition.org Tue May 17 16:48:35 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue May 17 16:48:42 2005
Subject: [VIM] GAs Guestbook & Ultimate Forum - odd

GAs Guest Book
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0351.html

Ultimate Forum
http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0350.html

Same vendor so this attack being in common makes sense. However, hitting the vendor web page I don't see 'Ultimate Forum' listed on the product links anywhere (GAs Guest Book is there). Secunia lists the vendor for the guestbook as http://www.4u2ges.com/gb/gb.htm, the original posts say http://www.gurgensvbstuff.com. GA = Gurgen Alaverdian and both sites are owned by GASoft. The 4u2ges site has "GA's Forum" but no "Ultimate Forum" making me wonder if this affects "GA's Forum" instead.

From coley at mitre.org Tue May 17 19:37:18 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 17 19:45:49 2005
Subject: [VIM] Zoidcom 1.0 beta 4 crash - not an overflow
Message-ID: <200505172337.j4HNbIYm010505@linus.mitre.org>

Regarding:

BUGTRAQ:20050510 Crash in Zoidcom 1.0 beta 4
URL:http://archives.neohapsis.com/archives/bugtraq/2005-05/0107.html
MISC:http://aluigi.altervista.org/adv/zoidboom-adv.txt

Multiple sources have referred to this as a buffer overflow, when it's not an "overflow" at least as traditionally regarded.

According to Luigi Auriemma's report, the attack involves manipulating a size field of a packet. This size field, if too big, then causes Zoidcom to "try to read the unallocated memory located after the packet buffer or the library will exit immediately if the amount of bits is so big that the target buffer cannot be allocated."

So there's bad buffer management, and modification of length fields is a common attack these days, but in this case, there's no stack-smashing or heap corruption. I'm not sure what term to use, as the underlying bug is still basically the same as the bugs that allow classic overflows, but to just say "buffer overflow" seems inaccurate.

- Steve

From coley at mitre.org Tue May 17 21:12:46 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 17 21:21:17 2005
Subject: [VIM] Re: GAs Guestbook & Ultimate Forum - odd
Message-ID: <200505180112.j4I1CkTZ012790@linus.mitre.org>

>GAs Guest Book
>http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0351.html
>
>Ultimate Forum
>http://archives.neohapsis.com/archives/fulldisclosure/2005-05/0350.html
>
>Same vendor so this attack being in common makes sense. However,
>hitting the vendor web page I don't see 'Ultimate Forum' listed on the
>product links anywhere (GAs Guest Book is there).

This screams "copy-and-paste" error on the part of the researcher, as a lot of the text in one advisory is used verbatim in the other advisory. But let's wait and see...
>Secunia lists the vendor for the guestbook as
>http://www.4u2ges.com/gb/gb.htm...

This is linked to from the http://www.gurgensvbstuff.com/gbook/ front page.

>...
>The 4u2ges site has "GA's Forum" but no "Ultimate Forum"
>making me wonder if this affects "GA's Forum" instead.

I downloaded "GA's Forum Light-4-RC3.0" from that URL, but it does not have a "commit.asp" page (mentioned in basher's "Ultimate Forum" post) nor does it have a "reset.asp" page (mentioned in the "Gurgens Guest Book" post). Neither is there a "Genid.dat" or "mappath" in any of the ASP files, so whatever GA's Forum is, it doesn't seem like it's the same as "Ultimate Forum."

But then again we have this:

http://www.freevbcode.com/ShowCode.asp?ID=4288

which links "Ultimate Forum" with "Gurgen Alaverdian" and gets us right back to http://www.gurgensvbstuff.com/

HOWEVER... I navigated to this page:

http://www.gurgensvbstuff.com/index.php?ID=22

which is theoretically *also* "GA's Forum Light" which gives us this download URL:

http://www.gurgensvbstuff.com/Zips/forum_21.zip

which, when downloaded, looks a bit different from the *other* "GA's Forum Lite" that I had downloaded, but there's a db/genid file (no .dat), but still no commit.asp. But it has some code that calls a CryptText function, as mentioned in basher's "Ultimate Forum" post. Still, it's not quite it.

I went back to the freevbcode.com site with the Ultimate Forum, and downloaded *this*:

http://www.freevbcode.com/source/Forum.zip

and voila! it has a commit.asp, a db/genid.dat, even the "$u@gess" key.

So, we have:

1) "Ultimate Forum," released by Gurgen Alaverdian in May 2002, and still available for download in some places; and the subject of basher's "Ultimate Forum" post.

2) "GA's Forum 2.1," released by Gurgen Alaverdian in March 2004, which has some code in common with "Ultimate Forum."

3) "GA's Forum Light 4 RC3.0," released by Gurgen Alaverdian in February 2005, which has some code in common with Forum 2.1.
I just love having to infer codebase relationships for obscure products!

- Steve


From jericho at attrition.org Tue May 17 22:52:15 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue May 17 22:52:17 2005
Subject: [VIM] Re: Slackware security a tad behind.. (fwd)
Message-ID:

---------- Forwarded message ----------

Hey folks,

-----
An advisory recently went out on NcFTP, but it appears that the issue in question was fixed long ago in version 3.1.5, released on 2002-10-13.

I received an email at security@slackware.com from a well-meaning user informing me that 3.1.9 had a security issue that was going unpatched:

> I just noticed that there is a new security update (version 3.1.9) for
> NcFTP client available, but the current Slackware Package Browser lists
> version ncftp-3.1.8-i486-1.

I then went to www.ncftp.com to verify this, and managed to misread the site, thinking that an old security advisory pertained to 3.1.9. I imagine that's the same thing that happened to the person who wrote to me.

Anyway, just to let you all know that if you already have 3.1.5 or newer that there aren't any security issues affecting you that I'd consider worth an advisory. My apologies if this has been an inconvenience to any Slackware users, or if the fine people at NcFTP or other distributions have had to answer any questions about this. I'll try to read more carefully next time. :-)

Take care,

Pat
-----


From coley at mitre.org Tue May 17 23:33:54 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 17 23:42:25 2005
Subject: [VIM] Re: discuss: VulnDisco
Message-ID: <200505180333.j4I3Xs9j023541@linus.mitre.org>

>Below you will find a summary of the posts and exploits claimed in
>each pack. That said, how does a vulnerability database handle such
>claims? Should we be creating entries with the details we have? Or
>does this amount of exploit code in one place suggest it may not be
>fully legit?

This question is rather disconcerting for a number of reasons.
Ignoring the ethical questions that it raises regarding disclosure, the report does not provide sufficient information that

- could allow a DB to know if the issue is truly 0day (i.e., to make sure it's not a duplicate of something that's already in the DB)

- could allow a vendor to validate and repair the issue

- could allow a third party to validate and repair the issue

At least, such validation could not be performed without paying the asking price for the pack ($1200 and up). The license explicitly says that the user cannot "disclose any information concerning the Pack or any information derived from the Pack," which means that even summarizing the technical details - which are theoretically derivable from the CANVAS scripts if not already described by the author - is prohibited.

In terms of quality information, which is needed to have a good database, VulnDisco is thus less informative to the general public than posts to unmoderated and unfiltered publication sources such as the Full-Disclosure list. Then again, it's not much less informative than security advisories from some vendors.

I'd say that it's a judgment call on the part of each database owner, but if the issues are catalogued, then the database should emphasize strongly that the issues cannot be independently verified based on existing information.

A roughly similar thing happened recently with some claims about a DoS problem in Adobe Acrobat reader (CAN-2005-1347), in which a vague, detail-free researcher post to SecurityTracker was picked up by various vulnerability information sources, but the researcher would not provide details to either Adobe or SecurityTracker. On the one hand you can't say for sure whether it's legit or not, but it seems like a bad precedent is being set.

How's that for a non-answer? ;-)

(I'm still thinking about it for CVE.)
- Steve


From jericho at attrition.org Wed May 18 00:58:57 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 18 00:58:59 2005
Subject: [VIM] Re: discuss: VulnDisco
In-Reply-To: <200505180333.j4I3Xs9j023541@linus.mitre.org>
References: <200505180333.j4I3Xs9j023541@linus.mitre.org>
Message-ID:

: Ignoring the ethical questions that it raises regarding disclosure,
: the report does not provide sufficient information that
:
: - could allow a DB to know if the issue is truly 0day (i.e., to make
: sure it's not a duplicate of something that's already in the DB)

I haven't looked, but there is a chance some of them could be determined. "Product X remote overflow" would be new if we found no mention of that product having a remote overflow before. Still not that helpful since previous entries might be "remote DoS" and it is unclear that it was an overflow causing the DoS.

: - could allow a vendor to validate and repair the issue
:
: - could allow a third party to validate and repair the issue

The best hope of getting it validated at all would be them providing a copy to Dave Aitel or Immunity and getting some kind of confirmation that the exploits are real. It would still leave a lot of this up in the air, but having someone I trust technically to validate them helps a lot.

: Then again, it's not much less informative than security advisories from
: some vendors.

So true =)

: How's that for a non-answer? ;-)

Hah, exactly what I expected actually. This is a rough issue for VDBs.

: (I'm still thinking about it for CVE.)

I'm keeping track of them so far, but not making entries. I'm curious if just the postings so far will prompt someone to find the vulns and disclose them.


From coley at mitre.org Wed May 18 01:24:11 2005
From: coley at mitre.org (Steven M.
Christey)
Date: Wed May 18 01:32:44 2005
Subject: [VIM] verifiable vendor acknowledgement for Orenosv overflows
Message-ID: <200505180524.j4I5OBNo025291@linus.mitre.org>

Regarding the Orenosv server overflows as reported by SIG^2 in early May (CAN-2005-1666, forthcoming):

http://www.security.org.sg/vuln/orenosv081.html

Vendor acknowledgement is claimed in the SIG^2 advisory, and verifiable by the vendor home page:

http://hp.vector.co.jp/authors/VA027031/orenosv/index_en.html

The vendor front page includes a Status item for version 0.8.1a, dated 5/7/2005 (obviously May 7 instead of July 5, since this page was viewed on May 18), which says "Security DoS: Fixed vulnerabilities reported by Tan Chew Keong" (i.e., SIG^2).

- Steve


From jericho at attrition.org Wed May 18 05:30:20 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 18 05:30:26 2005
Subject: [VIM] Re: GAs Guestbook & Ultimate Forum - odd
In-Reply-To: <200505180112.j4I1CkTZ012790@linus.mitre.org>
References: <200505180112.j4I1CkTZ012790@linus.mitre.org>
Message-ID:

: So, we have:
:
: 1) "Ultimate Forum," released by Gurgen Alaverdian in May 2002, and
: still available for download in some places; and the subject of
: basher's "Ultimate Forum" post.
:
: 2) "GA's Forum 2.1," released by Gurgen Alaverdian in March 2004,
: which has some code in common with "Ultimate Forum."
:
: 3) "GA's Forum Light 4 RC3.0," released by Gurgen Alaverdian in
: February 2005, which has some code in common with Forum 2.1.

Hah, very nice work on this =) And I thought programmers were more on the anal retentive and organized side..


From jericho at attrition.org Wed May 18 05:40:49 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 18 05:40:56 2005
Subject: discuss terminology: overflow (was Re: [VIM] Zoidcom ..)
In-Reply-To: <200505172337.j4HNbIYm010505@linus.mitre.org>
References: <200505172337.j4HNbIYm010505@linus.mitre.org>
Message-ID:

: Multiple sources have referred to this as a buffer overflow, when it's
: not an "overflow" at least as traditionally regarded.
:
: According to Luigi Auriemma's report, the attack involves manipulating a
: size field of a packet. This size field, if too big, then causes
: Zoidcom to "try to read the unallocated memory located after the packet
: buffer or the library will exit immediately if the amount of bits is so
: big that the target buffer cannot be allocated."
:
: So there's bad buffer management, and modification of length fields is a
: common attack these days, but in this case, there's no stack-smashing or
: heap corruption.
:
: I'm not sure what term to use, as the underlying bug is still basically
: the same as the bugs that allow classic overflows, but to just say
: "buffer overflow" seems inaccurate.

Is there a VDB dictionary anywhere? I imagine the original term was more vague and meant overflowing a buffer. After a while it morphed into the more well known overflow (stack smashing etc) but when you think about it.. who determines the meaning?

Another example that just came up with OSVDB. Unspecified vs Nondescript .. which is more appropriate? The older (1910 range) meaning is appropriate for our titles.

nondescript \non"de*script\, a. [Pref. non- + L. descriptus described.]
1. Not hitherto described; hence, of no recognizable type or class; odd; abnormal; unclassifiable. [1913 Webster]
2. Dull or uninteresting; undistinguished. [PJC]

Check a more recent dictionary listing though, and it has taken on the 'dull' or 'drab' meaning.
nondescript
adj : lacking distinct or individual characteristics; dull and uninteresting; "women dressed in nondescript clothes"; "a nondescript novel" [syn: characterless]
n : a person is not easily classified and not very interesting

So over time, nondescript turned into a term that wasn't ideal for describing vague security vulnerabilities, and 'unspecified' is more appropriate.

Point being.. has 'overflow' started as one thing, turned into another, and now ends up being accurate if the original meaning is applied? In this case there is a small buffer being provided too much information, and the program acting poorly. Isn't that "overflowing" the buffer?


From jericho at attrition.org Wed May 18 06:19:12 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 18 06:19:14 2005
Subject: [VIM] Altiris AClient privilege escalation bugs - one or two?
In-Reply-To: <200505161854.j4GIs6iH027391@linus.mitre.org>
References: <200505161854.j4GIs6iH027391@linus.mitre.org>
Message-ID:

: Various vulnerability information sources appear to be combining two
: separate Altiris Client Service for Windows (AClient) privilege
: escalation reports into a single issue; however, the reported versions,
: and methods of attack, suggest that there may be separate issues,
: although closely related.
:
: Both issues were announced by the same researcher, Reed Arvin. One was
: announced in November 2004 and one in April 2005.

To me that stands out and suggests two issues. Reed Arvin has disclosed a number of vulnerabilities.. seems he would point out "still not patched" if it was the same issue.
: November 2004 -

11995 Altiris Deployment Solution AClient Service Taskbar Local Privilege Escalation

: Method of attack: open the AClient tray icon, use View Log File,
: launch cmd.exe with SYSTEM privileges
:
: April 2005 -

15896 Altiris Deployment Solution AClient Password Protection Bypass
15897 Altiris Deployment Solution AClient System Tray Icon Privilege Escalation

I broke this out as two separate issues. If the client was running under an account with privileges, just bypassing the password protection could give an attacker increased privileges. If it isn't, then using the second issue can escalate as well.

: Method of attack: use a program to find the "Altiris Client Service"
: window. Report implies that this window is
: normally hidden - "Compile and run the following
: code to unhide the Altiris Client Service window."
: The user can then modify the various options in
: the window, including disabling the "Hide client
: tray icon box" option. This in turn enables the
: same attack as specified in the November 2004
: report.

So OSVDB 11995 and 15897 are duplicates in our database it seems. Both use the same method to gain privileges; the only difference is the time that passed between disclosures.

: A major question is whether this new post is merely a new attack vector
: that the researcher had not been aware of in November, and/or a new
: attack vector that's been enabled by the new version that he later
: tested, or if Altiris attempted to fix the November bug but didn't do it
: properly.
:
: I'll email Reed to get some clarification, but at this point, CVE is
: considering these two separate issues (CAN-2005-1590 and CAN-2004-2070,
: forthcoming).

Based on the above, yes.


From coley at mitre.org Wed May 18 17:05:06 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed May 18 17:14:03 2005
Subject: [VIM] Generic vs.
Specific XSS in phpCodeCabinet 0.4
Message-ID: <200505182105.j4IL56ji006814@linus.mitre.org>

In February 2004, phpCodeCabinet 0.4 and earlier was reported to have various XSS issues. Some vuln. sources created a generic entry to cover all of them; some also included a specific item for some (but not all) instances.

I've done a little more research to resolve the generic vs. specific issues to obtain some clarity and figure out how many candidates to create.

The generic issue probably comes from the changelog here:

http://sourceforge.net/project/shownotes.php?release_id=214860

This "CHANGELOG for phpCodeCabinet v0.5 (since 0.4)" includes the following item:

6. Fixed http script injection vulnerability within several files. Thanks to Yao-Wen (Wayne) Huang for pointing them out.

In turn, the changelog lists various files that have been modified, which includes non-security fixes:

- browse.php
- category.php
- comments.php
- config.php
- export.php
- import.php
- input.php
- search.php
- setup.php
- snippet.php
- theme/facade/header.php
- theme/phpcc/header.php

Looks like OSVDB had garnered the CVS diffs for some of these files, namely comments.php (OSVDB:3885), category.php (OSVDB:3886), and input.php (OSVDB:3887). There's also a generic identifier (OSVDB:3920), which points to a generic item from ISS X-Force - phpcodecabinet-multiple-xss(15190) - which in turn points to the previously mentioned changelog. OSVDB:3920 also points to Secunia's SA10862, which is also generic, and credits Yao-Wen, which effectively links back to the same changelog.

So, these generic entries are all talking about changelog item #6 as listed above.

I searched the comments in the CVS diffs for all the modified files identified in the changelog, looking for changes that were relevant to the generic XSS issue. Each of these files has an item in January 2004 that says:

Fixed http script injection vulnerabilities.
Those files are:

comments.php
category.php
input.php
browse.php
themes/facade/header.php
themes/phpcc/header.php

(note the typo in the vendor's changelog that uses "theme/" instead of "themes/")

The relevant diffs are:

http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/comments.php?r1=1.1&r2=1.2
http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/category.php?r1=1.4&r2=1.5
http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/input.php?r1=1.7&r2=1.8
http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/browse.php?r1=1.5&r2=1.6
http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/facade/header.php?r1=1.4&r2=1.5
http://cvs.sourceforge.net/viewcvs.py/phpcodecabinet/phpcc/themes/phpcc/header.php?r1=1.4&r2=1.5

So, the infosources that use generic *and* specific entries for phpCodeCabinet 0.4 XSS now have a little more information to work with.

- Steve


From coley at linus.mitre.org Thu May 19 12:32:29 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu May 19 12:41:11 2005
Subject: discuss terminology: overflow (was Re: [VIM] Zoidcom ..)
In-Reply-To:
References: <200505172337.j4HNbIYm010505@linus.mitre.org>
Message-ID:

On Wed, 18 May 2005, security curmudgeon wrote:

> : Multiple sources have referred to this as a buffer overflow, when it's
> : not an "overflow" at least as traditionally regarded.
> :
> : According to Luigi Auriemma's report, the attack involves manipulating a
> : size field of a packet. This size field, if too big, then causes
> : Zoidcom to "try to read the unallocated memory located after the packet
> : buffer or the library will exit immediately if the amount of bits is so
> : big that the target buffer cannot be allocated."
> :
> : So there's bad buffer management, and modification of length fields is a
> : common attack these days, but in this case, there's no stack-smashing or
> : heap corruption.
> :
> : I'm not sure what term to use, as the underlying bug is still basically
> : the same as the bugs that allow classic overflows, but to just say
> : "buffer overflow" seems inaccurate.
>
> Is there a VDB dictionary anywhere? I imagine the original term was more
> vague and meant overflowing a buffer. After a while it morphed into the
> more well known overflow (stack smashing etc) but when you think about
> it.. who determines the meaning?

It's informal, near as I can tell, but it seems like VDBs play a strong role in increasing the adoption of particular terms.

> Another example that just came up with OSVDB. Unspecified vs Nondescript
> .. which is more appropriate?

CVE has been saying "unknown vulnerability" but the trend is clearly to say "unspecified," and I like that better, so I expect to start using "unspecified" fairly soon.

> Point being.. has 'overflow' started as one thing, turned into another,
> and now ends up being accurate if the original meaning is applied?

When format string vulnerabilities first came out, they were sometimes referred to as buffer overflows. You see a similar thing with integer overflows and signedness issues these days.

I think that "overflow" first started as - "blindly copies a large input buffer into a smaller input buffer," but now there are a whole lot of variants to that. Consider cases where there are 2 inputs - a length field and a string - and the application trusts the length field but doesn't verify that the provided string is that length. That leads to an overflow, but it's more than a "blind copy" error. Or take off-by-one overflows, which are really due to a mathematical bug. It used to be that you just provided a single large string of 'A' characters - now, multiple strings are constructed, and the overflow may arise because the application doesn't properly track "special" characters. Or you use special characters that wind up being expanded in the final string, e.g. "&" might become "&amp;" in a web app.
From the programming side, you're seeing a lot of different bugs cropping up; the exploits, at their core, are the same (provide more input than allocated), but with these new bug types, the exploits may require more "prep work" and/or multiple inputs, where a "classic" overflow was just one input, one bug.

> case there is a small buffer being provided too much information, and
> the program acting poorly. Isn't that "overflowing" the buffer?

The problem is that "overflow" once merged both programming bug ("blind unbounded copy") and attack technique ("send larger string than expected"), but now there are multiple bugs and multiple attack techniques all being described with the same term.

- Steve


From coley at mitre.org Thu May 19 12:41:09 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu May 19 12:49:47 2005
Subject: [VIM] mysql_install_db permissions (CAN-2005-1636) version correction
Message-ID: <200505191641.j4JGf9EI020722@linus.mitre.org>

Issue:

CVE:CAN-2005-1636
FULLDISC:20050517 MySQL < 4.0.12 && MySQL <= 5.0.4 : Insecure tmp
URL:http://marc.theaimsgroup.com/?l=full-disclosure&m=111632686805498&w=2
MISC:http://www.zataz.net/adviso/mysql-05172005.txt

Secunia pointed out to me that the researcher made a mistake in the initial advisory, saying that 4.x before 4.0.12 was affected, when in fact it's 4.1.x before 4.1.12; the original advisory at http://www.zataz.net/adviso/mysql-05172005.txt can be consulted to confirm that this change was made.

- Steve


From coley at mitre.org Thu May 19 13:09:29 2005
From: coley at mitre.org (Steven M.
Christey)
Date: Thu May 19 13:18:27 2005
Subject: [VIM] Vendor ack for Miranda IM PopUp overflow (CAN-2005-1093)
Message-ID: <200505191709.j4JH9T6N029154@linus.mitre.org>

Juha-Matti Laurio informed CVE of vendor acknowledgement for the Miranda IM PopUp overflow (CAN-2005-1093):

"Popup+: remotely exploitable buffer overflow"
http://forums.miranda-im.org/showthread.php?p=9624

"Critical Bug In PopUp Plus Plugin"
http://forums.miranda-im.org/showthread.php?t=1070

The News Column on the vendor front page (http://www.miranda-im.org/) also has an entry dated 19/04/2005 that says:

Popup+ Remotely exploitable overflow - by Sam K (19/04/2005)

As reported on various security mailing lists - The Popup+ plugin contains a bug when used with smiley add that lets a remote attack run arbitrary code from a crafted instant message on any protocol.

Notes:

- PopUp is a plugin for Miranda IM
- the PopUp author is known as "zazoo" but also posted as "nullbie" on the Miranda IM forums

- Steve


From jericho at attrition.org Sun May 22 03:12:23 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 22 03:12:26 2005
Subject: [VIM] Generic vs. Specific XSS in phpCodeCabinet 0.4
In-Reply-To: <200505182105.j4IL56ji006814@linus.mitre.org>
References: <200505182105.j4IL56ji006814@linus.mitre.org>
Message-ID:

: The generic issue probably comes from the changelog here:
:
: http://sourceforge.net/project/shownotes.php?release_id=214860

We often get entries from changelogs.. this one was due to the ISS entry though, which references the changelog.

: Looks like OSVDB had garnered the CVS diffs for some of these files,
: namely comments.php (OSVDB:3885), category.php (OSVDB:3886), and
: input.php (OSVDB:3887).

yep. i dug into the CVS at the time and found those 3 with specific mention of security fixes.
: There's also a generic identifier (OSVDB:3920), which points to a
: generic item from ISS X-Force - phpcodecabinet-multiple-xss(15190) -
: which in turn points to the previously mentioned changelog. OSVDB:3920
: also points to Secunia's SA10862, which is also generic, and credits
: Yao-Wen, which effectively links back to the same changelog.

this is a dupe to the other 3, yep. will remove

: Each of these files has an item in January 2004 that says:
:
: Fixed http script injection vulnerabilities.
:
: Those files are:
:
: comments.php
: category.php
: input.php
: browse.php
: themes/facade/header.php
: themes/phpcc/header.php

interesting. the night i checked, only the 3 had them. wonder if the other 3 surfaced a day or two after i made entries..

: So, the infosources that use generic *and* specific entries for
: phpCodeCabinet 0.4 XSS now have a little more information to work with.

Sure does, thanks for catching this!


From jericho at attrition.org Sun May 22 14:42:33 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 22 14:42:36 2005
Subject: [VIM] [Change Request] 15931: Smartor Photo Album for phpBB (fwd)
Message-ID:

this would be yet another false report from Diabolic Crab if true. Dcrab is hitting about 50% on valid vulnerabilities these days I think.

---------- Forwarded message ----------
From: Smartor XP
X-Sender: smartor_xp@hotmail.com
X-Originating-IP: [203.160.1.68]
To: moderators@osvdb.org
Cc: dcrab@hackerscenter.com
Date: Mon, 23 May 2005 01:31:50 +0700
Subject: [OSVDB Mods] [Change Request] 15931: Smartor Photo Album for phpBB

Hi,

I am Smartor. I've just been informed about this
http://www.osvdb.org/displayvuln.php?osvdb_id=15931

Did you verify it?
Try it with my site http://smartor.is-root.com

I am sure that is a false bug report, because my album does not have album_search.php at all :D

Maybe Diabolic Crab missed my own written album with some (many) other modified versions (by other programmers) around the Internet

Greetz,
Smartor


From jericho at attrition.org Sun May 22 14:51:17 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 22 14:51:20 2005
Subject: [VIM] Re: [Change Request] 15931: Smartor Photo Album for phpBB (fwd)
Message-ID:

---------- Forwarded message ----------
From: security curmudgeon
To: Smartor XP
Cc: moderators@osvdb.org, dcrab@hackerscenter.com
Date: Sun, 22 May 2005 14:48:56 -0400 (EDT)
Subject: Re: [OSVDB Mods] [Change Request] 15931: Smartor Photo Album for phpBB

: I am Smartor. I've just been informed about this
: http://www.osvdb.org/displayvuln.php?osvdb_id=15931
:
: Did you verify it? Try it with my site http://smartor.is-root.com

By default, we do not verify all vulnerabilities reported to the mail lists due to time and resources. However, we do report them when the vendor or another researcher suggests it would be prudent. =)

: I am sure that is a false bug report, because my album does not have
: album_search.php at all :D
:
: Maybe Diabolic Crab missed my own written album with some (many) other
: modified versions (by other programmers) around the Internet

The 2.0.53 zip file does not contain album_search.php .. do you have any other older versions available? Or an online CVS repository?

In the meantime, I am going to flag OSVDB ID 15931 as a myth/fake.

Also, don't get your hopes up about Diabolic Crab replying. He tends to go quiet when someone points out the numerous errors in his research.
Brian
OSVDB.org


From jericho at attrition.org Sun May 22 16:02:48 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 22 16:02:51 2005
Subject: [VIM] Diabolic Crab history
Message-ID:

Since it has come up a few times between OSVDB folks, and several vendors have replied to us about reported vulnerabilities, I dug up a list of examples where Diabolic Crab made significant errors or failed to respond to my questions. This comes after him getting upset that I said he released advisories with errors.

----

From: security curmudgeon
To: Diabolic Crab
Date: Wed, 20 Apr 2005 12:01:06 -0400 (EDT)
Subject: Re: DUportal Pro 3.4 has MANY Sql injection and Sql Errors.

Hi Dcrab,

: Title: DUportal Pro 3.4 has MANY Sql injection and Sql Errors.

[Advisory showing the same handful of vulns over and over due to using ../ notation. first mail was 138k and contained 556 examples of SQL Injection. in reality, this was only 10 scripts vulnerable.]

----

"HTTP response splitting" Fiasco:

original post:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0186.html

someone pointing out his cut/paste solution to all vulnerabilities may not apply here:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0238.html

someone points out this isn't an http response splitting attack:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0246.html

someone points out his paper is based on another:
http://archives.neohapsis.com/archives/bugtraq/2005-04/0254.html

----

From: Massimo Arrigoni
To: moderators@osvdb.org
Date: Fri, 8 Apr 2005 23:30:40 -0700
Subject: [OSVDB Mods] [Change Request] 15267: ProductCart storelocator_submit.asp country Variable XSS

Dear Sirs,

The file referenced in this posting ("storelocator_submit.asp") doesn't even exist in ProductCart, our ecommerce application.
[mailed Dcrab, no reply]

----

http://digitalparadox.org/advisories/prodcart.txt

tarinasworld_butterflyjournal.asp doesn't exist in the package

when asked, reply: "well its a customized version that i audited.. just try da journal page.."

when asked about reporting site specific vulns as default package vulns, no reply.

----

From: security curmudgeon
To: Diabolic Crab
Date: Mon, 11 Apr 2005 18:14:51 -0400 (EDT)
Subject: Re: Directory transversal, sql injection and xss vulnerabilities in RadBids Gold v2

[asked for clarification on vuln, no reply]


From jericho at attrition.org Mon May 23 06:21:25 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon May 23 06:21:32 2005
Subject: [VIM] paFileDB Path Disclosure mess
Message-ID:

Looks like there are 3 separate times where someone discovered several path disclosure vulns in paFileDB. Enough time passed between them so CVE/OSVDB didn't notice. I only noticed it now because I was going back matching IDs between the two databases.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1974
20040427

paFileDB 3.1 allows remote attackers to gain sensitive information via a direct request to (1) login.php, (2) category.php, (3) search.php, (4) main.php, (5) viewall.php, (6) download.php, (7) email.php, (8) file.php, (9) rate.php, or (10) stats.php, which reveals the path in an error message.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0724
20050308

paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via (1) an invalid str parameter to pafiledb.php, or a direct request to (2) viewall.php, (3) stats.php, (4) search.php, (5) rate.php, (6) main.php, (7) license.php, (8) category.php, (9) download.php, (10) file.php, (11) email.php, or (12) admin.php, which reveals the path in a PHP error message.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0780
20050312

paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) auth.php, (2) login.php, (3) category.php, (4) file.php, (5) team.php, (6) license.php, (7) custom.php, (8) admins.php, or (9) backupdb.php, which reveal the path in a PHP error message.

There is a lot of overlap on these, and they all affect version 3.1 =)

I'm currently cleaning up our mess of these.

.b


From jericho at attrition.org Mon May 23 07:24:44 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon May 23 07:24:51 2005
Subject: [VIM] paFileDB Path Disclosure mess (update)
Message-ID:

almost done working through this. will have a summary shortly.. adding one more cve that covers this --

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1974
20040427

paFileDB 3.1 allows remote attackers to gain sensitive information via a direct request to (1) login.php, (2) category.php, (3) search.php, (4) main.php, (5) viewall.php, (6) download.php, (7) email.php, (8) file.php, (9) rate.php, or (10) stats.php, which reveals the path in an error message.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0724
20050308

paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via (1) an invalid str parameter to pafiledb.php, or a direct request to (2) viewall.php, (3) stats.php, (4) search.php, (5) rate.php, (6) main.php, (7) license.php, (8) category.php, (9) download.php, (10) file.php, (11) email.php, or (12) admin.php, which reveals the path in a PHP error message.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0780
20050312

paFileDB 3.1 and earlier allows remote attackers to obtain sensitive information via a direct request to (1) auth.php, (2) login.php, (3) category.php, (4) file.php, (5) team.php, (6) license.php, (7) custom.php, (8) admins.php, or (9) backupdb.php, which reveal the path in a PHP error message.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2005-0326
20050131

pafiledb.php in PaFileDB 3.1 allows remote attackers to gain sensitive information via an invalid or missing action parameter, which reveals the path in an error message when it cannot include a login.php script.

From jericho at attrition.org Mon May 23 07:31:44 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon May 23 07:31:50 2005
Subject: [VIM] paFileDB Path Disclosure mess (summary)

well, we ended up having as many as three entries for the same vuln. gruesome for a VDB =(

here is the summary. most of these are stable so everyone can check them out. as such i'm not going to list all the CVEs with each. this will show the unique scripts and first date of disclosure though. there were 4 CVE entries attached to them, quoted in previous mail.

1000277  paFileDB xx Path Disclosure  Mar 12, 2005  Mangle

not yet public. this will cover custom.php and backupdb.php from CVE 2005-0780, as well as a few others I mailed you about separately. waiting to create these entries based on your comments and the potential for it including more vulnerable scripts.
5696   paFileDB pafiledb.php Installation Path Disclosure  Mar 8, 2005   Stable
14972  paFileDB license.php Installation Path Disclosure   Mar 8, 2005   Stable
14977  paFileDB admin.php Installation Path Disclosure     Mar 8, 2005   Stable
13495  paFileDB $action.php Path Disclosure                Feb 5, 2005   New
12264  paFileDB admins.php Path Disclosure                 Dec 3, 2004   New
12266  paFileDB team.php Path Disclosure                   Dec 3, 2004   New
14967  paFileDB viewall.php Installation Path Disclosure   Apr 27, 2004  Stable
14968  paFileDB stats.php Installation Path Disclosure     Apr 27, 2004  Stable
14969  paFileDB search.php Installation Path Disclosure    Apr 27, 2004  Stable
14970  paFileDB rate.php Installation Path Disclosure      Apr 27, 2004  Stable
14971  paFileDB main.php Installation Path Disclosure      Apr 27, 2004  Stable
14973  paFileDB category.php Installation Path Disclosure  Apr 27, 2004  Stable
14974  paFileDB download.php Installation Path Disclosure  Apr 27, 2004  Stable
14975  paFileDB file.php Installation Path Disclosure      Apr 27, 2004  Stable
14976  paFileDB email.php Installation Path Disclosure     Apr 27, 2004  Stable
15033  paFileDB login.php Installation Path Disclosure     Apr 27, 2004  Stable

From coley at linus.mitre.org Tue May 24 17:48:17 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 24 17:57:16 2005
Subject: [VIM] bttlxeForum infoleak - SQL injection instead? (fwd)

On Fri, 13 May 2005, Steven M. Christey wrote:

> Inquiry sent to researcher - possible mis-diagnosis.

ComeSec just replied to my email, saying that he generally looks more closely upon initial response from a vendor, but he had not received any responses from his first inquiry.

So at this stage there's no further research.

- Steve

From coley at mitre.org Tue May 24 19:04:07 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 24 19:13:04 2005
Subject: [VIM] PROMS issues - partial clarity in the changelog
Message-ID: <200505242304.j4ON47XS021939@linus.mitre.org>

SecurityTracker [1] reported details for various issues in PROMS before 0.11, but the original vendor announcement here:

http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91

only suggests "Many security fixes."

But the CHANGELOG file, as included in the download for PROMS 0.11, has these additional details:

* Various SQL queries where vulnerable to SQL injections. Fixed. (See also README)
* A few places didn't filter out HTML entities correctly. Fixed.
* Certain combinations of rights caused users to be granted more rights then they should have been. Fixed.
* Various improvements in the security checks. Many checks depended on being the project owner where they should have depended on the individual access right. Fixed.
* It was possible for non-authorized users to view and modify the list of project members. Fixed.
* Todos could be modified by non-authorized users. Fixed.

There are other items in the changelog that might warrant review, but these were the interesting ones that I saw.

One could easily infer more details for at least the SQL injections by doing a diff on versions 0.10 and 0.11 (both are available for download), but the diff is almost 5000 lines long.
[1] http://securitytracker.com/id?1013992

From jericho at attrition.org Tue May 24 19:19:48 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue May 24 19:19:50 2005
Subject: [VIM] PROMS issues - partial clarity in the changelog
In-Reply-To: <200505242304.j4ON47XS021939@linus.mitre.org>
References: <200505242304.j4ON47XS021939@linus.mitre.org>

: SecurityTracker [1] reported details for various issues in PROMS
: before 0.11, but the original vendor announcement here:
:
: http://projects.electricmonk.nl/proms.php?action=ReleaseOverview&project_id=2&release_id=91

I caught this via Freshmeat on May 5 and dug into the changelog:

: But the CHANGELOG file, as included in the download for PROMS 0.11,
: has these additional details:
:
: * Various SQL queries where vulnerable to SQL injections. Fixed. (See also
: README)

16716 PROMS Multiple Unspecified SQL Injection May 5, 2005

: * Certain combinations of rights caused users to be granted more rights then
: they should have been. Fixed.

16715 PROMS Unspecified User Rights Logic Flaw May 5, 2005

: * It was possible for non-authorized users to view and modify the list of
: project members. Fixed.

16714 PROMS Project Member List Unauthorized Modification May 5, 2005

: * Todos could be modified by non-authorized users. Fixed.
: * A few places didn't filter out HTML entities correctly. Fixed.
: * Various improvements in the security checks. Many checks depended on
: being the project owner where they should have depended on the individual
: access right. Fixed.

these three entries don't look familiar. i'm wondering if they were added after i went through the first time. i'll have to look at making entries.

: There are other items in the changelog that might warrant review, but
: these were the interesting ones that I saw.
Also historically, I dug out two more entries:

16713 PROMS Unauthorized Action Link Disclosure Aug 28, 2003
16712 PROMS Unspecified SESSION ID Privilege Escalation Aug 10, 2003

From coley at linus.mitre.org Tue May 24 19:14:54 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 24 19:23:52 2005
Subject: [VIM] mysql_install_db permissions (CAN-2005-1636) version correction
In-Reply-To: <200505191641.j4JGf9EI020722@linus.mitre.org>
References: <200505191641.j4JGf9EI020722@linus.mitre.org>

Josh Bressers of Red Hat just informed CVE independently of the incorrect version. More information, including discussion of severity, is at

https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=158688

- Steve

From coley at linus.mitre.org Tue May 24 19:19:42 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 24 19:28:40 2005
Subject: [VIM] PROMS issues - partial clarity in the changelog
References: <200505242304.j4ON47XS021939@linus.mitre.org>

On Tue, 24 May 2005, security curmudgeon wrote:

> Also historically, I dug out two more entries:
>
> 16713 PROMS Unauthorized Action Link Disclosure Aug 28, 2003

This is probably the following from Thu Aug 28 20:11:06 CEST 2003:

* Security: Action links are now only shown if the user is authorized to perform the actions.

> 16712 PROMS Unspecified SESSION ID Privilege Escalation Aug 10, 2003

Sun Aug 10 16:00:17 CEST 2003:

* Fixed serious security bug due to non-usage of $_SESSION[].

... whatever THAT means, I'm not versed in all the subtleties of PHP.

- Steve

From coley at mitre.org Tue May 24 19:39:25 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 24 19:48:23 2005
Subject: [VIM] Iron Bars SHell format string - two, not one
Message-ID: <200505242339.j4ONdP3i026405@linus.mitre.org>

diff analysis on source code for Iron Bars SHell between 0.3c and 0.3d - available from the sourceforge site - shows that in fact there were two format string issues related to syslog misuse, not just one, as reported by the developer. More specifically, logPrintBadfile() in delbadfiles.c and log_attempt() in misc.c.

diff ibsh-0.3[cd]/misc.c
50c50
< syslog(LOG_WARNING, logmsg);
---
> syslog(LOG_WARNING, "%s", logmsg);

diff ibsh-0.3[cd]/delbadfiles.c
236c236
< syslog(LOG_WARNING, msg);
---
> syslog(LOG_WARNING, "%s", msg);

- Steve

From coley at mitre.org Tue May 24 23:55:34 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed May 25 00:04:33 2005
Subject: [VIM] Re: Iron Bars SHell format string - two, not one
Message-ID: <200505250355.j4P3tYMo017850@linus.mitre.org>

*sigh*

What happens when the mistake-finders make their own mistakes?

While there is a fix in log_attempt() in misc.c that's relevant to format strings and syslog, there's only one usage of log_attempt, with a username that's obtained from the password file, so there's no real vulnerable code path.

- Steve

From coley at mitre.org Wed May 25 00:19:19 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed May 25 00:28:20 2005
Subject: [VIM] Re: Diabolic Crab history
Message-ID: <200505250419.j4P4JJYQ018119@linus.mitre.org>

I've noticed a pattern for some researchers who first start out publishing everything under the sun, when it's raw and riddled with mistakes. But some develop into solid researchers, possibly even at the professional level. Whether Diabolic Crab goes this route will take some time to find out.

I distinctly remember the DUportal example, once you mentioned it. Looked like a raw dump of a brute force web app scanner.
A CVE content team member initially gave up and just said "many scripts" in the draft description for the CAN, but I decided to dig deep into it and came up with roughly the same results that you did. The CVE read on DUportal (CAN-2005-1224) is:

Multiple SQL injection vulnerabilities in DUportal Pro 3.4 allow remote attackers to execute arbitrary SQL commands via the (1) nChannel parameter to default.asp, cat.asp, or detail.asp, (2) the iChannel parameter to search.asp, default.asp, result.asp, cat.asp, or detail.asp (3) the iCat parameter to cat.asp or detail.asp, (4) the iData parameter to detail.asp or result.asp, the (5) POL_ID, (6) POL_PARENT, (7) POL_CATEGORY, (8) CHA_NAME, or (9) CHA_ID parameters to inc_vote.asp, or the (10) tfm_order or (11) tfm_orderby parameters to toppages.asp, a different set of vulnerabilities than CAN-2005-1236.

(CAN-2005-1236 was created for a different version).

HTTP Response Splitting is a fairly complicated problem, so his mis-statements in that department are understandable. As Amit Klein pointed out in a reply, there was CRLF injection, so there *was* a possible vector for response splitting, just not the example that DCrab gave.

The tarinasworld example is already noted with a question mark in CVE (CAN-2005-0994), but thanks for the info on storelocator_submit.asp not being in ProductCart (CAN-2005-0995). I've since updated CAN-2005-0995 accordingly.

- Steve

From jericho at attrition.org Wed May 25 01:20:58 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 25 01:21:01 2005
Subject: [VIM] Re: Iron Bars SHell format string - two, not one
In-Reply-To: <200505250355.j4P3tYMo017850@linus.mitre.org>
References: <200505250355.j4P3tYMo017850@linus.mitre.org>

: What happens when the mistake-finders make their own mistakes?
:
: While there is a fix in log_attempt() in misc.c that's relevant to
: format strings and syslog, there's only one usage of log_attempt, with a
: username that's obtained from the password file, so there's no real
: vulnerable code path.

So two format string issues. One is not used anywhere? The other is used in a single place but offers no way for a user to inject their own content, as it comes from the password file?

If so, those are programming bugs but not vulnerabilities it sounds like..

From jericho at attrition.org Wed May 25 01:23:48 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 25 01:23:50 2005
Subject: [VIM] Re: Diabolic Crab history
In-Reply-To: <200505250419.j4P4JJYQ018119@linus.mitre.org>
References: <200505250419.j4P4JJYQ018119@linus.mitre.org>

: The tarinasworld example is already noted with a question mark in CVE
: (CAN-2005-0994), but thanks for the info on storelocator_submit.asp not
: being in ProductCart (CAN-2005-0995). I've since updated CAN-2005-0995
: accordingly.

tarinasworld is due to him auditing a live site and finding a vulnerability on it.. something that he, Lostmon and several others are doing frequently. this is a real bother to me as many of the vulnerabilities may be found in modified/custom versions like we've seen. so the tarinasworld issue he reported is only vulnerable on a single site on the net probable. being site specific, we don't include it. if the vulnerability lies in the journal code distributed with the package, he didn't clearly identify that.
From jericho at attrition.org Wed May 25 01:34:04 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 25 01:34:07 2005
Subject: [VIM] PROMS issues - partial clarity in the changelog
References: <200505242304.j4ON47XS021939@linus.mitre.org>

: > Also historically, I dug out two more entries:
: >
: > 16713 PROMS Unauthorized Action Link Disclosure Aug 28, 2003
:
: This is probably the following from Thu Aug 28 20:11:06 CEST 2003:
:
: * Security: Action links are now only shown if the user is authorized to
: perform the actions.
:
: > 16712 PROMS Unspecified SESSION ID Privilege Escalation Aug 10, 2003
:
: Sun Aug 10 16:00:17 CEST 2003:
:
: * Fixed serious security bug due to non-usage of $_SESSION[].
:
: ... whatever THAT means, I'm not versed in all the subtleties of PHP.

Yep, those were the two changelog entries that prompted the osvdb entries. The second one I have seen in other changelogs, most of which call it a serious security issue (or critical, or major..).

From ph0enix at attrition.org Wed May 25 06:46:44 2005
From: ph0enix at attrition.org (ph0enix)
Date: Wed May 25 06:46:46 2005
Subject: [VIM] Re: Diabolic Crab history
References: <200505250419.j4P4JJYQ018119@linus.mitre.org>

> tarinasworld is due to him auditing a live site and finding a
> vulnerability on it.. something that he, Lostmon and several others are
> doing frequently.

just curious and a question from Germany, is this legal??

From coley at linus.mitre.org Wed May 25 12:07:11 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed May 25 12:16:26 2005
Subject: [VIM] Re: Iron Bars SHell format string - two, not one
References: <200505250355.j4P3tYMo017850@linus.mitre.org>

On Wed, 25 May 2005, security curmudgeon wrote:

> : While there is a fix in log_attempt() in misc.c that's relevant to
> : format strings and syslog, there's only one usage of log_attempt, with a
> : username that's obtained from the password file, so there's no real
> : vulnerable code path.
>
> So two format string issues. One is not used anywhere? The other is used
> in a single place but offers no way for a user to inject their own
> content, as it comes from the password file?

The log_attempt format string has no way for a user to inject content.

The logPrintBadfile format string does appear to do so, however. The shell implements a "jail" and part of the functionality involves cleaning up symlinks that attempt to reference files outside of the jail.

from delbadfiles.c:

  void DelBadFiles (const char *basedir)
  {
  ...
  ...
        } else if ( S_ISLNK(attr.st_mode) ) {    /* in the case of a symlink */
          if ( symlinkGoesOuttaJail(list->d_name) ) {
  #ifdef DEBUG
            printf("symlinkoutofjail: %s\n", list->d_name);
  #endif
            if (unlink(list->d_name) == 0) {
              bzero (tmp, sizeof(tmp));
              snprintf (tmp, sizeof(tmp)-1,
                        "Illegal symbolic link %s was erased. Contact the sysadmin for policy.\n",
                        list->d_name);
              logPrintBadfile (tmp);
            }

So, based on source code inspection, it looks like the attacker could create a symlink that points out of the jail and contains format strings, which would then be processed by logPrintBadfile when the symlink is deleted.

> If so, those are programming bugs but not vulnerabilities it sounds like..

There's the code path above, and a couple others it appears.

- Steve

From coley at linus.mitre.org Wed May 25 12:31:22 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed May 25 12:40:28 2005
Subject: [VIM] Re: Sql Injection in CJ Ultra Plus v1.0.3-1.0.4
References: <20050505230032.16285.qmail@www.securityfocus.com>

On Mon, 9 May 2005, security curmudgeon wrote:

> : #Sql Injection in CJ Ultra Plus v1.0.3-1.0.4(?) #
>
> Can you verify if this is the same "Cjultra" found at
> http://www.cjultra.com/ or something different?

I downloaded CJUltra 2.0.3 and 2.1. Both of them have an out.php file with the following code snippet:

  if ($perm) {
      $perm = addslashes($perm);
      $query = "select * from trade where a1 = '$perm'";
      $result = mysql_query($query);
      if(!$result) error_message(sql_error());

This isn't exactly the code from 1.0.3 as originally announced for the SQL injection, but: (1) it's close enough and (2) the $perm variable is now cleansed, so the problem - if it existed - is now fixed.

- Steve

From jericho at attrition.org Wed May 25 18:35:19 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 25 18:35:22 2005
Subject: [VIM] Re: Diabolic Crab history
References: <200505250419.j4P4JJYQ018119@linus.mitre.org>

: > tarinasworld is due to him auditing a live site and finding a
: > vulnerability on it.. something that he, Lostmon and several others are
: > doing frequently.
:
: just curious and a question from Germany, is this legal??

In the US, no. He is essentially attempting to break into a networked site without permission. If any company that he did this to decided to pursue it, odds are the FBI would not take the case since there is basically no damage done. Despite that, it is against the law.

From jericho at attrition.org Wed May 25 19:09:20 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed May 25 19:09:24 2005
Subject: [VIM] Your advisories

Hi Romty,

Would you please notify moderators@osvdb.org when you release new advisories so that we may include them in our database?
Also, i'd like to suggest that you include the date you found and/or published your findings for vulnerability databases.

Thanks!

Brian
OSVDB.org

From coley at mitre.org Thu May 26 13:06:33 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu May 26 13:15:45 2005
Subject: [VIM] Vendor ACK and version corrections for gxine (CAN-2005-1692)
Message-ID: <200505261706.j4QH6XiG024692@linus.mitre.org>

CVE was just informed by Darren Salt, a gxine developer, that the affected versions in the gxine format string issue (CAN-2005-1692) are 0.4.1 through 0.4.4, and *not* "0.41 through 0.44" as originally disclosed by the researcher.

In addition, the changelog makes it clear that there is vendor acknowledgement:

http://cvs.sourceforge.net/viewcvs.py/xine/gnome-xine/ChangeLog?rev=HEAD&content-type=text/vnd.viewcvs-markup

An item for 0.4.5 says "SECURITY FIX (pst.advisory 2005-21) Remotely-exploitable missing-format-string vulnerability in some message dialogue boxes."

- Steve

======================================================
Candidate: CAN-2005-1692
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1692
Reference: BUGTRAQ:20050521 pst.advisory 2005-21: gxine remote exploitable . opensource is god .lol windows
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111670637812128&w=2
Reference: BID:13707
Reference: URL:http://www.securityfocus.com/bid/13707
Reference: SECUNIA:15451
Reference: URL:http://secunia.com/advisories/15451

Format string vulnerability in gxine 0.4.1 through 0.4.4 allows remote attackers to execute arbitrary code via a ram file with a URL whose hostname contains format string specifiers.
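Both the ibsh syslog() diff and the gxine "missing-format-string" item above are the same defect class: untrusted text handed to a printf-style function as its format instead of as a "%s" argument. The following is an added example written for this archive, not ibsh, gxine or list members' code: a small C source audit that flags syslog() calls whose format argument is not a string literal, plus a counter for the directives such a string would consume. The sample lines are constructed from the diff hunks quoted in the thread; the symlink name is a constructed sample.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Return 1 if the first syslog( call on 'line' has a string-literal format
 * argument, 0 if the format argument is not a literal (the 0.3c pattern),
 * and -1 if the line contains no syslog call.  Handles one call per line
 * with a plain priority argument, which covers the hunks in this thread. */
int syslog_format_is_literal(const char *line)
{
    const char *p = strstr(line, "syslog(");
    if (!p)
        return -1;
    p += strlen("syslog(");
    /* Skip the priority argument; a call with no comma is malformed,
     * so flag it for manual review. */
    const char *comma = strchr(p, ',');
    if (!comma)
        return 0;
    p = comma + 1;
    while (*p && isspace((unsigned char)*p))
        p++;
    return *p == '"' ? 1 : 0;
}

/* Count printf-style directives in 'msg' that would consume arguments if
 * msg were (mis)used as a format string.  "%%" is a literal percent and
 * counts as zero.  A non-zero result on attacker-influenced text, such as
 * the symlink name embedded by delbadfiles.c, is the reachable bug. */
int count_format_directives(const char *msg)
{
    int n = 0;
    for (const char *p = msg; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {
            p++;            /* escaped percent, skip the pair */
            continue;
        }
        n++;
    }
    return n;
}

/* Constructed sample lines mirroring the 0.3c (left) and 0.3d (right)
 * forms from the two diff hunks quoted in the thread. */
static const char *const sample_lines[] = {
    "    syslog(LOG_WARNING, logmsg);",          /* 0.3c misc.c        */
    "    syslog(LOG_WARNING, \"%s\", logmsg);",  /* 0.3d misc.c        */
    "    syslog(LOG_WARNING, msg);",             /* 0.3c delbadfiles.c */
    "    syslog(LOG_WARNING, \"%s\", msg);",     /* 0.3d delbadfiles.c */
    "    printf(\"not a syslog call\\n\");",
};
#define SAMPLE_COUNT (sizeof sample_lines / sizeof sample_lines[0])

/* Number of lines in 'lines' with a non-literal syslog format. */
int count_nonliteral_syslog(const char *const *lines, size_t n)
{
    int bad = 0;
    for (size_t i = 0; i < n; i++)
        if (syslog_format_is_literal(lines[i]) == 0)
            bad++;
    return bad;
}

int main(void)
{
    for (size_t i = 0; i < SAMPLE_COUNT; i++)
        if (syslog_format_is_literal(sample_lines[i]) == 0)
            printf("non-literal syslog format: %s\n", sample_lines[i]);

    /* Constructed symlink name a jail user could choose; delbadfiles.c
     * copies it into the message with snprintf, so it reaches syslog
     * verbatim and, in 0.3c, is interpreted as a format string. */
    const char *linkname = "outside%s%x";
    printf("%d directive(s) in \"%s\"\n",
           count_format_directives(linkname), linkname);
    return count_nonliteral_syslog(sample_lines, SAMPLE_COUNT) ? 1 : 0;
}
```

Compiling the real sources with gcc's -Wformat -Wformat-security reports the same non-literal calls, since glibc declares syslog() with a printf format attribute.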
From jericho at attrition.org Thu May 26 17:34:00 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu May 26 17:34:07 2005
Subject: [VIM] [Change Request] 15931: Smartor Photo Album for phpBB (fwd)

: ---------- Forwarded message ----------
: From: Smartor XP
: To: moderators@osvdb.org
: Cc: dcrab@hackerscenter.com
: Date: Mon, 23 May 2005 01:31:50 +0700
: Subject: [OSVDB Mods] [Change Request] 15931: Smartor Photo Album for phpBB
:
: I am Smartor. Ive just informed about this
: http://www.osvdb.org/displayvuln.php?osvdb_id=15931
:
: I am sure that is false bug report, because my album has not album_search.php
: at all :D
:
: Maybe Diabolic Crab missed my own written album with some (many) others
: modified versions (by other programmers) around the Internet

The vendor figured out what software was really vulnerable. I ended up editing the entry on our site to refer to the mod (search) of a mod (photo album) for phpBB. That promises to get messy as time passes! Imagine when we're tracking these vulnerabilities and a popular module for PHP-Nuke, PostNuke or phpBB gets edited and re-edited several times, each with a very blurry public history as to the ownership of the code.

---------- Forwarded message ----------
From: Smartor XP
To: dcrab@hackerscenter.com, jericho@attrition.org
Date: Mon, 23 May 2005 09:32:31 +0700
Subject: Re: [Change Request] 15931: Smartor Photo Album for phpBB

Hi DCrab,

I never use phpBB Plus. My site is running my own personalized version of phpBB. And all your advisories do not work at my site, of course :)

About album_search.php, it is a mod (by Clown) for my Photo Album. There are so much mods for my photo album by a lot developers, and i (cant) take no responsible of those mods, like phpBB Group does not take responsible of mods too.

You should inform yourself before posting.
Your advisories are not clearly correct ;)

Smartor

From jericho at attrition.org Thu May 26 20:55:01 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu May 26 20:55:08 2005
Subject: [VIM] Exim - 2003, possible dupes?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0698

Buffer overflow in Exim before 4.21 allows remote attackers to cause a denial of service via an SMTP EHLO/HELO command with a large number of spaces followed by a NULL character and CRLF, which is not properly trimmed before the "(no argument given)" string is appended to the buffer.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0743

Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline.

1. dates are very close
2. SMTP
3. HELO/EHLO commands
4. "large number of spaces followed by a NULL char and a newline"

Based on those four points, this seems like a possible duplicate issue. Thoughts?

From sullo at cirt.net Thu May 26 21:35:55 2005
From: sullo at cirt.net (Sullo)
Date: Thu May 26 21:45:09 2005
Subject: [VIM] InfoTouch Surfnet vulnerabilities
Message-ID: <4296797B.5010606@cirt.net>

I am a volunteer with the OSVDB.org project doing research on the Surfnet vulnerabilities you are credited with discovering in January, 2004 (listed below). I have not been able to find a copy of your original advisory or email. Do you still have a copy of it, or know where it can be found on the web? I would like to document more details than what are currently available.
Surfnet CMD_CREDITCARD_CHARGE Denial Of Service Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1781
http://www.securityfocus.com/bid/9348

Surfnet Unauthorized Account Depositing Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1780
http://www.securityfocus.com/bid/9347

Surfnet Kiosk Filesystem Access Vulnerability
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-1795
http://www.securityfocus.com/bid/9346

Thanks

Sullo
--
http://www.cirt.net/ | http://www.osvdb.org/

From jericho at attrition.org Sat May 28 05:43:44 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat May 28 05:43:52 2005
Subject: [VIM] Vendor ACK and version corrections for gxine (CAN-2005-1692)
In-Reply-To: <200505261706.j4QH6XiG024692@linus.mitre.org>
References: <200505261706.j4QH6XiG024692@linus.mitre.org>

: In addition, the changelog makes it clear that there is vendor
: acknowledgement:
:
: http://cvs.sourceforge.net/viewcvs.py/xine/gnome-xine/ChangeLog?rev=HEAD&content-type=text/vnd.viewcvs-markup
:
: An item for 0.4.5 says "SECURITY FIX (pst.advisory 2005-21)
: Remotely-exploitable missing-format-string vulnerability in some message
: dialogue boxes."

Also of interest:

0.4.0-rc1:
+ [SECURITY] fix a buffer overflow in the HTTP fetch code

0.4.0 was released 2004-12-11

From coley at linus.mitre.org Sat May 28 15:14:08 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat May 28 15:23:40 2005
Subject: [VIM] Exim - 2003, possible dupes?

On Thu, 26 May 2005, security curmudgeon wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0698
>
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2003-0743
>
> 1. dates are very close
> 2. SMTP
> 3. HELO/EHLO commands
> 4. "large number of spaces followed by a NULL char and a newline"
>
> Based on those four points, this seems like a possible duplicate issue.
> Thoughts?

Yes, they're dupes.
The conclusive kicker for me is the announcement:

20030814 [Exim] Minor security bug
http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html

which credits Nick Cleaton, whose post to Bugtraq appears soon afterward and has all the details you mentioned.

I'm not sure why this duplicate occurred, as it should have been caught. It looks like there were two separate candidate reservations.

Since CAN-2003-0743 appears to be in more widespread use, that will be preserved, and CAN-2003-0698 will be rejected. See below.

- Steve

======================================================
Candidate: CAN-2003-0698
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0698

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CAN-2003-0743. Reason: This candidate is a duplicate of CAN-2003-0743. Notes: All CVE users should reference CAN-2003-0743 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

======================================================
Candidate: CAN-2003-0743
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0743
Reference: BUGTRAQ:20030901 exim remote heap overflow, probably not exploitable
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=106252015820395&w=2
Reference: VULN-DEV:20030903 Re: exim remote heap overflow, probably not exploitable
Reference: URL:http://marc.theaimsgroup.com/?l=vuln-dev&m=106264740820334&w=2
Reference: MLIST:[Exim] 20030814 Minor security bug
Reference: URL:http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057720.html
Reference: MLIST:[Exim] 20030815 Minor security bug
Reference: URL:http://www.exim.org/pipermail/exim-users/Week-of-Mon-20030811/057809.html
Reference: CONFIRM:http://packages.debian.org/changelogs/pool/main/e/exim/exim_3.36-13/changelog
Reference: CONFIRM:http://packages.debian.org/changelogs/pool/main/e/exim4/exim4_4.34-10/changelog
Reference: CONFIRM:http://www.exim.org/pipermail/exim-announce/2003q3/000094.html
Reference: DEBIAN:DSA-376
Reference: URL:http://www.debian.org/security/2003/dsa-376
Reference: CONECTIVA:CLA-2003:735
Reference: URL:http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000735

Heap-based buffer overflow in smtp_in.c for Exim 3 (exim3) before 3.36 and Exim 4 (exim4) before 4.21 may allow remote attackers to execute arbitrary code via an invalid (1) HELO or (2) EHLO argument with a large number of spaces followed by a NULL character and a newline, which is not properly trimmed before the "(no argument given)" string is appended to the buffer.

From jericho at attrition.org Sun May 29 16:29:56 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 29 16:30:03 2005
Subject: [VIM] Re: [Change Request] 15738 WebApp E-Cart index.cgi art Parameter Arbitrary Command Execution
In-Reply-To: <200505291510.16105@i860>
References: <200505291510.16105@i860>

Hi Brad,

: The link: http://www.osvdb.org/displayvuln.php?osvdb_id=15738 falsely
: states that the Nasrani Software Foundation is the vendor of the
: software mentioned with a vulnerability. This is inaccurate and we
: would appreciate that the information on your Site be updated accurately
: as soon as possible. The software is connected with http://web-app.org/
: instead of the Nasrani Software Foundation. The Nasrani Software
: Foundation is the vendor of a PHP program called WebApp PHP, but not the
: Perl version associated with the vulnerable software mentioned in your
: security notice.

The original disclosure point on this issue was:

http://archives.neohapsis.com/archives/bugtraq/2005-04/0388.html

The vulnerability researcher says the vendor is located at:

http://www.yazaport.com/kadfors/kwamd/mods/ecart/index.cgi

When visiting the vendor link, I am redirected to:

http://www.nasranisoft.org/en/

The researcher says the vulnerability is in "E-Cart 2004 v1.1".
Web-app.org doesn't appear to have a product called that, and their product is at version 0.9.9.2.1. The Nasrani page shows WebApp PHP Version 1.0 as the current version.

So that leaves me wondering, who exactly created E-Cart 2004 v1.1 if not Web-APP or Nasrani =)

I am removing Nasrani from OSVDB 15738 for now while I try to research who the vendor is.

Thanks for bringing this to our attention!

Brian
OSVDB.org

From jericho at attrition.org Sun May 29 18:35:46 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun May 29 18:36:09 2005
Subject: [VIM] Re: [Change Request] 15738 WebApp E-Cart index.cgi art Parameter Arbitrary Command Execution
In-Reply-To: <200505291534.07390@i860>
References: <200505291510.16105@i860> <200505291534.07390@i860>

: Thank you for getting back with me so quickly. I wasn't really
: expecting a human touch to that. LOL.

Accuracy is a big thing for us =)

: The E-Cart was written by Henrik Kadfors (Sweden?) specifically as a
: module for WebApp (the Perl version). It will not work with WebApp PHP
: since it is written in CGI instead. Mr. Kadfor's site located at
: www.yazaport.com/kadfors is an independent module support related site

Ahh. Hitting that page doesn't redirect. Diving down the directory structure a bit, I find:

http://www.yazaport.com/kadfors/pixysoft/downloads/

and Ecart2.zip which I assume is the software.

: and he has banners to the Nasrani Software Foundation on that site, but
: it is not owned by Nasrani.

Well this makes it easy. I can update the vendor from 'unknown' to Henrik Kadfors now.

: Again, thank you very much for your prompt reply.

No problem, thanks for helping me dig up the vendor!

Brian
OSVDB.org

From coley at linus.mitre.org Tue May 31 19:01:33 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue May 31 19:11:01 2005
Subject: [VIM] Question on BookReview vulns (fwd)

FYI... lostmon says he's a data mangler for OSVDB... any inside scoop from the OSVDB people?
- Steve

---------- Forwarded message ----------
Date: Tue, 31 May 2005 18:59:51 -0400 (EDT)
From: Steven M. Christey
To: lostmon@gmail.com
Subject: Question on BookReview vulns

Hello Lostmon,

I am the editor of the CVE List. I have a question on your BookReview vulnerability report.

You say that the vendor URL is http://www.readersunite.com, but that is just an online book store for Christian books. However, I cannot find information on the "BookReview" software on that site.

Google search suggests that there is a product called "BookReview" by somebody named W.M.R. Simpson, apparently a Christian software developer. His URL is at http://www.justwilliams.com/. However, I can't find any information on "BookReview" on that site, either.

Can "BookReview" be downloaded and used by other people? If so, do you know where that information is?

I am asking because it seems like "BookReview" is custom software for live web site, but it is not generally available to the public, and CVE only covers vulnerabilities in publicly available software.

Thank you,
Steve Christey
CVE Editor

From coley at mitre.org Tue May 31 19:17:43 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue May 31 19:27:11 2005
Subject: [VIM] Name clarification, vendor ack for Funky ASP AD System
Message-ID: <200505312317.j4VNHhNW026574@linus.mitre.org>

The SQL injection vulnerability as reported for "Funky ASP System 1.1" has apparently been fixed. The product URL here:

http://www.funkyasp.co.uk/product.asp?prod=1&currency=USD

is for 1.1 and includes the statement "Note: SQL injection vunerability fixed (27/05/05)"

Also note that the proper spelling and usage for the name is "FunkyASP AD System," as confirmed by the above page.

- Steve

From coley at linus.mitre.org Tue May 31 23:54:39 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Jun 1 00:04:12 2005
Subject: [VIM] Question on OS4E vulnerability (fwd)

OS4E appears to be a vendor, not a product.
Clarification requested from the researcher...

- Steve

---------- Forwarded message ----------
Date: Tue, 31 May 2005 23:53:55 -0400 (EDT)
From: Steven M. Christey
To: udnst@yahoo.com
Subject: Question on OS4E vulnerability

Hello,

I am the editor of the CVE List. Your recent vulnerability report on SQL injection in OS4E did not give a specific product name. OS4E is the name of the vendor. Their web site shows three products:

- 30-Minute Websites for Teachers
- Pupil Pages
- Sites-4-Schools

which product has the SQL injection vulnerability? Or is there a different product that has the problem?

Thank you,
Steve