From jericho at attrition.org Sun Dec 2 04:38:05 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 2 Dec 2007 04:38:05 +0000 (UTC)
Subject: [VIM] SquirrelMail GPG Plugin Vulnerabilities
In-Reply-To: <4692E4F1.7000207@tenablesecurity.com>
References: <4692E4F1.7000207@tenablesecurity.com>
Message-ID:

: I'm trying to make sense of the spate of recent vulnerabilities
: associated with the GPG Plugin for SquirrelMail.
:
: [concise summary of mail list traffic]
:
: So, how are you VDB folks sorting all this out? I've noticed so far that
: Bugtraq 24782 maps to WabiSabiLabi's advisory (although oddly it claims
: the issue has now been resolved with version 2.1 of the plugin) and
: 24828 to Esser's posting.
:
: Am I getting all this straight?

Looks like it. I just now caught up on mail and read through these and
decided I don't have time to sort them vs changelogs.

It's discouraging to see so many researchers, many reliable when they do
formal vulnerability disclosure, dispense information with no real
details or clarification.


From theall at tenablesecurity.com Mon Dec 3 02:03:46 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Sun, 02 Dec 2007 21:03:46 -0500
Subject: [VIM] CVE-2007-4158 == CVE-2007-5553?
Message-ID: <47536402.1020901@tenablesecurity.com>

Steve or anyone... what is the difference between CVE-2007-4158 and
CVE-2007-5553? Both involve an unspecified denial of service issue in
the rvd daemon in TIBCO Rendezvous discovered by IRM, but reading their
"Security Testing Enterprise Messaging Systems" whitepaper I only find
one new and unspecified issue. [There is a new degradation of service
issue, but that's covered by CVE-2007-4161.] Also, I only see one 0-day
listed for the app under , and that points to their Advisory 025.

George
--
theall at tenablesecurity.com


From theall at tenablesecurity.com Mon Dec 3 14:59:11 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 03 Dec 2007 09:59:11 -0500
Subject: [VIM] tellmatic 1.0.7 Multiple Remote File Inclusion Vulnerabilities
Message-ID: <475419BF.9060309@tenablesecurity.com>

FWIW, the issues covered by Milw0rm 4684 are valid, but when you install
tellmatic, a .htaccess file is created in include/; eg:

    AuthType Basic
    AuthName "Tellmatic"
    AuthUserFile /var/www/htdocs/tellmatic/include/.htpasswd
    require valid-user

So exploitation not only requires register_globals to be enabled, but
also probably won't be successful when installed on Apache.

George
--
theall at tenablesecurity.com


From coley at linus.mitre.org Mon Dec 3 23:47:08 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 3 Dec 2007 18:47:08 -0500 (EST)
Subject: [VIM] CVE-2007-4158 == CVE-2007-5553?
In-Reply-To: <47536402.1020901@tenablesecurity.com>
References: <47536402.1020901@tenablesecurity.com>
Message-ID:

Ouch, that's a tough one. I'm not sure.

These vague pre-advisories are tough for us to handle in CVE. Advisory
25 probably wasn't available at the time CVE-2007-5553 was created on
Oct 18, but neither did we quote the specific descriptions.

Here's our original notes for CVE-2007-5553:

ABSTRACTION: This seems to have a different impact than CVE-2007-4161
and CVE-2007-4158. Also, for CVE-2007-4161, the researcher had already
made a public announcement of details, so it's unclear why (if the issue
were the same) the details would be omitted within the 111-Vendor-Alerts
document. Admittedly, however, the likely discovery timeframe (July
2007) looks similar.

This does seem to line up with the "Memory Leak vulnerability in TIBCO
Rendezvous RVD daemon" listed on the 111-Vendor-Alerts page though, so
I'm going to call it a dupe. CVE-2007-4158 will be preserved.

- Steve

On Sun, 2 Dec 2007, George A. Theall wrote:

> Steve or anyone... what is the difference between CVE-2007-4158 and
> CVE-2007-5553? Both involve an unspecified denial of service issue in
> the rvd daemon in TIBCO Rendezvous discovered by IRM, but reading their
> "Security Testing Enterprise Messaging Systems" whitepaper I only find
> one new and unspecified issue. [There is a new degradation of service
> issue, but that's covered by CVE-2007-4161.] Also, I only see one 0-day
> listed for the app under
> , and that points to
> their Advisory 025.
>
> George
> --
> theall at tenablesecurity.com
>


From theall at tenablesecurity.com Tue Dec 4 00:38:08 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 03 Dec 2007 19:38:08 -0500
Subject: [VIM] CVE-2007-4158 == CVE-2007-5553?
In-Reply-To:
References: <47536402.1020901@tenablesecurity.com>
Message-ID: <4754A170.1020105@tenablesecurity.com>

On 12/03/07 18:47, Steven M. Christey wrote:

> These vague pre-advisories are tough for us to handle in CVE.

I understand. Probably about as much fun as those originating from
WabiSabiLabi. :-(

> CVE-2007-4158 will be preserved.

Ok, I've updated our Nessus plugin to use this.

George
--
theall at tenablesecurity.com


From jericho at attrition.org Wed Dec 5 12:00:13 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 5 Dec 2007 12:00:13 +0000 (UTC)
Subject: [VIM] FW: You've successfully subscribed to the XSSed.com Early Warning ML (fwd)
Message-ID:

This should be interesting. They are running a mail list, where you
subscribe to receive warnings of web-site specific XSS flaws. Unless you
are a .gov or CERT, you can only sign up to one domain (wildcard
supported, but not tested fully). I signed up to *.$company.com for
kicks.

Since many of us have discussed site-specific flaws in the past, this is
an interesting next step.

-----Original Message-----
From: xssed [mailto:mailing at xssed.com]
Sent: Wednesday, December 05, 2007 2:16 AM
To: Martin, Brian
Subject: You've successfully subscribed to the XSSed.com Early Warning ML

Dear Brian Martin,

You or someone else (with IP address x) subscribed your email address to
the XSSed.com Early Warning Mailing List.

You will now receive alerts for the domain $company and its subdomains.

If you want to unsubscribe, please follow this link:
http://www.xssed.com/unsubscribe/[..]

Regards,
The XSSed.com Staff


From jericho at attrition.org Thu Dec 6 21:46:22 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 6 Dec 2007 21:46:22 +0000 (UTC)
Subject: [VIM] [Full-disclosure] [SECUNIA] Vendors still use the "legal" weapon (fwd)
Message-ID:

---------- Forwarded message ----------
From: Thomas Kristensen
To: full-disclosure at lists.grok.org.uk
Date: Thu, 06 Dec 2007 13:43:51 +0100
Subject: [Full-disclosure] [SECUNIA] Vendors still use the "legal" weapon

In these days, one would have believed that vendors have learned the
lesson not to threaten with legal actions to withhold and suppress
significant information about vulnerabilities in their products.

Well, nonetheless, Secunia just received a sequel of letters from
Autonomy, likely not known to many, but it is the software company that
supplies the "Swiss Army Knife" in handling and opening documents in
well-known software like IBM Lotus Notes and Symantec Mail Security.

*First a little background information*

The communication between Autonomy and their OEM customers regarding
which versions of their KeyView software fix given vulnerabilities has
failed again and again. This has been a mess to sort out and Secunia has
had to spend hours verifying what e.g. was fixed by IBM and what was
fixed by Symantec - because apparently the versioning of the KeyView
software is different whether used by Symantec, IBM, or others.

We've managed to figure this out and occasionally this has caused one of
Autonomy's OEM customers to have unpatched publicly known
vulnerabilities in their products. All thanks to Autonomy's apparent
inability to co-ordinate the release of new vulnerability fixes with
their customers.

Now, Autonomy has become fed up with handling all these vulnerabilities
and believes that it is time to control what Secunia writes about.
Autonomy wants Secunia to withhold information about the fact that
vulnerability SA27835 in Keyview Lotus 1-2-3 File Viewer, which has been
fixed by IBM, obviously also affects Autonomy's own versions 9.2 and
10.3 of KeyView.

According to Autonomy, publishing an advisory would be misleading and
cause confusion because the issues already have been fixed; in fact,
they believe that this would cause the public to believe that there are
more issues in their product than is the case! Now that is an
interesting logic.

Sorry Autonomy, writing an advisory that states which vulnerabilities
have been fixed and in which versions is in no way misleading or
confusing - even for "historical" issues.

What is really interesting here is the fact that the Vulnerability
Database services offered by Autonomy's own customers IBM and Symantec
(ISS X-Force and Securityfocus respectively) still (at the time of
publishing) don't show information about the fact that patches are
available for the Lotus 1-2-3 issue - while Secunia, who Autonomy
accuses of publishing misleading information, correctly reflects the
fact that Autonomy offers patches. However, this doesn't seem to be a
concern for Autonomy or perhaps their legal department also treats their
own customers in the same way as Secunia is treated?

What is misleading and confusing in this whole case is the apparent lack
of co-ordination between Autonomy and Autonomy's OEM customers, the lack
of clear, precise public statements about vulnerabilities and security
fixes.

If Autonomy wants to avoid "misleading" and "confusing" communication,
then Autonomy ought to start publishing bulletins such as those made by
most other serious and established software vendors (e.g. Microsoft and
their own customers IBM and Symantec) with clear information about the
type of vulnerability, potential attack vectors, potential impacts,
affected versions, and unaffected versions - it's really that simple.

Naturally, Autonomy should also communicate to their own customers (IBM
and Symantec) that patches addressing vulnerabilities are available so
that both their products and their Vulnerability Database services are
updated.

*Our response to these claims and accusations*

Despite Autonomy's unsubstantiated legal threats, Secunia will quite
legally continue to do vulnerability research in Autonomy products and
any other products of interest.

Naturally, Secunia will also continue to publish research articles and
advisories in an unbiased, balanced, accurate, and truthful manner as we
serve one purpose only: To provide accurate and reliable Vulnerability
Intelligence to our customers and the Internet in general.

Secunia is in continuous, ongoing, and positive dialogues with most
vendors including large professional organisations like Microsoft, IBM,
Adobe, Symantec, Novell, Apple, and CA. All understand and respect the
need for informing the public about vulnerabilities and prefer to
co-ordinate and synchronise the publication with important Vulnerability
Intelligence sources such as Secunia rather than battling to keep things
secret.

It is truly sad to see that certain vendors like Autonomy still behave
like many software vendors did back in the previous millennium.

Kindest regards,

Thomas Kristensen
CTO, Secunia

Copies of all correspondence in this "matter" are available below in
chronological order, enjoy:

http://secunia.com/gfx/Email%20from%20Secunia%2020071128.pdf
http://secunia.com/gfx/Letter%20from%20Autonomy%2020071202.pdf
http://secunia.com/gfx/Email%20from%20Secunia%2020071203.pdf
http://secunia.com/gfx/Letter%20from%20Autonomy%2020071203.pdf
http://secunia.com/gfx/Email%20from%20Secunia%2020071204.pdf
http://secunia.com/gfx/Letter%20from%20Autonomy%2020071205.pdf

The above is also available in our blog:
http://secunia.com/blog/15/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


From jericho at attrition.org Thu Dec 6 23:38:18 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 6 Dec 2007 23:38:18 +0000 (UTC)
Subject: [VIM] RedLevel RedAlert silliness
In-Reply-To:
References:
Message-ID:

On Fri, 27 Jul 2007, security curmudgeon wrote:

: http://redlevel.org/redalert.php
:
: The red bar on the left indicates the amount of current vulnerabilities
: discovered throughout the world.
:
: The current "Active" number is 76. How do they get this? From the
: footer:

As of this mail, the number is 72. Still odd..


From theall at tenablesecurity.com Wed Dec 12 21:46:37 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 12 Dec 2007 16:46:37 -0500
Subject: [VIM] Sun JDK Confusion Revisited
Message-ID: <476056BD.1000103@tenablesecurity.com>

I posted last July about Bugtraq 24267 / CVE-2007-3004 (and
CVE-2007-3005) duplicating Bugtraq 24004 / CVE-2007-2788 and
CVE-2007-2789. Sun apparently confirm this:

http://www.attrition.org/pipermail/vim/2007-July/001708.html

SecurityFocus retired Bugtraq 24267, but the CVE references still are
valid. Did the clean-up get lost in the shuffle or was there some new
info that Sun sent and I just missed?

P.S. When's OSVDB^2 going to be ready? What changes can we expect, Jericho?

George
--
theall at tenablesecurity.com


From jkouns at opensecurityfoundation.org Sat Dec 15 04:09:43 2007
From: jkouns at opensecurityfoundation.org (jkouns)
Date: Fri, 14 Dec 2007 23:09:43 -0500
Subject: [VIM] Sun JDK Confusion Revisited
In-Reply-To: <476056BD.1000103@tenablesecurity.com>
References: <476056BD.1000103@tenablesecurity.com>
Message-ID: <47635387.3090407@opensecurityfoundation.org>

OSVDB 2.0 should be live in a couple hours if everything goes well!

The new system is actually a complete rewrite....

- Faster interface for mangling and updating vulnerabilities
- Fully integrated portal that allows wiki style updates & editing for
  each field
- Watch list functionality for custom alerting
- Improved vendor dictionary, including new search functionality
- Revamped classification system

Some things to consider if you are currently integrating with OSVDB:

- The current XML dump will be available for several months
- You will need to create an OSVDB account to download the database
- The new database exports will include all vulnerabilities, not just
  "stable"
- XML schema changes are coming

George A. Theall wrote:

> I posted last July about Bugtraq 24267 / CVE-2007-3004 (and
> CVE-2007-3005) duplicating Bugtraq 24004 / CVE-2007-2788 and
> CVE-2007-2789. Sun apparently confirm this:
>
> http://www.attrition.org/pipermail/vim/2007-July/001708.html
>
> SecurityFocus retired Bugtraq 24267, but the CVE references still are
> valid. Did the clean-up get lost in the shuffle or was there some new
> info that Sun sent and I just missed?
>
> P.S. When's OSVDB^2 going to be ready? What changes can we expect, Jericho?
>
> George


From coley at linus.mitre.org Tue Dec 18 00:33:25 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 17 Dec 2007 19:33:25 -0500 (EST)
Subject: [VIM] Sun JDK Confusion Revisited
In-Reply-To: <476056BD.1000103@tenablesecurity.com>
References: <476056BD.1000103@tenablesecurity.com>
Message-ID:

On Wed, 12 Dec 2007, George A. Theall wrote:

> I posted last July about Bugtraq 24267 / CVE-2007-3004 (and
> CVE-2007-3005) duplicating Bugtraq 24004 / CVE-2007-2788 and
> CVE-2007-2789. Sun apparently confirm this:
>
> http://www.attrition.org/pipermail/vim/2007-July/001708.html
>
> SecurityFocus retired Bugtraq 24267, but the CVE references still are
> valid. Did the clean-up get lost in the shuffle or was there some new
> info that Sun sent and I just missed?

No, the clean-up got lost in the shuffle. Sun Alert 102934 now uses the
older CVEs; CVE-2007-3004 and CVE-2007-3005 are being REJECTED. Note
that a lot of references are affected.

Sorry about the non-answer back in July :-(

- Steve


From smoore at securityglobal.net Tue Dec 18 00:34:45 2007
From: smoore at securityglobal.net (Stuart Moore)
Date: Mon, 17 Dec 2007 19:34:45 -0500
Subject: [VIM] two CVEs for one Cisco 7940 Phone DoS issue
Message-ID: <476715A5.2090806@securityglobal.net>

Hi,

One of CVE's updates for today (2007/12/14 20:00) says that
CVE-2007-6370 was assigned and associated with this report by Radu
State:

http://lists.grok.org.uk/pipermail/full-disclosure/2007-December/058837.html

The followup message from Clay Seaman-Kossmey at Cisco
(http://seclists.org/fulldisclosure/2007/Dec/0196.html) says that
CVE-2007-5583 has been assigned.

BID 26711 and SECTRACK 1019059 used the Cisco-provided CVE number.

Thanks in advance for clarification,

Stuart


From coley at mitre.org Thu Dec 20 00:52:58 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 19 Dec 2007 19:52:58 -0500 (EST)
Subject: [VIM] ClamAV MEW/PE dupes - CVE-2007-5759 / CVE-2007-6335
Message-ID: <200712200052.lBK0qw2r029858@faron.mitre.org>

FYI, iDefense used CVE-2007-5759 but ClamAV later acquired
CVE-2007-6335 independently. The VDBs are using 5759, but Debian
inherited 6335, so I'm going with 6335 instead... sorry.

- Steve

======================================================
Name: CVE-2007-5759
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5759

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs:
CVE-2007-6335. Reason: This candidate is a duplicate of CVE-2007-6335.
Notes: All CVE users should reference CVE-2007-6335 instead of this
candidate. All references and descriptions in this candidate have been
removed to prevent accidental usage.

======================================================
Name: CVE-2007-6335
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6335
Reference: IDEFENSE:20071218 ClamAV libclamav MEW PE File Integer Overflow Vulnerability
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=634
Reference: DEBIAN:DSA-1435
Reference: URL:http://www.debian.org/security/2007/dsa-1435
Reference: SECUNIA:28117
Reference: URL:http://secunia.com/advisories/28117

Integer overflow in libclamav in ClamAV before 0.92 allows remote
attackers to execute arbitrary code via a crafted MEW packed PE file,
which triggers a heap-based buffer overflow.
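As an added example (not part of the list traffic and not CVE's or any VDB's own tooling), a small Python parser for the CVE text records quoted above that follows a REJECTed candidate's ConsultIDs to the id a VDB should cite; the sample records are constructed from the two entries in the message, with URLs and Notes trimmed.

```python
import re

# Constructed sample in the CVE text-record format quoted in the message:
# one REJECTed candidate pointing at its ConsultIDs replacement, one live record.
SAMPLE_RECORDS = """\
======================================================
Name: CVE-2007-5759
Status: Candidate
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-6335.
Reason: This candidate is a duplicate of CVE-2007-6335.
======================================================
Name: CVE-2007-6335
Status: Candidate
Reference: IDEFENSE:20071218 ClamAV libclamav MEW PE File Integer Overflow Vulnerability
Reference: DEBIAN:DSA-1435
Integer overflow in libclamav in ClamAV before 0.92 allows remote attackers
to execute arbitrary code via a crafted MEW packed PE file.
"""
CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")

def parse_records(text):
    """Split the '=====' delimited dump into one dict per candidate."""
    records = {}
    for chunk in re.split(r"^=+\s*$", text, flags=re.MULTILINE):
        name = re.search(r"^Name:\s*(CVE-\d{4}-\d{4,})", chunk, re.MULTILINE)
        if not name:
            continue  # empty text before the first delimiter
        consult = re.search(r"ConsultIDs:([^\n]*)", chunk)
        records[name.group(1)] = {
            "rejected": "** REJECT **" in chunk,
            "consult_ids": CVE_RE.findall(consult.group(1)) if consult else [],
            "references": re.findall(r"^Reference:\s*(.+)$", chunk, re.MULTILINE),
        }
    return records

def canonical_id(cve, records, _seen=None):
    """Follow REJECT -> ConsultIDs chains to the id a VDB should cite.
    Ids absent from the dump, or rejects naming several ConsultIDs
    (a split rather than a dupe), are returned unchanged for human review."""
    if _seen is None:
        _seen = set()
    rec = records.get(cve)
    if rec is None or not rec["rejected"] or cve in _seen:
        return cve
    _seen.add(cve)
    if len(rec["consult_ids"]) != 1:
        return cve
    return canonical_id(rec["consult_ids"][0], records, _seen)

def remap(ids, records):
    """Canonicalise every id an entry cites and collapse the resulting dupes."""
    return sorted({canonical_id(i, records) for i in ids})

if __name__ == "__main__":
    print(remap(["CVE-2007-5759", "CVE-2007-6335"], parse_records(SAMPLE_RECORDS)))
```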