From coley at mitre.org Wed Nov 14 20:47:07 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 14 Nov 2007 15:47:07 -0500 (EST)
Subject: [VIM] dispute: Django CSRF (CVE-2007-5828)
Message-ID: <200711142047.lAEKl7Lm028884@faron.mitre.org>

Debian disputes this because they view it as an insecure configuration;
product documentation covers a CSRF protection module that's available as
part of the Django distribution. For CVE, we still include it because it's
related to a default configuration, even if the "blame" is squarely on the
administrator.

- Steve

======================================================
Name: CVE-2007-5828
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5828
Reference: BUGTRAQ:20071029 Django 0.96 (stable) Admin Panel CSRF
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/482983/100/0/threaded

** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the admin
panel in Django 0.96 allows remote attackers to change passwords of
arbitrary users via a request to admin/auth/user/1/password/. NOTE: this
issue has been disputed by Debian, since product documentation includes a
recommendation for a CSRF protection module that is included with the
product. However, CVE considers this an issue because the default
configuration does not use this module.


From theall at tenablesecurity.com Fri Nov 16 19:27:37 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 16 Nov 2007 14:27:37 -0500
Subject: [VIM] CVE-2007-5944 vs CVE-2006-3918
Message-ID: <473DEF29.1000500@tenablesecurity.com>

Is the XSS issue covered by CVE-2007-5944 any different from that in
CVE-2006-3918? Both arise from a failure to filter user-supplied input
passed via an Expect header.

George
-- 
theall at tenablesecurity.com


From noamr at beyondsecurity.com Mon Nov 19 15:22:11 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Mon, 19 Nov 2007 17:22:11 +0200
Subject: [VIM] Mocana Security Contact
Message-ID: <200711191722.11624.noamr@beyondsecurity.com>

Hi,

Does anyone have a security contact for Mocana? (http://www.mocana.com/)

-- 
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com


From coley at linus.mitre.org Wed Nov 21 00:34:58 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 20 Nov 2007 19:34:58 -0500 (EST)
Subject: [VIM] CVE-2007-5944 vs CVE-2006-3918
In-Reply-To: <473DEF29.1000500@tenablesecurity.com>
References: <473DEF29.1000500@tenablesecurity.com>
Message-ID:

> Is the XSS issue covered by CVE-2007-5944 any different from that in
> CVE-2006-3918? Both arise from a failure to filter user-supplied input
> passed via an Expect header.

CVE-wise, we'll do separate identifiers for separate
codebases/implementations.

These do look pretty similar. So, the only question is whether WebSphere
Web Application server is built on top of Apache or not - my sense is that
it isn't (except maybe a community edition), although

http://publib.boulder.ibm.com/infocenter/wasinfo/v5r1//index.jsp?topic=/com.ibm.websphere.base.doc/info/aes/ae/tins_installIHS2.html

suggests strong support for Apache as a plugin (via IBM HTTP Server, which
is "powered by apache").

Current CVE analysis is:

ABSTRACTION: CVE-2006-3918 is for Apache. This is based on IBM documents
that mention WebSphere Application Server (WAS). WAS can install an IBM
HTTP Server plug-in, which is based on Apache, but it can also install
separate products. It is not clear whether WAS implements its own
functionality that has the Expect header issue, or whether it's
"inheriting" it from the web servers that it uses.

I've made a note of the possible dupe.

- Steve


From theall at tenablesecurity.com Wed Nov 21 02:54:55 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 20 Nov 2007 21:54:55 -0500
Subject: [VIM] CVE-2007-5944 vs CVE-2006-3918
In-Reply-To:
References: <473DEF29.1000500@tenablesecurity.com>
Message-ID: <47439DFF.1090200@tenablesecurity.com>

On 11/20/07 19:34, Steven M. Christey wrote:

> These do look pretty similar. So, the only question is whether WebSphere
> Web Application server is built on top of Apache or not - my sense is that
> it isn't (except maybe a community edition),

I have a copy of WebSphere Application Server v5.1 installed on Windows.
It opens up several web servers by default, none of which use Apache.
Server response headers are:

Server: WebSphere Application Server/5.1

and all correspond to processes running java.

So, since it's not Apache, I take it you'll keep the CVEs separate?

George
-- 
theall at tenablesecurity.com


From jericho at attrition.org Fri Nov 23 23:47:09 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 23 Nov 2007 23:47:09 +0000 (UTC)
Subject: [VIM] Global I.S. S.A. phpYellowpage Version 6.08 (fwd)
Message-ID:

I believe this refers to OSVDB 21428/21429. Interesting vendor response to
a vulnerability.

---------- Forwarded message ----------
From:
To: moderators at osvdb.org
Date: Fri, 8 Jun 2007 03:21:42 -0500
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] Global I.S. S.A. phpYellowpage Version 6.08

We are running 2 copies of Global I.S. S.A. phpYellowpage Version 6.08 on
two sites. This product has a vulnerability flaw with SQL injection. We
contacted the vendor and were told to pay $65.00 for their product to be
updated with a captcha code. We provided them with an FTP address to access
the sites but we continue to wait for a solution for this annoying problem
to be resolved. As we wait, we continue to clean our database on a daily
basis.

Thanks,
Charles
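The Django dispute at the top of this archive turns on whether the CSRF protection module is enabled; the following Python is an added illustration (not Django's code, not from any list member) of the check such a module performs on a state-changing POST like the admin password change named in the CVE entry. The request dicts, the SECRET_KEY placeholder and the hypothetical handler names are constructed for the example; `csrfmiddlewaretoken` is assumed as the form field name.

```python
import hashlib
import hmac

# Added illustration of the check a CSRF protection module performs; it is not
# Django's code. Requests are plain dicts standing in for HTTP POSTs to the
# path named in the CVE entry. SECRET_KEY is a constructed placeholder.
SECRET_KEY = b"constructed-placeholder-secret"
PASSWORD_PATH = "admin/auth/user/1/password/"


def csrf_token_for_session(session_id: str) -> str:
    """Token bound to the session: the server recomputes it from the session id,
    while a page on another origin can neither read the cookie nor derive it."""
    return hmac.new(SECRET_KEY, session_id.encode(), hashlib.sha256).hexdigest()


def build_request(session_id: str, form: dict) -> dict:
    """Constructed request. The browser attaches the session cookie regardless
    of which origin submitted the form, which is what makes CSRF possible."""
    return {"method": "POST", "path": PASSWORD_PATH,
            "cookies": {"sessionid": session_id}, "form": form}


def change_password_without_csrf_check(request: dict, users: dict) -> tuple:
    """Default-configuration behaviour: a valid session cookie is the only
    evidence the handler looks at before performing the state change."""
    if request["method"] != "POST":
        return (405, "method not allowed")
    users[request["form"]["user_id"]] = request["form"]["new_password"]
    return (200, "password changed")


def change_password_with_csrf_check(request: dict, users: dict) -> tuple:
    """Same handler behind the module's check: the form must carry the token
    derived from the caller's own session, compared in constant time."""
    if request["method"] != "POST":
        return (405, "method not allowed")
    expected = csrf_token_for_session(request["cookies"]["sessionid"])
    supplied = request["form"].get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(expected, supplied):
        return (403, "CSRF verification failed")
    users[request["form"]["user_id"]] = request["form"]["new_password"]
    return (200, "password changed")
```

A request built without the session's token is accepted by the first handler and rejected with 403 by the second, which is the difference between Django 0.96's default configuration and the documented module Debian pointed to.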
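For the CVE-2007-5944 / CVE-2006-3918 thread above, which concerns unfiltered Expect header content reaching an error page, the following Python is an added example (not Apache, IBM or list-member code) showing the unfiltered pattern beside the escaped form, plus the check a response test would use. The header value, the error-page wording and the function names are constructed for the example.

```python
import html

# Added example, not code from Apache, IBM or the thread above. It models the
# pattern behind the two CVEs: a server answering 417 Expectation Failed echoes
# the client's Expect header into an HTML error page. The header value below is
# constructed; the page wording is only a stand-in for a real error page.
SAMPLE_EXPECT = '100-continue<b>constructed</b>'


def error_page(expect_value: str, escape: bool) -> str:
    """Build the 417 error body. With escape=False the header is inserted as
    received (the unfiltered pattern); with escape=True it is HTML-escaped so
    the browser renders it as text rather than parsing it as markup."""
    shown = html.escape(expect_value, quote=True) if escape else expect_value
    return ("<html><head><title>417 Expectation Failed</title></head><body>"
            "<h1>Expectation Failed</h1><p>The expectation given in the Expect "
            f"request-header field could not be met by this server: {shown}</p>"
            "</body></html>")


def build_417_response(expect_value: str, escape: bool = True) -> bytes:
    """Full HTTP/1.1 response as bytes, so the body can be checked the way a
    scanner or test harness would see it on the wire."""
    body = error_page(expect_value, escape).encode()
    head = ("HTTP/1.1 417 Expectation Failed\r\n"
            "Content-Type: text/html; charset=utf-8\r\n"
            f"Content-Length: {len(body)}\r\n"
            "Connection: close\r\n\r\n")
    return head.encode() + body


def echoes_raw_markup(response: bytes, header_value: str) -> bool:
    """Defensive check for a response test: True when the untrusted header
    value appears in the body with its markup characters intact."""
    body = response.split(b"\r\n\r\n", 1)[1].decode()
    has_markup = any(ch in header_value for ch in '<>"\'&')
    return has_markup and header_value in body
```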