From theall at tenablesecurity.com Tue Sep 2 15:35:43 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 2 Sep 2008 11:35:43 -0400
Subject: [VIM] Gallery LFI - third party disputed vs vendor

On Aug 24, 2008, at 6:02 AM, security curmudgeon wrote:

> CVE-2008-3600
>
> Disclosure and Dispute:
> http://archives.neohapsis.com/archives/bugtraq/2008-08/0091.html
> http://archives.neohapsis.com/archives/bugtraq/2008-08/0115.html
>
> Vendor:
> http://gallery.menalto.com/gallery_1.5.8_released
>
> One security issue was reported to us in private by the Digital
> Security Research Group [DSecRG] who were professional and are
> waiting until after this release to publish their findings.
>
> --
>
> who's right? =)

DSecRG -- gallery doesn't have much under "contrib/phpBB2" other than
"modules.php" and some text files:

http://gallery.svn.sourceforge.net/viewvc/gallery/tags/RELEASE_1_5_7/gallery/contrib/phpBB2/

There is no "extension.inc". Nor is there anything matching "common.*"
or "includes/functions.*", which makes me wonder why DSecRG's PoC uses
a directory traversal sequence to grab "/etc/passwd".

George
--
theall at tenablesecurity.com


From theall at tenablesecurity.com Fri Sep 5 16:37:15 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 5 Sep 2008 12:37:15 -0400
Subject: [VIM] Moodle <= 1.8.4 Remote Code Execution Exploit

FYI, while looking into milw0rm 6356, I notice the underlying issue is
in the KSES library it uses. The project addressed the issue earlier
this year; eg,

http://moodle.org/mod/forum/discuss.php?d=95031
http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.2.2&r2=1.3.2.3

SecurityFocus created BID 30995 for the issues covered by milw0rm 6356,
yet they also have BID 28599, which covers the code execution issue in
KSES as well as a couple of other issues, so 30995 would seem to be a
dup.

I only see one CVE associated with the earlier BID: CVE-2008-1502,
which refers only to XSS attacks. Steve, is there another for the code
execution the earlier BID notes?

George
--
theall at tenablesecurity.com


From jericho at attrition.org Mon Sep 8 09:43:50 2008
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 8 Sep 2008 09:43:50 +0000 (UTC)
Subject: [VIM] Moodle <= 1.8.4 Remote Code Execution Exploit

On Fri, 5 Sep 2008, George A. Theall wrote:

: FYI, while looking into milw0rm 6356, I notice the underlying issue is in the
: KSES library it uses. The project addressed the issue earlier this year; eg,
:
: http://moodle.org/mod/forum/discuss.php?d=95031
: http://cvs.moodle.org/moodle/lib/kses.php?r1=1.3.2.2&r2=1.3.2.3
:
: SecurityFocus created BID 30995 for the issues covered by milw0rm 6356,
: yet they also have BID 28599, which covers the code execution issue in
: KSES as well as a couple of other issues, so 30995 would seem to be a
: dup.

BID 30995 is for multiple remote file inclusions in Moodle and references
the milw0rm exploit under 'exploit' (well, not reference, copies the code
from?). I assume this is KSES based code based on the /lib/kses.php
reference.

BID 28599 is for kses multiple input validation vulns, but the discussion
covers XSS and references previous BID 28424 and 28121.

OSVDB 43677 covers the XSS weakness, but we didn't have an entry for the
RFI (and to confirm, the $injection_points array is for each unique script
vulnerable right?). We will make one to cover this and cross-ref Milw0rm
6356 / BID 30995.

Based on the two BIDs, they don't seem to be a dupe to me though, as one
is for RFI, the other for XSS?


From theall at tenablesecurity.com Tue Sep 9 17:05:53 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 9 Sep 2008 13:05:53 -0400
Subject: [VIM] Moodle <= 1.8.4 Remote Code Execution Exploit

On Sep 8, 2008, at 5:43 AM, security curmudgeon wrote:

> BID 28599 is for kses multiple input validation vulns, but the
> discussion covers XSS and references previous BID 28424 and 28121.

The discussion under BID 28599 says PHP code execution is also possible,
as does the Bugtraq posting from Łukasz Pilorz referenced by the BID:

http://www.securityfocus.com/archive/1/490402

> OSVDB 43677 covers the XSS weakness, but we didn't have an entry for
> the RFI (and to confirm, the $injection_points array is for each unique
> script vulnerable right?).

It's not a remote file include but rather code injection caused by
unsafe usage of the 'e' pattern modifier in a preg_replace() call. Yes,
the scripts and (POST) parameters listed in $injection_points in
Milw0rm 6356 represent attack vectors. But the actual issue lies in
kses_bad_protocol_once() in lib/kses.php. And that was addressed by
the Moodle team here:

http://moodle.org/mod/forum/discuss.php?d=95031

as BID 28599 notes.

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Tue Sep 9 19:22:13 2008
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 09 Sep 2008 14:22:13 -0500
Subject: [VIM] [Fwd: http://milw0rm.com/exploits/6294]
Message-ID: <48C6CCE5.8050702@milw0rm.com>

-------------- next part --------------
An embedded message was scrubbed...
From: "Tim Mousel"
Subject: http://milw0rm.com/exploits/6294
Date: Tue, 9 Sep 2008 13:43:00 -0500
Size: 4156
Url: http://www.attrition.org/pipermail/vim/attachments/20080909/52f9fbc9/attachment.eml


From theall at tenablesecurity.com Mon Sep 15 02:33:17 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Sun, 14 Sep 2008 22:33:17 -0400
Subject: [VIM] Grafitti Forums 1.0 Remote SQL Injection/HTML Injection Vulnerabilities
Message-ID: <12781687-5CDB-49FA-BDA7-4831E30D9935@tenablesecurity.com>

Anyone know which product milw0rm 6429 supposedly covers? SirGod
doesn't mention a vendor, nor does the corresponding Bugtraq ID (31130).

Apart from a slight difference in the spelling of the product, the SQL
injection issue involving the 'f' parameter to 'topics.php' seems to
be a rehash of a discovery made by Paisterist back in 2006:

http://archives.neohapsis.com/archives/bugtraq/2006-07/0102.html

and covered by Bugtraq 18928.

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Mon Sep 15 05:11:15 2008
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 15 Sep 2008 00:11:15 -0500
Subject: [VIM] Grafitti Forums 1.0 Remote SQL Injection/HTML Injection Vulnerabilities
In-Reply-To: <12781687-5CDB-49FA-BDA7-4831E30D9935@tenablesecurity.com>
References: <12781687-5CDB-49FA-BDA7-4831E30D9935@tenablesecurity.com>
Message-ID: <48CDEE73.1000102@milw0rm.com>

George,

Vendor url: http://www.bluedojo.com/graffiti.php

Ya, it's a dupe.

George A. Theall wrote:
> Anyone know which product milw0rm 6429 supposedly covers? SirGod
> doesn't mention a vendor, nor does the corresponding Bugtraq ID (31130).
>
> Apart from a slight difference in the spelling of the product, the SQL
> injection issue involving the 'f' parameter to 'topics.php' seems to
> be a rehash of a discovery made by Paisterist back in 2006:
>
> http://archives.neohapsis.com/archives/bugtraq/2006-07/0102.html
>
> and covered by Bugtraq 18928.
>
> George


From coley at linus.mitre.org Tue Sep 16 00:17:59 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 15 Sep 2008 20:17:59 -0400 (EDT)
Subject: [VIM] OpenWiki (CVE-2006-2473) dispute

Dispute by the owner of a web site who has talked to the developer:

http://www.openwiki.com/ow.asp?OpenWikiVulnerability
http://www.openwiki.com/ow.asp?XssVulnerability

I didn't investigate too closely, but the original disclosure by
LiNuX_rOOt was rather brief and didn't include the specific XSS pattern
that triggered the issue. I don't remember that researcher's
reliability.

- Steve

======================================================
Name: CVE-2006-2473
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2473
Reference: BUGTRAQ:20060517 OpenWiki<--v0.78 Cross-Site Scripting
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/434295/100/0/threaded
Reference: MISC:http://www.openwiki.com/ow.asp?OpenWikiVulnerability
Reference: MISC:http://www.openwiki.com/ow.asp?XssVulnerability
Reference: BID:18013
Reference: URL:http://www.securityfocus.com/bid/18013
Reference: SREASON:920
Reference: URL:http://securityreason.com/securityalert/920
Reference: XF:openwiki-ow-xss(26517)
Reference: URL:http://xforce.iss.net/xforce/xfdb/26517

** DISPUTED ** Cross-site scripting (XSS) vulnerability in ow.asp in
OpenWiki 0.78 allows remote attackers to inject arbitrary web script or
HTML via the p parameter. NOTE: this issue has been disputed by the
vendor and a third party who is affiliated with the product. The vendor
states "You cannot insert code in a wikipage or via URL parameters as
they are all escaped before usage, so nothing can be compromised at
other sites."


From theall at tenablesecurity.com Mon Sep 22 16:01:19 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 22 Sep 2008 12:01:19 -0400
Subject: [VIM] e107 Plugin my_gallery (image) Remote SQL Injection Vulnerability
Message-ID: <2BD9AD72-3C7B-4F8B-A284-461368B86091@tenablesecurity.com>

Milw0rm 6516 claims to be in a plugin named "My_Gallery" <>. This
appears to be wrong. The affected file isn't in the distribution package
that I downloaded, either for version 1.9.2, which is what the link in
the advisory points to, or version 2.3, which I downloaded several
months ago.

Instead, it looks like it's Akira Powered's "Image Gallery", from <>.
Version 0.9.6.2, which is what's currently available (you need to
register first), is definitely vulnerable. The problem is in
'showBreadcrumb()' in 'functions.php' -- the second query fails to
sanitize input to the 'image' parameter.

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Mon Sep 22 16:13:06 2008
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 22 Sep 2008 11:13:06 -0500
Subject: [VIM] e107 Plugin my_gallery (image) Remote SQL Injection Vulnerability
In-Reply-To: <2BD9AD72-3C7B-4F8B-A284-461368B86091@tenablesecurity.com>
References: <2BD9AD72-3C7B-4F8B-A284-461368B86091@tenablesecurity.com>
Message-ID: <48D7C412.5000707@milw0rm.com>

Updated the author's work and title info, great job George.

/str0ke


From jericho at attrition.org Tue Sep 23 03:38:43 2008
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 23 Sep 2008 03:38:43 +0000 (UTC)
Subject: [VIM] The next IBM DB2 mess...

Trying to track down and do the x-ref mess. Ran into one CVE dupe most
likely (2008-0698 / 2007-3676). The question originally was if 2008-3853
crossed with OSVDB 48146. Here is a list of APARs, CVEs and relevant notes
and fix info:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-3853

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ12406
First fixed in DB2 UDB Version 9.5, FixPak 1

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ10033
First fixed in DB2 UDB Version 8.2, FixPak 16

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ12379
First fixed in DB2 UDB Version 9.1, FixPak 4a

OSVDB 48146 / CVE-NO-MATCH ?

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ22190
Problem was fixed in Version 9.5 Fix Pack 2

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ22004
Problem was first fixed in Version 8.2 Fix Pack 16

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ22188
Problem was fixed in Version 9.1 Fix Pack 5

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-0698

http://www-1.ibm.com/support/docview.wss?uid=swg1IZ05496
First fixed in DB2 UDB Version 8, FixPak 16

http://www-01.ibm.com/support/docview.wss?uid=swg1IZ05478
First fixed in DB2 V9.1 fixpak 4 (FP4)
This APAR addresses the issues described by CVE-2007-3676 at cve.mitre.org

Based on that, 2008-3853 and OSVDB 48146 seem different, since in each
case the vuln was fixed in different versions 2 of the 3 times. Based on
that, OSVDB is keeping two entries for these.

The note in APAR 05478 (CVE 2008-0698) makes it pretty clear it crosses
with 2007-3676 though.


From theall at tenablesecurity.com Fri Sep 26 02:13:20 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 25 Sep 2008 22:13:20 -0400
Subject: [VIM] The next IBM DB2 mess...
Message-ID: <2CFE80C7-E249-455E-B2EE-99A0FBA2E199@tenablesecurity.com>

On Sep 22, 2008, at 11:38 PM, security curmudgeon wrote:

> Trying to track down and do the x-ref mess.

What I find confusing is that there are many cases in which the text
within the APAR itself says it's been fixed in a particular version, but
if you then look in the overall list of APARs by Fix Pack, you find it in
a different version. Or not at all.

> http://www-1.ibm.com/support/docview.wss?uid=swg1IZ12379
> First fixed in DB2 UDB Version 9.1, FixPak 4a

Case in point. Text says 4a, but the list of APARs by Fix Pack lists it
under 5.

> OSVDB 48146 / CVE-NO-MATCH ?
>
> http://www-01.ibm.com/support/docview.wss?uid=swg1IZ22190
> Problem was fixed in Version 9.5 Fix Pack 2

I don't see it included in the 9.5 list of APARs by Fix Pack.

> http://www-01.ibm.com/support/docview.wss?uid=swg1IZ22004
> Problem was first fixed in Version 8.2 Fix Pack 16

While that's what the APAR says, the dates it lists are more in line with
Fix Pack 17 (Fix Pack 16 came out in February 2008, 17 in September 2008,
and the issue was apparently submitted May 2008). In addition, the APAR
itself is listed under Fix Pack 17 on the Version 8 list of APARs by Fix
Pack.

> http://www-01.ibm.com/support/docview.wss?uid=swg1IZ22188
> Problem was fixed in Version 9.1 Fix Pack 5

It's not in the 9.1 list of APARs by Fix Pack.

George
--
theall at tenablesecurity.com


From theall at tenablesecurity.com Sun Sep 28 02:44:03 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Sat, 27 Sep 2008 22:44:03 -0400
Subject: [VIM] X7 Chat 2.0.5.1 (mini.php help_file) Local File Include Vulnerability
Message-ID: <0CFF00C4-8B3A-4B46-8990-0933CCAA2E21@tenablesecurity.com>

I'm not sure the exploit as described in milw0rm 6592 works generally.
Notice the affected file is "help/mini.php" and the arg to include()
starts with "./help/"? When you call the script directly, the working
directory will be something like "/var/www/html/x7chat/help", which
causes the directory traversal to fail on targets running, say, *nix
since there's no directory named "help" under that.

The issue is exploitable under version 2.0.0, but it appears to have
been fixed in response to rgod's earlier advisory:

http://archives.neohapsis.com/archives/bugtraq/2006-05/0028.html

which leverages a very similar issue in 'help/index.php' to execute
arbitrary code.
George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Sun Sep 28 03:17:21 2008
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 27 Sep 2008 22:17:21 -0500
Subject: [VIM] X7 Chat 2.0.5.1 (mini.php help_file) Local File Include Vulnerability
In-Reply-To: <0CFF00C4-8B3A-4B46-8990-0933CCAA2E21@tenablesecurity.com>
References: <0CFF00C4-8B3A-4B46-8990-0933CCAA2E21@tenablesecurity.com>
Message-ID: <48DEF741.60304@milw0rm.com>

Correct, removing it now.

/str0ke

George A. Theall wrote:
> I'm not sure the exploit as described in milw0rm 6592 works generally.
> Notice the affected file is "help/mini.php" and the arg to include()
> starts with "./help/"? When you call the script directly, the working
> directory will be something like "/var/www/html/x7chat/help", which
> causes the directory traversal to fail on targets running, say, *nix
> since there's no directory named "help" under that.
>
> The issue is exploitable under version 2.0.0, but it appears to have
> been fixed in response to rgod's earlier advisory:
>
> http://archives.neohapsis.com/archives/bugtraq/2006-05/0028.html
>
> which leverages a very similar issue in 'help/index.php' to execute
> arbitrary code.
>
> George


From str0ke at milw0rm.com Sun Sep 28 03:19:25 2008
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 27 Sep 2008 22:19:25 -0500
Subject: [VIM] X7 Chat 2.0.5.1 (mini.php help_file) Local File Include Vulnerability
In-Reply-To: <48DEF741.60304@milw0rm.com>
References: <0CFF00C4-8B3A-4B46-8990-0933CCAA2E21@tenablesecurity.com> <48DEF741.60304@milw0rm.com>
Message-ID: <48DEF7BD.2070404@milw0rm.com>

Actually, I'm going to change the topic info; it affects 2.0.1a as well.

Regards,
/str0ke

str0ke wrote:
> Correct,
>
> removing it now.
>
> /str0ke
>
> George A. Theall wrote:
>
>> I'm not sure the exploit as described in milw0rm 6592 works generally.
>> Notice the affected file is "help/mini.php" and the arg to include()
>> starts with "./help/"? When you call the script directly, the working
>> directory will be something like "/var/www/html/x7chat/help", which
>> causes the directory traversal to fail on targets running, say, *nix
>> since there's no directory named "help" under that.
>>
>> The issue is exploitable under version 2.0.0, but it appears to have
>> been fixed in response to rgod's earlier advisory:
>>
>> http://archives.neohapsis.com/archives/bugtraq/2006-05/0028.html
>>
>> which leverages a very similar issue in 'help/index.php' to execute
>> arbitrary code.
>>
>> George
>>
>
>


From theall at tenablesecurity.com Mon Sep 29 02:41:16 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Sun, 28 Sep 2008 22:41:16 -0400
Subject: [VIM] soapCaller.bs
Message-ID: <332AA334-A5AA-48EB-A54C-8AA34928D824@tenablesecurity.com>

I've noticed recently a lot of scans from Morpheus for soapCaller.bs; eg,

208.40.33.20 - - [27/Sep/2008:17:46:53 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 216 "-" "Morfeus Fucking Scanner"

Does anyone know what vulnerability the scanner's trying to exploit?

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Mon Sep 29 03:49:36 2008
From: str0ke at milw0rm.com (str0ke)
Date: Sun, 28 Sep 2008 22:49:36 -0500
Subject: [VIM] soapCaller.bs
In-Reply-To: <332AA334-A5AA-48EB-A54C-8AA34928D824@tenablesecurity.com>
References: <332AA334-A5AA-48EB-A54C-8AA34928D824@tenablesecurity.com>
Message-ID: <48E05050.9080302@milw0rm.com>

http://72.14.205.104/search?q=cache:M0zbRuRSIMMJ:stateofsecurity.com/%3Fp%3D467+soapCaller.bs&hl=en&ct=clnk&cd=1&gl=us

George A. Theall wrote:
> I've noticed recently a lot of scans from Morpheus for soapCaller.bs; eg,
>
> 208.40.33.20 - - [27/Sep/2008:17:46:53 -0400] "GET
> /user/soapCaller.bs HTTP/1.1" 404 216 "-" "Morfeus Fucking Scanner"
>
> Does anyone know what vulnerability the scanner's trying to exploit?
>
> George


From theall at tenablesecurity.com Mon Sep 29 11:00:43 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 29 Sep 2008 07:00:43 -0400
Subject: [VIM] soapCaller.bs
In-Reply-To: <48E05050.9080302@milw0rm.com>
References: <332AA334-A5AA-48EB-A54C-8AA34928D824@tenablesecurity.com> <48E05050.9080302@milw0rm.com>

On Sep 28, 2008, at 11:49 PM, str0ke wrote:

> http://72.14.205.104/search?q=cache:M0zbRuRSIMMJ:stateofsecurity.com/%3Fp%3D467+soapCaller.bs&hl=en&ct=clnk&cd=1&gl=us

I had noticed that earlier, but it only talks about how Morpheus scans
for it. I was hoping someone would be able to point to a specific
advisory that says which package was affected.

Btw, most of the issues I've seen Morpheus scanning for in the past
have been older vulnerabilities. This seems different.

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Mon Sep 29 14:08:27 2008
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 29 Sep 2008 09:08:27 -0500
Subject: [VIM] soapCaller.bs
References: <332AA334-A5AA-48EB-A54C-8AA34928D824@tenablesecurity.com> <48E05050.9080302@milw0rm.com>
Message-ID: <48E0E15B.5040503@milw0rm.com>

I would just add the file and watch what the next step is the bot takes.

George A. Theall wrote:
> On Sep 28, 2008, at 11:49 PM, str0ke wrote:
>
>> http://72.14.205.104/search?q=cache:M0zbRuRSIMMJ:stateofsecurity.com/%3Fp%3D467+soapCaller.bs&hl=en&ct=clnk&cd=1&gl=us
>>
>
> I had noticed that earlier, but it only talks about how Morpheus scans
> for it. I was hoping someone would be able to point to a specific
> advisory that says which package was affected.
>
> Btw, most of the issues I've seen Morpheus scanning for in the past
> have been older vulnerabilities. This seems different.
>
> George


From theall at tenablesecurity.com Mon Sep 29 14:25:04 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 29 Sep 2008 10:25:04 -0400
Subject: [VIM] soapCaller.bs
In-Reply-To: <48E0E15B.5040503@milw0rm.com>
References: <332AA334-A5AA-48EB-A54C-8AA34928D824@tenablesecurity.com> <48E05050.9080302@milw0rm.com> <48E0E15B.5040503@milw0rm.com>

On Sep 29, 2008, at 10:08 AM, str0ke wrote:

> I would just add the file and watch what the next step is the bot
> takes.

I can do that. But the article you referenced says there hasn't been a
"next step" observed yet.

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Mon Sep 29 15:10:58 2008
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 29 Sep 2008 10:10:58 -0500
Subject: [VIM] soapCaller.bs
References: <332AA334-A5AA-48EB-A54C-8AA34928D824@tenablesecurity.com> <48E05050.9080302@milw0rm.com> <48E0E15B.5040503@milw0rm.com>
Message-ID: <48E0F002.3020707@milw0rm.com>

Eww, that's kind of scary.

George A. Theall wrote:
> On Sep 29, 2008, at 10:08 AM, str0ke wrote:
>
>> I would just add the file and watch what the next step is the bot takes.
>
> I can do that. But the article you referenced says there hasn't been a
> "next step" observed yet.
>
> George
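In the Moodle/KSES thread above, George's point is that the bug behind BID 28599 is not a remote file include but code injection through the 'e' modifier of preg_replace(), which evaluates the replacement string as PHP. The following is an added example, not code from the list or from Moodle/KSES: a small Python audit helper that scans PHP source for preg_replace() calls whose literal pattern carries the e modifier, the check a triager would run over a code base when a report like this one comes in. The PHP snippet inside it is constructed for the example and is not Moodle's lib/kses.php; the function and constant names are mine.

```python
import re
from typing import List, Tuple

# Matches preg_replace( '<pattern>' ... or preg_replace( "<pattern>" ... and captures the
# quoted pattern literal (backslash escapes inside the literal are skipped over).
# Only literal patterns are checked; a pattern held in a variable needs manual review.
PREG_REPLACE_CALL = re.compile(
    r"""preg_replace\s*\(\s*(?P<quote>['"])(?P<pattern>(?:\\.|(?!(?P=quote)).)*)(?P=quote)""",
    re.DOTALL,
)


def pattern_modifiers(pattern: str) -> str:
    """Return the modifier letters that follow the closing delimiter of a PCRE pattern literal."""
    if not pattern:
        return ""
    delim = pattern[0]
    # Bracket-style delimiters close with their counterpart; others close with themselves.
    closing = {"(": ")", "[": "]", "{": "}", "<": ">"}.get(delim, delim)
    end = pattern.rfind(closing)
    if end <= 0:
        return ""
    return pattern[end + 1:]


def find_eval_modifier(php_source: str) -> List[Tuple[int, str]]:
    """Return (line_number, pattern_literal) for each preg_replace() whose pattern uses the e modifier."""
    hits = []
    for m in PREG_REPLACE_CALL.finditer(php_source):
        if "e" in pattern_modifiers(m.group("pattern")):
            line_no = php_source.count("\n", 0, m.start()) + 1
            hits.append((line_no, m.group("pattern")))
    return hits


# Constructed sample PHP for this example (hypothetical file; not Moodle's lib/kses.php).
SAMPLE_PHP = r'''<?php
// Constructed sample for this example; not Moodle's lib/kses.php.
$s = preg_replace('/&#(\d+);/e', 'chr(\1)', $s);                       // unsafe: /e evaluates the replacement
$s = preg_replace("/[\r\n]+/", " ", $s);                               // fine: no e modifier
$s = preg_replace_callback('/&#(\d+);/', function ($m) { return chr($m[1]); }, $s); // safe replacement
$t = preg_replace("{\s+}ie", " ", $t);                                 // unsafe: bracket delimiter, modifiers "ie"
'''

if __name__ == "__main__":
    for line_no, pattern in find_eval_modifier(SAMPLE_PHP):
        print(f"line {line_no}: preg_replace() with e modifier in pattern {pattern!r}; "
              f"use preg_replace_callback() instead")
```

The scan is deliberately narrow: it reports only patterns written as string literals, so a pattern assembled at runtime or stored in a variable still needs a manual look. The fix the sample illustrates is the one the Moodle change also uses in spirit, replacing the evaluated replacement string with preg_replace_callback(); PHP deprecated the e modifier in 5.5 and removed it in 7.0.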
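The soapCaller.bs thread above turns on a single Apache log line and two indicators in it, the probed path and the scanner's User-Agent string. As an added example that is not part of the list discussion, here is a Python detector that parses combined-format access log lines, flags requests matching either indicator, and escalates when the probe was answered with a 2xx (meaning the probed file actually exists on the host, the case George and str0ke were speculating about). The first sample line is the one George quoted; the remaining lines, the indicator lists and all names are constructed for this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Apache "combined" log format, the layout of the line quoted in the thread.
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)

# Indicators taken from the thread: the probed file name and the scanner's User-Agent marker.
PROBE_FILES = {"soapcaller.bs"}
SCANNER_UA_MARKERS = ("morfeus",)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    status: int
    reasons: List[str]


def parse_combined(line: str) -> Optional[dict]:
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(rec: dict) -> List[str]:
    """Return the indicator names this request matches (empty list means nothing seen)."""
    reasons = []
    ua = rec["ua"].lower()
    if any(marker in ua for marker in SCANNER_UA_MARKERS):
        reasons.append("scanner-user-agent")
    # Compare the last path component case-insensitively; any query string is dropped.
    basename = rec["path"].split("?", 1)[0].rsplit("/", 1)[-1].lower()
    if basename in PROBE_FILES:
        reasons.append("known-probe-path")
        # A 2xx here means the probed file exists on this host: that request needs a closer look.
        if 200 <= rec["status"] < 300:
            reasons.append("probe-succeeded")
    return reasons


def scan(lines) -> List[Finding]:
    """Run the indicators over an iterable of log lines and collect the matches."""
    findings = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue  # unparseable line; a production pipeline would count these separately
        reasons = classify(rec)
        if reasons:
            findings.append(Finding(rec["ip"], rec["ts"], rec["path"], rec["status"], reasons))
    return findings


# Constructed sample log: the first line is the one quoted in the thread, the rest are made up.
SAMPLE_LOG = [
    '208.40.33.20 - - [27/Sep/2008:17:46:53 -0400] "GET /user/soapCaller.bs HTTP/1.1" 404 216 "-" "Morfeus Fucking Scanner"',
    '192.0.2.10 - - [27/Sep/2008:17:47:01 -0400] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux) Firefox/3.0"',
    '198.51.100.7 - - [27/Sep/2008:17:48:12 -0400] "GET /user/soapCaller.bs HTTP/1.1" 200 312 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.path} {f.status} -> {', '.join(f.reasons)}")
```

Matching on the path as well as the User-Agent is the point of the design: a scanner's User-Agent is trivially changed, while the probed file name is what ties the request to the unknown vulnerability the thread is trying to identify, so the third sample line is still caught although it carries a browser User-Agent.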