[VIM] various Apache products - not enough details

security curmudgeon jericho at attrition.org
Wed Oct 28 01:52:26 UTC 2009


I went trolling through the Apache Jira system, fun times!

Ended up finding a world of vulnerabilities that were not disclosed 
through regular channels. Ended up making about 80 new entries in OSVDB 
for them. There will be a blog post listing them all at some point.

During that crawl, found about 30 or so that I just don't have enough 
details for. Based on the wording of the bug report, it suggests security 
implications. I don't have the time, patience or expertise to try to 
reproduce these to figure them out. Hoping that someone on the list can 
give insight over the coming week as I post a few a day probably. =)

--

https://issues.apache.org/jira/browse/JS2-714

I read this as a 'delegated security portlet' has the right to manage an 
admin user, and it should not. The question is, does this give the delegated 
security portlet privileges it shouldn't have, that it can use in a bad 
way?

https://issues.apache.org/jira/browse/DERBY-3462

Versions 10.4.1.3, 10.5.1.1 fix; no clue if this has security 
implications for 'information disclosure'.

https://issues.apache.org/jira/browse/GERONIMO-4587

Version 2.2 fixes. I read this as 'getX Method Access Restriction Bypass' 
based on the info available.

https://issues.apache.org/jira/browse/AXIS2-4241

I read this as 'Service Fault Security Policy Application Weakness', where 
a policy may not be properly enforced.

https://issues.apache.org/jira/browse/NET-74

This involves application of RFC 855, specifically telnet subnegotiation. 
If it doesn't handle 0xFF correctly, is this a DoS condition? From the 
RFC:

[snip]
Designers of options requiring "subnegotiation" must take great care to 
avoid unending loops in the subnegotiation process. For example, if each 
party can accept any value of a parameter, and both parties suggest 
parameters with different values, then one is likely to have an infinite 
oscillation of "acknowledgments" (where each receiver believes it is only 
acknowledging the new proposals of the other). Finally, if parameters in 
an option "subnegotiation" include a byte with a value of 255, it is 
necessary to double this byte in accordance the general TELNET rules.
[eosnip]
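An added example, not part of this post and not Apache Commons Net's own code: a small Python parser for an RFC 855 subnegotiation block (IAC SB ... IAC SE) that applies the "double the 0xFF byte" rule the quoted paragraph describes, plus the matching encoder. It shows why the rule matters for robustness: a parameter byte 0xFF arrives on the wire as 0xFF 0xFF, and a decoder that does not undouble it will mis-read a data byte as a command and lose sync, while a decoder that keeps waiting for IAC SE on truncated input must return rather than spin. The option number 24 and all byte strings in the usage lines are constructed test data, not taken from the bug report.

```python
# Added example: RFC 855 subnegotiation framing with the IAC-doubling rule.
# Not code from the post or from Apache Commons Net; option/byte values are
# constructed for illustration.

IAC = 0xFF  # Interpret As Command
SB = 0xFA   # subnegotiation begin
SE = 0xF0   # subnegotiation end


def encode_subnegotiation(option: int, params: bytes) -> bytes:
    """Build IAC SB <option> <params> IAC SE, doubling any 0xFF in params
    as RFC 855 requires so it is not mistaken for a command byte."""
    escaped = params.replace(bytes([IAC]), bytes([IAC, IAC]))
    return bytes([IAC, SB, option]) + escaped + bytes([IAC, SE])


def parse_subnegotiation(stream: bytes):
    """Parse one IAC SB ... IAC SE block at the start of `stream`.

    Returns (option, params, bytes_consumed) on success, or None when the
    block is not yet complete (more input needed). Raises ValueError on
    malformed input. Each loop iteration consumes at least one byte, so
    work is bounded by len(stream) and truncated input cannot spin.
    """
    n = len(stream)
    if n < 3 or stream[0] != IAC or stream[1] != SB:
        raise ValueError("not a subnegotiation block")
    option = stream[2]
    params = bytearray()
    i = 3
    while i < n:
        b = stream[i]
        if b != IAC:
            params.append(b)
            i += 1
            continue
        if i + 1 >= n:
            return None  # IAC is the last byte; need the next one to decide
        nxt = stream[i + 1]
        if nxt == IAC:
            params.append(IAC)  # doubled 0xFF: a literal data byte
            i += 2
        elif nxt == SE:
            return option, bytes(params), i + 2
        else:
            raise ValueError(f"unexpected IAC {nxt:#04x} inside subnegotiation")
    return None  # no IAC SE seen yet


if __name__ == "__main__":
    # Constructed parameter containing a literal 0xFF byte.
    wire = encode_subnegotiation(24, b"\x01\xff\x02")
    print(wire.hex())
    print(parse_subnegotiation(wire + b"rest"))
    print(parse_subnegotiation(wire[:-1]))  # truncated: None, no hang
```

The encoder and parser are inverses: the test below round-trips a parameter set that contains 0xFF, checks that a truncated block returns None instead of looping, and checks that an undoubled IAC followed by a non-SE byte is rejected rather than silently absorbed.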