[VIM] various Apache products - not enough details
security curmudgeon
jericho at attrition.org
Wed Oct 28 01:52:26 UTC 2009
I went trolling through the Apache Jira system, fun times!
Ended up finding a world of vulnerabilities that were not disclosed
through regular channels. Ended up making about 80 new entries in OSVDB
for them. There will be a blog post listing them all at some point.
During that crawl, found about 30 or so that I just don't have enough
details for. Based on the wording of the bug report, it suggests security
implications. I don't have the time, patience or expertise to try to
reproduce these to figure them out. Hoping that someone on the list can
give insight over the coming week as I post a few a day probably. =)
--
https://issues.apache.org/jira/browse/JS2-714
i read this as a 'delegated security portlet' has the right to manage an
admin user, and it should not. question is, does this give the delegated
security portlet privileges it shouldn't have, that it can use in a bad
way?

https://issues.apache.org/jira/browse/DERBY-3462
versions 10.4.1.3, 10.5.1.1 fix, no clue if this has security
implications for 'information disclosure'

https://issues.apache.org/jira/browse/GERONIMO-4587
version 2.2 fixes. i read this as 'getX Method Access Restriction Bypass'
based on the info available.

https://issues.apache.org/jira/browse/AXIS2-4241
i read this as 'Service Fault Security Policy Application Weakness', where
a policy may not be properly enforced.

https://issues.apache.org/jira/browse/NET-74
this involves application of RFC855, specifically telnet subnegotiation.
if it doesn't handle 0xFF correctly, is this a DoS condition? from the
RFC:

[snip]
Designers of options requiring "subnegotiation" must take great care to
avoid unending loops in the subnegotiation process. For example, if each
party can accept any value of a parameter, and both parties suggest
parameters with different values, then one is likely to have an infinite
oscillation of "acknowledgments" (where each receiver believes it is only
acknowledging the new proposals of the other). Finally, if parameters in
an option "subnegotiation" include a byte with a value of 255, it is
necessary to double this byte in accordance the general TELNET rules.
[eosnip]
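
The byte-doubling rule in the RFC 855 excerpt quoted above, as an added example that is not part of the original post and is not Apache Commons Net code. The option number 24, the sample parameter bytes and the `max_len` bound are constructed for illustration; `naive_decode` is a hypothetical contrast and makes no claim about what NET-74 actually fixed.

```python
IAC, SB, SE = 0xFF, 0xFA, 0xF0  # TELNET command bytes (RFC 854/855)


def encode_subneg(option: int, params: bytes) -> bytes:
    """Frame params as IAC SB <option> <params> IAC SE, doubling every 0xFF."""
    escaped = params.replace(b"\xff", b"\xff\xff")
    return bytes([IAC, SB, option]) + escaped + bytes([IAC, SE])


def decode_subneg(frame: bytes, max_len: int = 512):
    """Return (option, params). Rejects malformed, unterminated or oversized frames."""
    if len(frame) < 5 or frame[0] != IAC or frame[1] != SB:
        raise ValueError("not a subnegotiation frame")
    option, params, i = frame[2], bytearray(), 3
    while i < len(frame):
        if frame[i] != IAC:
            params.append(frame[i])      # ordinary parameter byte
            i += 1
        elif i + 1 >= len(frame):
            break                        # dangling IAC at end of input
        elif frame[i + 1] == IAC:
            params.append(IAC)           # IAC IAC is one literal 0xFF data byte
            i += 2
        elif frame[i + 1] == SE:
            if i + 2 != len(frame):
                raise ValueError("trailing data after IAC SE")
            return option, bytes(params)
        else:
            raise ValueError("unexpected command inside subnegotiation")
        if len(params) > max_len:        # bound memory held for one frame
            raise ValueError("subnegotiation too long")
    raise ValueError("unterminated subnegotiation")


def naive_decode(frame: bytes):
    """Hypothetical decoder that ignores doubling: stops at the first FF F0 pair."""
    end = frame.index(b"\xff\xf0", 3)
    return frame[2], frame[3:end]


# Constructed sample: the parameters contain 0xFF followed by 0xF0.
SAMPLE_PARAMS = b"\x01\xff\xf0\x02"
SAMPLE_FRAME = encode_subneg(24, SAMPLE_PARAMS)

if __name__ == "__main__":
    print(SAMPLE_FRAME.hex())            # wire bytes, 0xFF doubled
    print(decode_subneg(SAMPLE_FRAME))   # round-trips the parameters
    print(naive_decode(SAMPLE_FRAME))    # truncated at the escaped 0xFF
```

The naive decoder treats the second half of the doubled byte plus the following 0xF0 as the end marker, so it returns truncated parameters and leaves the rest of the frame to be misread as ordinary stream data.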