From coley at linus.mitre.org Wed Feb 3 00:00:59 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 2 Feb 2010 19:00:59 -0500 (EST)
Subject: [VIM] disputed: CVE-2010-0158 JoomlaBamboo (JB) Simpla Admin SQL injection

Researcher: R3d-D3v!L

The CVE team has received a dispute of the following issue. More details later if the vendor is willing to provide a public statement. The software is not immediately downloadable, so I could not independently research the issue.

- Steve

======================================================
Name: CVE-2010-0158
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0158
Reference: MISC:http://packetstormsecurity.org/1001-exploits/joomlabamboo-sql.txt
Reference: MISC:http://www.exploit-db.com/exploits/10971
Reference: BID:37579
Reference: URL:http://www.securityfocus.com/bid/37579
Reference: VUPEN:ADV-2010-0014
Reference: URL:http://www.vupen.com/english/advisories/2010/0014

SQL injection vulnerability in the JoomlaBamboo (JB) Simpla Admin template for Joomla! allows remote attackers to execute arbitrary SQL commands via the id parameter in an article action to the com_content component, reachable through index.php.

From coley at linus.mitre.org Wed Feb 3 01:29:31 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 2 Feb 2010 20:29:31 -0500 (EST)
Subject: [VIM] disputed: CVE-2010-0158 JoomlaBamboo (JB) Simpla Admin SQL injection

Dispute posted by vendor:

http://www.joomlabamboo.com/blog/template-news/simpla-is-safe

He also committed to the following statement:

JoomlaBamboo has investigated this report, and it is incorrect. There is no SQL injection vulnerability involving the id parameter in an article view, and there never was. JoomlaBamboo customers have no reason to be concerned about this report.

- Steve

From jericho at attrition.org Wed Feb 10 08:53:28 2010
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 10 Feb 2010 08:53:28 +0000 (UTC)
Subject: [VIM] ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

On Tue, 9 Feb 2010, ZDI Disclosures wrote:

: ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-016
: February 9, 2010
:
: -- CVE ID:
: CVE-2010-0027
:
: -- Affected Products:
: Microsoft Windows XP
:
: -- Vendor Response:
: Microsoft has issued an update to correct this vulnerability. More
: details can be found at:
:
: http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
:
: -- Disclosure Timeline:
: 2009-07-20 - Vulnerability reported to vendor
: 2010-02-09 - Coordinated public release of advisory

This CVE crosses with MS10-002 / 978207, tracked by OSVDB 61909 "Microsoft IE Unspecified Crafted URL Handling Arbitrary Code Execution". Per previous disclosure, this was reported to MS on 2009-11-15. Your advisory says this affects Windows XP, not MSIE specifically, and crosses to MS10-007. Can you clarify please?

From zdi-disclosures at tippingpoint.com Wed Feb 10 18:50:14 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Wed, 10 Feb 2010 12:50:14 -0600
Subject: [VIM] ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

Jericho,

The crux of this issue was never fully identified on our behalf; we simply tracked it down to the point that we knew it was reachable from ShellExecute(). We're not entirely sure why Microsoft chose to split the patch across two months, but we were told by them to wait until this month to release our advisory. The issue can be triggered from a variety of vectors, the most interesting to an attacker being MSIE. It is NOT, however, only exposed through IE. We just updated the web advisory to reflect all affected operating systems, which in addition to XP include 2000 and 2003. We suspect that Microsoft first addressed the IE vector last month and the actual bug this month.

Hope that helps.

Kate

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Wednesday, February 10, 2010 2:53 AM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Re: ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability

On Tue, 9 Feb 2010, ZDI Disclosures wrote:

: ZDI-10-016: Microsoft Windows ShellExecute Improper Sanitization Code Execution Vulnerability
: http://www.zerodayinitiative.com/advisories/ZDI-10-016
: February 9, 2010
:
: -- CVE ID:
: CVE-2010-0027
:
: -- Affected Products:
: Microsoft Windows XP
:
: -- Vendor Response:
: Microsoft has issued an update to correct this vulnerability. More
: details can be found at:
:
: http://www.microsoft.com/technet/security/bulletin/MS10-007.mspx
:
: -- Disclosure Timeline:
: 2009-07-20 - Vulnerability reported to vendor
: 2010-02-09 - Coordinated public release of advisory

This CVE crosses with MS10-002 / 978207, tracked by OSVDB 61909 "Microsoft IE Unspecified Crafted URL Handling Arbitrary Code Execution". Per previous disclosure, this was reported to MS on 2009-11-15. Your advisory says this affects Windows XP, not MSIE specifically, and crosses to MS10-007. Can you clarify please?

From theall at tenablesecurity.com Fri Feb 12 15:20:28 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 12 Feb 2010 10:20:28 -0500
Subject: [VIM] RSA SecurID XSS Vulnerability

FYI, Exploit DB 11405 / Bugtraq ID 38207 would seem to be a dup of an issue reported in early 2008 by Quentin Berdugo as well as ProCheckUp and covered already by CVE-2008-1470 / Bugtraq 28277. Also, ProCheckUp pointed out its relationship with Bugtraq 13168 from 2005.

George
--
theall at tenablesecurity.com

From jericho at attrition.org Sat Feb 27 08:48:59 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 27 Feb 2010 08:48:59 +0000 (UTC)
Subject: [VIM] Joomla! developer: Being "The Vendor" for Security Issues

Late response..

On Sun, 6 Sep 2009, Steven M. Christey wrote:

: This is basically a commentary on typical VDB practices shared by most
: of us. The Joomla! folks have a couple solid points, especially on
: proper distinction of third-party extensions from core, and their desire
: for accuracy.
:
: http://community.joomla.org/blogs/community/1029-on-being-qthe-vendorq.html
:
: I'm thinking on a constructive response. The apparent practice of
: removing vulnerable extensions from their directory is probably
: adversely affecting all of us - certainly CVE, who tries to verify that
: an extension is not just site-specific before we create an entry.

I noticed this kind of issue pretty early on and directed how OSVDB handles it. Since our data set isn't 50% complete, vendor information is not added for many entries. As a result, the only real and consistent distinction we can make is in the title. This goes for Joomla! and any other software with third-party plugins.

Vendor: Joomla! ...
Third-party: X Plugin for Joomla! ..

It's subtle, but the best we can do for now.