From jericho at attrition.org Sat Oct 2 16:07:01 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 2 Oct 2010 16:07:01 -0500 (CDT)
Subject: [VIM] OSVDB 67800 / CVE-2010-3205 - Textpattern dispute

http://osvdb.org/show/osvdb/67800
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3205

This is not a vulnerability. The code in question does not execute until after separate authentication and authorization checks. Even a logged-in user with full privileges cannot get this code to include a file from outside the application.

Comment submitted from: Frontier Communications of America, Inc. FRTR-71-111-192-0 (NET-71-111-192-0-1) 71.111.192.0 - 71.111.255.255

From jericho at attrition.org Thu Oct 7 17:15:18 2010
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 7 Oct 2010 17:15:18 -0500 (CDT)
Subject: [VIM] ZDI-10-182: IBM TSM FastBack Server FXCLI_OraBR_Exec_Command Remote Code Execution Vulnerabilities

: ZDI-10-182: IBM TSM FastBack Server FXCLI_OraBR_Exec_Command Remote Code Execution Vulnerabilities
: http://www.zerodayinitiative.com/advisories/ZDI-10-182
: September 29, 2010
:
: The specific flaw exists within FastBackServer.exe which listens by
: default on TCP port 11460. The vulnerable function uses values directly
: from a received packet as the size and data to several memcpy calls. By
: providing crafted values this issue can lead to remote code execution
: under the context of the fastback server.

Can you confirm 11460 here? The rest of the advisories say 11406 for the port.

From zdi-disclosures at tippingpoint.com Tue Oct 12 18:07:35 2010
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Tue, 12 Oct 2010 18:07:35 -0500
Subject: [VIM] ZDI-10-182: IBM TSM FastBack Server FXCLI_OraBR_Exec_Command Remote Code Execution Vulnerabilities

11460/tcp is correct.
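The flaw class the ZDI text above describes (a length read straight out of a received packet and handed to memcpy) and the two bounds checks that prevent it, as an added example written for this thread, not code from ZDI, IBM or the list. The frame layout (4-byte little-endian length followed by payload) is an assumption for illustration, not FastBack's real wire format.

```c
/* Length-checked copy of a framed payload. Constructed example, not
 * FastBack code: the frame layout (4-byte little-endian length, then
 * payload) is an assumption made for illustration only. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_PAYLOAD 64            /* fixed-size destination buffer */
#define HDR_LEN     4

typedef struct {
    uint8_t data[MAX_PAYLOAD];
    size_t  len;
} payload_t;

enum { PARSE_OK = 0, PARSE_SHORT_HEADER = 1, PARSE_TRUNCATED = 2, PARSE_TOO_LARGE = 3 };

/* Read the declared length, then validate it against BOTH bounds that
 * matter before memcpy: the bytes actually received (never read past
 * the packet) and the destination capacity (never write past the
 * buffer). Using the declared length directly, as the advisory
 * describes, skips these checks. */
int parse_frame(payload_t *out, const uint8_t *pkt, size_t pkt_len)
{
    if (pkt_len < HDR_LEN)
        return PARSE_SHORT_HEADER;
    uint32_t declared = (uint32_t)pkt[0] | ((uint32_t)pkt[1] << 8) |
                        ((uint32_t)pkt[2] << 16) | ((uint32_t)pkt[3] << 24);
    if (declared > MAX_PAYLOAD)
        return PARSE_TOO_LARGE;           /* would overflow out->data */
    if (declared > pkt_len - HDR_LEN)
        return PARSE_TRUNCATED;           /* would read past the packet */
    memcpy(out->data, pkt + HDR_LEN, declared);
    out->len = declared;
    return PARSE_OK;
}

/* Builds a constructed test frame: a header claiming `declared` bytes
 * followed by `body` bytes of 0x41. Returns the frame size, 0 if it
 * does not fit in `cap`. */
size_t build_frame(uint8_t *buf, size_t cap, uint32_t declared, size_t body)
{
    if (cap < HDR_LEN + body) return 0;
    buf[0] = (uint8_t)declared;         buf[1] = (uint8_t)(declared >> 8);
    buf[2] = (uint8_t)(declared >> 16); buf[3] = (uint8_t)(declared >> 24);
    memset(buf + HDR_LEN, 0x41, body);
    return HDR_LEN + body;
}
```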
From theall at tenable.com Wed Oct 13 13:49:46 2010
From: theall at tenable.com (George A. Theall)
Date: Wed, 13 Oct 2010 14:49:46 -0400
Subject: [VIM] Mambo 'com_a6mambohelpdesk' Component 'mosConfig_live_site' Remote File Include Vulnerability

SecurityFocus created BID 44057 today for one of the local file inclusion issues reported by jos_ali_joe as part of http://packetstormsecurity.org/1010-exploits/joomlamulti-rfi.txt . This seems to duplicate the issue reported by Dr. Jr7 back in 2006 and covered by CVE-2006-3930 / BID 19198 / OSVDB 27654.

Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Wed Oct 13 13:58:56 2010
From: rkeith at securityfocus.com (rkeith)
Date: Wed, 13 Oct 2010 12:58:56 -0600
Subject: [VIM] Mambo 'com_a6mambohelpdesk' Component 'mosConfig_live_site' Remote File Include Vulnerability
Message-ID: <4CB60170.8060506@securityfocus.com>

Hey George,

Quite right, we will retire 44057 shortly.

Thanks,
Rob
--
Rob Keith
Symantec

From theall at tenable.com Thu Oct 14 11:00:17 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 14 Oct 2010 12:00:17 -0400
Subject: [VIM] Bugtraq Ids 19233 vs 44071

Bugtraq Ids 19233 and 44071 seem to cover the same issue, apart from the fact that the discussions talk of Mambo versus Joomla!. Since the issue is in a third-party component that works in either CMS, shouldn't the issue be covered by just one BID?

Btw, I wouldn't be surprised if some of the other issues reported by jos_ali_joe as part of http://packetstormsecurity.org/1010-exploits/joomlamulti-rfi.txt are dups. Is anyone looking into them? Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Thu Oct 14 11:09:22 2010
From: rkeith at securityfocus.com (rkeith)
Date: Thu, 14 Oct 2010 10:09:22 -0600
Subject: [VIM] Bugtraq Ids 19233 vs 44071
Message-ID: <4CB72B32.5090802@securityfocus.com>

Hey George,

We'll look into that one, but most likely it is a duplicate. Some of the others are definitely duplicates. This is what we found in our initial search:

BID 19222
[+] Dork : inurl:index.php?option=?com_mambatstaff?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/components/com_mambatstaff/mambatstaff.php?mosConfig_absolute_path=[IndonesianCoder]

BID 19574
[+] Dork : inurl:index.php?option=?com_mambelfish?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/administrator/components/com_mambelfish/mambelfish.class.php?mosConfig_absolute_path=[IndonesianCoder]

BID 19502
[+] Dork : inurl:index.php?option=?com_mmp?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/administrator/components/com_mmp/help.mmp.php?mosConfig_absolute_path=[IndonesianCoder]

BID 19124
[+] Dork : inurl:index.php?option=?com_moodle?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/components/com_moodle/moodle.php?mosConfig_absolute_path=[IndonesianCoder]

BID 19122
[+] Dork : inurl:index.php?option=?com_mospray?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/components/com_mospray/scripts/admin.php?basedir=[IndonesianCoder]

BID 19138
[+] Dork : inurl:index.php?option=?com_pcchess?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/components/com_pcchess/include.pcchess.php?mosConfig_absolute_path=[IndonesianCoder]

BID 19505
[+] Dork : inurl:index.php?option=?com_peoplebook?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/administrator/components/com_peoplebook/param.peoplebook.php?mosConfig_absolute_path=[IndonesianCoder]

BID 18968
[+] Dork : inurl:index.php?option=?com_performs?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/components/com_performs/performs.php?mosConfig_absolute_path=[IndonesianCoder]

BID 19100
[+] Dork : inurl:index.php?option=?com_multibanners?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/administrator/components/com_multibanners/extadminmenus.class.php?mosConfig_absolute_path=[IndonesianCoder]

BID 23129
[+] Dork : inurl:index.php?option=?com_admin?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/components/com_simpleboard/file_upload.php?sbp=[IndonesianCoder]

BID 19492
[+] Dork : inurl:index.php?option=?com_webring?
---------------------------------------------------------------------------
[$] ExPLo!T : http://www.example.com/administrator/components/com_webring/admin.webring.docs.php?component_dir=[IndonesianCoder]

-Rob
From theall at tenable.com Thu Oct 14 19:25:40 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 14 Oct 2010 20:25:40 -0400
Subject: [VIM] Bugtraq Ids 19233 vs 44071
In-Reply-To: <4CB72B32.5090802@securityfocus.com>
References: <4CB72B32.5090802@securityfocus.com>
Message-ID: <025ACE5D-07C8-4CDA-AD29-951CBBE3D86B@tenable.com>

On Oct 14, 2010, at 12:09 PM, rkeith wrote:

> We'll look into that one, but most likely it is a duplicate. Some of
> the others are definitely duplicates.
> This is what we found in our initial search:

Add to your list:

- 44063, a duplicate of 19553 (Reporter component).
- 44065, a duplicate of 18924 (SMF Forum component)

As for 44060, that was reported back in 2006 and covered by OSVDB 32535. It also seems like it might be bogus; ie, http://archives.neohapsis.com/archives/bugtraq/2006-11/0139.html

It doesn't seem that SecurityFocus created a BID for that earlier report. Did your earlier research indicate it was indeed bogus? And has something changed this time?

George
--
theall at tenablesecurity.com

From theall at tenable.com Thu Oct 14 19:31:18 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 14 Oct 2010 20:31:18 -0400
Subject: [VIM] Wireshark ASN.1 BER Dissector DoS
Message-ID: <12E8A478-9F57-47E9-94C3-0F44C9FDAF82@tenable.com>

And while I have your attention, Rob, what are the differences between:

- BID 43197, which concerns a stack overflow / null pointer dereference in the ASN.1/BER dissector in Wireshark 1.4.0 discovered by penetration test team Of NCNIPC (China) (http://archives.neohapsis.com/archives/bugtraq/2010-09/0088.html)

- BID 43923, which corresponds to the wnpa-sec-2010-11 and wnpa-sec-2010-12 advisories.

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Fri Oct 15 11:34:16 2010
From: rkeith at securityfocus.com (rkeith)
Date: Fri, 15 Oct 2010 10:34:16 -0600
Subject: [VIM] Wireshark ASN.1 BER Dissector DoS
In-Reply-To: <12E8A478-9F57-47E9-94C3-0F44C9FDAF82@tenable.com>
References: <12E8A478-9F57-47E9-94C3-0F44C9FDAF82@tenable.com>
Message-ID: <4CB88288.9030201@securityfocus.com>

Hey George,

An oversight on our part not catching the relation. We will retire 43923 as a duplicate shortly.

Thanks again,
Rob
--
Rob Keith
Symantec

From rkeith at securityfocus.com Fri Oct 15 12:24:15 2010
From: rkeith at securityfocus.com (rkeith)
Date: Fri, 15 Oct 2010 11:24:15 -0600
Subject: [VIM] Bugtraq Ids 19233 vs 44071
In-Reply-To: <025ACE5D-07C8-4CDA-AD29-951CBBE3D86B@tenable.com>
References: <4CB72B32.5090802@securityfocus.com> <025ACE5D-07C8-4CDA-AD29-951CBBE3D86B@tenable.com>
Message-ID: <4CB88E3F.6080806@securityfocus.com>

Hey George,

Indeed, those will also be retired as duplicates. We will be retiring 44060 as a false report shortly as well.

Thanks,
Rob

From theall at tenable.com Thu Oct 21 20:28:13 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 21 Oct 2010 21:28:13 -0400
Subject: [VIM] 2FLY Gift Delivery System 'gameid' Parameter SQL Injection Vulnerability

Rob, isn't the newly-created BID 44312 a dup of 36044? Both seem to correspond to an issue reported by Securitylab.ir in August 2009:

http://packetstormsecurity.org/0908-exploits/discuz60-sql.txt

The only difference I see is that the newer entry truncates the PoC.

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Fri Oct 22 10:42:45 2010
From: rkeith at securityfocus.com (rkeith)
Date: Fri, 22 Oct 2010 09:42:45 -0600
Subject: [VIM] 2FLY Gift Delivery System 'gameid' Parameter SQL Injection Vulnerability
Message-ID: <4CC1B0F5.7000606@securityfocus.com>

Hey George,

Looks like, yep. We will retire the new one shortly.

Thanks,
Rob

From theall at tenable.com Sat Oct 23 19:47:06 2010
From: theall at tenable.com (George A. Theall)
Date: Sat, 23 Oct 2010 20:47:06 -0400
Subject: [VIM] phpfreeBB Multiple SQL Injection Vulnerabilities
Message-ID: <93DE7A77-1060-4288-9DE1-F08761309F0E@tenable.com>

SecurityFocus created Bugtraq 44272 recently to cover SQL injection vulnerabilities reported by Moudi in August 2009: http://packetstormsecurity.org/0908-exploits/phpfreebb-sql.txt .

Reportedly 'index.php' and 'permalink.php' are the two files affected. Yet if you grab a copy of the software (eg, http://switch.dl.sourceforge.net/project/phpfreebb/phpfreebb/1.0/bb.zip) and look inside, neither file exists. This may be simply a cut-and-paste mistake on Moudi's part, but the issue definitely is not in phpfreeBB.

George
--
theall at tenablesecurity.com

From theall at tenable.com Sun Oct 24 21:30:35 2010
From: theall at tenable.com (George A. Theall)
Date: Sun, 24 Oct 2010 22:30:35 -0400
Subject: [VIM] Amlib Library Management System 'webquery.dll' Stack Buffer Overflow Vulnerability

Bugtraq ids 42152 and 42293... are there any differences between them, Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Mon Oct 25 11:19:21 2010
From: rkeith at securityfocus.com (rkeith)
Date: Mon, 25 Oct 2010 10:19:21 -0600
Subject: [VIM] Amlib Library Management System 'webquery.dll' Stack Buffer Overflow Vulnerability
Message-ID: <4CC5AE09.5050004@securityfocus.com>

Hey George,

There are some subtle differences in what is affected; however, they both appear to be based on the same exploit. We'll retire 42293 shortly as a duplicate.

Rob

From theall at tenable.com Mon Oct 25 14:31:35 2010
From: theall at tenable.com (George A. Theall)
Date: Mon, 25 Oct 2010 15:31:35 -0400
Subject: [VIM] Zoki Catalog 'search' Form SQL Injection Vulnerability
Message-ID: <1394CBF0-7E13-488B-85E2-446DEAACD72B@tenable.com>

Bugtraq ids 44137 and 44398 were both created in the past week and seem to cover the issue reported in June 2009:

http://www.securityfocus.com/archive/1/504311

Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Mon Oct 25 14:52:06 2010
From: rkeith at securityfocus.com (rkeith)
Date: Mon, 25 Oct 2010 13:52:06 -0600
Subject: [VIM] Zoki Catalog 'search' Form SQL Injection Vulnerability
In-Reply-To: <1394CBF0-7E13-488B-85E2-446DEAACD72B@tenable.com>
References: <1394CBF0-7E13-488B-85E2-446DEAACD72B@tenable.com>
Message-ID: <4CC5DFE6.7000703@securityfocus.com>

Quite right, BID 44398 is being retired.

-Rob

From theall at tenable.com Wed Oct 27 08:11:55 2010
From: theall at tenable.com (George A. Theall)
Date: Wed, 27 Oct 2010 09:11:55 -0400
Subject: [VIM] Joomla! Projects 'com_projects' Component SQL Injection and Local File Include Vulnerabilities
Message-ID: <65489B50-14C3-4252-AFF6-12C6A143AB43@tenable.com>

So BID 44456 covers a couple of issues reported by jos_ali_joe, presumably from the blog post at . SecurityFocus says one of the issues is a local file inclusion involving the 'tabla' parameter to the 'agregar_info.php' script, and indeed jos_ali_joe includes that. The PoC, though, appears to be taken nearly verbatim from JosS' advisory about GradMan from 2008 -- http://www.securityfocus.com/archive/1/486444 -- and appears in a section of the blog post that starts:

[+] Exploit: LFI
= = = = = = = = = = = = ========================================================================
http://localhost/index.php?option=com_projects&controller=[ LFI ]
= = = = = = = = = = = = ========================================================================

I'm not clear if this is a cut-and-paste error or there are two separate issues at play. It might help if I could find the supposedly affected component, but I failed to turn up any info about it, including from CodeGravity's web site.

Has anyone else looked into this yet?

George
--
theall at tenablesecurity.com