From jericho at attrition.org Wed Jun 6 18:55:51 2012
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 6 Jun 2012 18:55:51 -0500 (CDT)
Subject: [VIM] wrong reference in DSA-2482-1

http://www.debian.org/security/2012/dsa-2482

  Security database references:
  In the Debian bugtracking system: Bug 664032.
  In Mitre's CVE dictionary: CVE-2012-2653.

Bug 664032 seems appropriate, however the CVE seems incorrect. The bug report uses CVE-2012-1177. Further, 2012-2653 appears to be an issue in arpwatch:

http://security-tracker.debian.org/tracker/CVE-2012-2653
http://security-tracker.debian.org/tracker/CVE-2012-1177


From corsac at debian.org Thu Jun 7 03:03:48 2012
From: corsac at debian.org (Yves-Alexis Perez)
Date: Thu, 07 Jun 2012 10:03:48 +0200
Subject: [VIM] wrong reference in DSA-2482-1

On mer., 2012-06-06 at 18:55 -0500, security curmudgeon wrote:
> http://www.debian.org/security/2012/dsa-2482
>
>   Security database references:
>   In the Debian bugtracking system: Bug 664032.
>   In Mitre's CVE dictionary: CVE-2012-2653.
>
> Bug 664032 seems appropriate, however the CVE seems incorrect. The bug
> report uses CVE-2012-1177. Further, 2012-2653 appears to be an issue in
> arpwatch:
>
> http://security-tracker.debian.org/tracker/CVE-2012-2653
> http://security-tracker.debian.org/tracker/CVE-2012-1177

Thanks for reporting. The information in the tracker is correct, the DSA mail had a problem. I'm CC:ing www people so they can fix the problem on the website.

Regards,
--
Yves-Alexis


From spaillard at debian.org Thu Jun 7 14:52:14 2012
From: spaillard at debian.org (Simon Paillard)
Date: Thu, 7 Jun 2012 21:52:14 +0200
Subject: [VIM] wrong reference in DSA-2482-1

Hi,

On Thu, Jun 07, 2012 at 10:03:48AM +0200, Yves-Alexis Perez wrote:
> On mer., 2012-06-06 at 18:55 -0500, security curmudgeon wrote:
> > http://www.debian.org/security/2012/dsa-2482
> >
> >   Security database references:
> >   In the Debian bugtracking system: Bug 664032.
> >   In Mitre's CVE dictionary: CVE-2012-2653.
> >
> > Bug 664032 seems appropriate, however the CVE seems incorrect. The bug
> > report uses CVE-2012-1177. Further, 2012-2653 appears to be an issue in
> > arpwatch:
> >
> > http://security-tracker.debian.org/tracker/CVE-2012-2653
> > http://security-tracker.debian.org/tracker/CVE-2012-1177
>
> The information in the tracker is correct, the DSA mail had a problem.
> I'm CC:ing www people so they can fix the problem on the website.

Fixed by taffit some hours ago.

--
Simon Paillard


From daniel at opensecurityfoundation.org Fri Jun 8 12:34:01 2012
From: daniel at opensecurityfoundation.org (Daniel Moeller)
Date: Fri, 8 Jun 2012 11:34:01 -0600
Subject: [VIM] Question regarding ZDI-12-017's CVE

Does http://www.zerodayinitiative.com/advisories/ZDI-12-017/ have an associated CVE now? I'm having some trouble associating it with the entries Oracle lists with enough confidence.

Thanks for your help,
Daniel
OSVDB.org
From zdi-disclosures at tippingpoint.com Mon Jun 11 13:52:18 2012
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 11 Jun 2012 19:52:18 +0100
Subject: [VIM] Question regarding ZDI-12-017's CVE

Hello,

Oracle does not always provide us with the associated CVE #. We have not received one for this case.

Thank you,
The ZDI Team

From: Daniel Moeller [mailto:daniel at opensecurityfoundation.org]
Sent: Friday, June 08, 2012 12:34 PM
To: ZDI Disclosures
Cc: vim at attrition.org
Subject: Question regarding ZDI-12-017's CVE

> Does http://www.zerodayinitiative.com/advisories/ZDI-12-017/ have an
> associated CVE now? I'm having some trouble associating it with the
> entries Oracle lists with enough confidence.


From jericho at attrition.org Mon Jun 11 13:55:49 2012
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 11 Jun 2012 13:55:49 -0500 (CDT)
Subject: [VIM] Question regarding ZDI-12-017's CVE

On Mon, 11 Jun 2012, ZDI Disclosures wrote:

: Oracle does not always provide us with the associated CVE #. We have not
: received one for this case.

According to the main guy who coordinates their advisories, if the researcher asks for the CVE association, Oracle will give it. However, if a third party asks for it, they will not divulge the CVE association. Ridiculous policy, and I have challenged them on it many times, but it prevents us from finding out.

Any chance you could ask them? Thanks!


From zdi-disclosures at tippingpoint.com Mon Jun 11 14:06:46 2012
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 11 Jun 2012 20:06:46 +0100
Subject: [VIM] Question regarding ZDI-12-017's CVE

Thank you for the insight. I did not know this.

I had just pinged Oracle for CVE's related to tomorrow's patches they are releasing. I will go ahead and ask for this one as well. Any others that ZDI was a part of that you'd like Oracle CVE's for?

Regards,
The ZDI Team


From theall at tenable.com Mon Jun 11 16:42:16 2012
From: theall at tenable.com (George A. Theall)
Date: Mon, 11 Jun 2012 17:42:16 -0400
Subject: [VIM] Oracle MySQL CVE-2012-2122 User Login Security Bypass Vulnerability

Can someone explain what the differences are between BIDs 53911 and 53922, both of which were created today for CVE-2012-2122? Rob?

George
--
theall at tenablesecurity.com


From jericho at attrition.org Mon Jun 11 18:34:34 2012
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 11 Jun 2012 18:34:34 -0500 (CDT)
Subject: [VIM] Question regarding ZDI-12-017's CVE

: Thank you for the insight. I did not know this.
:
: I had just pinged Oracle for CVE's related to tomorrow's patches they
: are releasing. I will go ahead and ask for this one as well. Any others
: that ZDI was a part of that you'd like Oracle CVE's for?

I don't think so at this time, but this comes up every patch cycle (just not specific to ZDI). We appreciate you and other researchers asking for the association. To this date, we still have 3rd party advisories on Oracle that we cannot associate with a CVE, some going back as far as 2007 if memory serves.
From venkat_kantha at securityfocus.com Tue Jun 12 11:49:54 2012
From: venkat_kantha at securityfocus.com (venkat)
Date: Tue, 12 Jun 2012 22:19:54 +0530
Subject: [VIM] Oracle MySQL CVE-2012-2122 User Login Security Bypass Vulnerability

Hey, an error on our part, the duplicate has been removed.

Thanks,
Venkat

On 12/06/12 03:12, George A. Theall wrote:
> Can someone explain what the differences are between BIDs 53911 and 53922,
> both of which were created today for CVE-2012-2122? Rob?
>
> George


From zdi-disclosures at tippingpoint.com Mon Jun 18 10:59:03 2012
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 18 Jun 2012 15:59:03 +0000
Subject: [VIM] Question regarding ZDI-12-017's CVE

Hello,

I have sent an additional request to Oracle as I note we have 9 published advisories without CVE#s from them. I hope they will respond in a timely manner and I will forward on the CVEs as soon as I receive them.

Thank you,
The ZDI Team


From jericho at attrition.org Tue Jun 19 03:26:48 2012
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 19 Jun 2012 03:26:48 -0500 (CDT)
Subject: [VIM] Bugtraq ID# 53694 is invalid/fake (fwd)

Posting here for public archiving.

---------- Forwarded message ----------
From: BabyGekko Support
To: l3br1z
Cc: bugtraq at securityfocus.com, bugtraq2 at securityfocus.com, OSVDB Moderators
Date: Sun, 17 Jun 2012 18:06:29 -0600
Subject: Re: [OSVDB Mods] Bugtraq ID# 53694 is invalid/fake

Hello l3br1z,

I'm not mad. What I'm saying is you need to understand the function and what it does before jumping to conclusions. My forum is always open (and you are more than welcome to publish whatever finding you have). Again, take a look at the TinyMCE compressor as an example.

I have taken a look at your past exploits, and while some XSS that you've published are correct, many of your conclusions about remote file uploads were incorrect. Verifying your result with the vendor is important because the result isn't always correct. Running a source code analyzer and publishing it without verification isn't going to make you "31337".
It also reduces your credibility and people will be less likely to trust your result. When you're really good at what you do, you can actually make money from it instead of just running around and publishing arbitrary results of whatever a source code analyzer gives you. Source code analyzers are a dime a dozen. I'd say pick up some books about CS in general, learn data structures, then you'll be a good security researcher who gets paid a lot of money in the future.

Best regards and good luck in all your future endeavours.

On 2012-06-16, at 6:36 AM, l3br1z wrote:

> Hello Man :D
>
> Ok Bro
>
> I will provide a Proof Of Concept Soon :D
>
> And I Will test your version on iis :D
>
> rg
>
> And If I Made You Mad, I'm sorry :(
>
> I'm From Lebanon
>
> My English Is not good :P
>
> On Fri, Jun 15, 2012 at 6:51 PM, BabyGekko Support wrote:
>
>> Hello l3br1z,
>>
>> The function is designed to load the js.gz in the /js directory. Also - one more thing - you need to take a look at http://www.tinymce.com/wiki.php/Compressors:PHP
>>
>> Mine works in a similar fashion.
>>
>> 1) You did not provide a proof of concept. Please provide a proof of concept - you can test http://gekkocms.babygekko.com
>> 2) Unlike real researchers who contacted me about other issues (and I respectfully published their research), they either contacted me via the public forum or they emailed me. You did not show any respect for a software author, and you also did not provide a proof of concept. You need to learn how to read source code.
>>
>> I have no other file or "somefile.php" with cmd as a parameter. Please provide a proof of concept via http://gekkocms.babygekko.com if you can read outside of the /js directory. The function is designed to load anything with the .js.gz extension. I don't have any file that has another readfile function. You're more than welcome to test the IIS version of babygekko CMS as well: http://www.microsoft.com/web/gallery/babygekko.aspx
>>
>>> http://localhost/somefile.php?cmd=./somefile.php
>>
>> http://www.securityfocus.com/archive/1/description#0.1.8
>>
>>   What is the proper protocol to report a security vulnerability?
>>   A sensible protocol to follow while reporting a security vulnerability is as follows:
>>
>>   - Contact the product's vendor or maintainer and give them a one week period to respond. If they don't respond post to the list.
>>   - If you do hear from the vendor give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product. It's up to you to make an estimate. If they don't respond in time post to the list.
>>   - If they contact you asking for more time consider extending the deadline in good faith. If they continually fail to meet the deadline post to the list.
>>
>>   When is it advisable to post to the list without contacting the vendor?
>>   - When the product is no longer actively supported.
>>   - When you believe the vulnerability to be actively exploited and not informing the community as soon as possible would cause more harm than good.
>>
>> I have no fix to be released because this isn't a vulnerability. It does what it's supposed to do and it won't load other files outside of that directory. Good luck with your study of source code analyzers :)
>>
>> On 2012-06-15, at 1:58 PM, l3br1z wrote:
>>
>>> Hello
>>>
>>> I'm l3br1'z
>>>
>>> man look at your code here
>>>
>>>     $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
>>>     $etag = sprintf('bbgk%u', crc32($filename));
>>>     header("Content-type: text/javascript; charset: UTF-8");
>>>     if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH']))
>>>     {
>>>         if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag)
>>>         {
>>>             header('HTTP/1.1 304 Not Modified');
>>>             exit();
>>>         }
>>>     } else if (file_exists(SITE_PATH.'/js/'.$filename.'.js.gz'))
>>>     {
>>>         header("Vary: Accept-Encoding");
>>>         header("Cache-Control: public, max-age=".(144000 * 24));
>>>         header("Pragma: public");
>>>         header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
>>>         header("Content-Encoding: gzip");
>>>         header("ETag: \"{$etag}\"");
>>>         readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>>>     } else
>>>     {
>>>         echo ("alert('{$filename} could not be loaded');");
>>>     }
>>>     ?>
>>>
>>>     $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); //
>>>
>>> we have GET Js
>>>
>>> Well Lets See Below This Code :D
>>>
>>>     readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>>>     if (file_exists(SITE_PATH.'/js/'.$filename.'.js.gz'))
>>>
>>> we have 2 dangerous funcs here :D
>>>
>>> 1st 1 is readfile
>>>
>>> E.g ( readfile($_GET['cmd']); )
>>>
>>> Will be
>>>
>>> http://localhost/somefile.php?cmd=./somefile.php
>>>
>>> will read this code easily :D
>>>
>>> and the func file_exists
>>>
>>> file_exists like show_source if you know security Parameter :D
>>>
>>> And look at this :
>>>
>>>     header("Vary: Accept-Encoding");
>>>     header("Cache-Control: public, max-age=".(144000 * 24));
>>>     header("Pragma: public");
>>>     header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
>>>     header("Content-Encoding: gzip");
>>>     header("ETag: \"{$etag}\"");
>>>     readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>>>
>>> will download the file as .js.gz
>>>
>>> http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
>>> http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php
>>>
>>> your p0c here does not work :D
>>>
>>> cz we have
>>>
>>>     readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>>>
>>> js.gz
>>>
>>> the url will not download the file
>>>
>>> cz we don't have a file named
>>>
>>> config.inc.php.js.gz
>>>
>>> :D
>>>
>>> we will use the p0c from cmd :D
>>>
>>> rg
>>>
>>> Take Some Lessons Man :)
>>>
>>> On Thu, Jun 14, 2012 at 11:57 AM, Information Booth wrote:
>>>
>>>> This is in regards to:
>>>>
>>>> http://www.securityfocus.com/bid/53694
>>>>
>>>> This is an uncoordinated release, the author did not make any attempt to notify us either by email or the public forum. The non-working exploit seems to have been copied and pasted from the RIPS source code analyzer and the author didn't even bother to test or understand the code. A real hacker can read source code, not run a RIPS source code analyzer and publish the finding without due diligence.
>>>>
>>>> This is the result:
>>>> Try : alert('..config.inc.php could not be loaded');
>>>>
>>>> 1) The "/" or %2F won't be accepted.
>>>>        $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
>>>> 2) It will only read a js.gz file (I see attempts to load /etc/passwd but that doesn't make sense - I don't think he knows/understands how to read source code) - readfile(SITE_PATH.'/js/'.$filename.'.js.gz'); The bad chars will be stripped anyway ...
>>>> 3) Test:
>>>>    http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
>>>>    http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php
>>>>
>>>> The js_gzip.php was included as of v1.1.5a
>>>>
>>>> Also older versions on my website:
>>>>
>>>> http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.4.zip
>>>> http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
>>>> http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5c.zip
>>>>
>>>> I am fine with people publishing vulnerabilities to make code more secure. What I'm unhappy about is how some wannabe script kiddiot can just download source code analyzers/scanners and publish things WITHOUT any prior test and WITHOUT contacting vendors. I have had people publish their findings in my forum and I'm fine with that. But not when they don't at least test or contact me and it later turns out to be a false alarm.
>>>>
>>>> Here's a copy & paste from v1.1.5a (old version - the same)
>>>> /js/js_gzip.php
>>>>
>>>>     <?php
>>>>     //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
>>>>     // Baby Gekko content management system - Copyright (C) Baby Gekko.
>>>>     // This is a SHARED SOURCE, NOT OPEN SOURCE (GPL).
>>>>     // You may use this software commercially, but you are not allowed to
>>>>     // create a fork or create a derivative of this software
>>>>     // Please read the license for details
>>>>     //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
>>>>     include ('../config.inc.php');
>>>>     error_reporting(0);
>>>>
>>>>     $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
>>>>     $etag = sprintf('bbgk%u', crc32($filename));
>>>>     header("Content-type: text/javascript; charset: UTF-8");
>>>>     if (isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH']))
>>>>     {
>>>>         if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag)
>>>>         {
>>>>             header('HTTP/1.1 304 Not Modified');
>>>>             exit();
>>>>         }
>>>>     } else if (file_exists(SITE_PATH.'/js/'.$filename.'.js.gz'))
>>>>     {
>>>>         header("Vary: Accept-Encoding");
>>>>         header("Cache-Control: public, max-age=".(144000 * 24));
>>>>         header("Pragma: public");
>>>>         header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
>>>>         header("Content-Encoding: gzip");
>>>>         header("ETag: \"{$etag}\"");
>>>>         readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>>>>     } else
>>>>     {
>>>>         echo ("alert('{$filename} could not be loaded');");
>>>>     }
>>>>     ?>
>>>
>>> --
>>> Proud To Be Lebanese :D
>>>
>>> I Will Miss You My Friends : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The Injector, N4ss1m, Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The Viper, Th3 Killer Dz, Over-X <3, And All My Friends.
>>>
>>> Sec4ever.com.
>
> --
> Proud To Be Lebanese :D
>
> I Will Miss You My Friends : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The Injector, N4ss1m, Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The Viper, Th3 Killer Dz, Over-X <3, And All My Friends.
>
> Sec4ever.com.
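The whole dispute above turns on one line: preg_replace("/[^a-z._\d]/i", "", $_GET['js']) followed by a fixed directory prefix and a fixed ".js.gz" suffix. The following is an added example, not BabyGekko's code and not anything either party posted: a Python model of that filter and path concatenation, so the two proof-of-concept URLs from the thread can be replayed against it offline, alongside a few traversal variants the thread does not try (URL-encoded and double-encoded slashes, a backslash for the IIS build, a null byte aimed at the ".js.gz" suffix) and a check that the fallback alert(...) echo cannot carry script-breaking characters. SITE_PATH, the helper names and the payload list are assumptions constructed for the example.

```python
import posixpath
import re
from urllib.parse import unquote_plus

# Added example, not BabyGekko's code: a model of the filter in js_gzip.php as
# quoted in the thread. SITE_PATH is an assumed install root, not from the page.
SITE_PATH = "/var/www/gekko"
JS_DIR = posixpath.join(SITE_PATH, "js")

# preg_replace("/[^a-z._\d]/i", "", $_GET['js']) runs without the /u modifier,
# so \d means ASCII digits only; re.ASCII makes Python's \d behave the same way.
_DISALLOWED = re.compile(r"[^a-z._\d]", re.IGNORECASE | re.ASCII)


def decode_query(raw: str) -> str:
    """What $_GET['js'] holds: PHP percent-decodes the query value exactly once."""
    return unquote_plus(raw)


def sanitize(js_param: str) -> str:
    """Mirror of the PHP filter: drop every character outside [a-z._0-9]."""
    return _DISALLOWED.sub("", js_param)


def resolve(js_param: str, apply_filter: bool = True) -> str:
    """Path handed to readfile(): SITE_PATH . '/js/' . $filename . '.js.gz'.

    apply_filter=False shows what the same concatenation would do without
    the preg_replace, so the check below is known to detect a real escape.
    """
    name = sanitize(js_param) if apply_filter else js_param
    return posixpath.normpath(posixpath.join(JS_DIR, name + ".js.gz"))


def escapes_js_dir(js_param: str, apply_filter: bool = True) -> bool:
    """True if the resolved path lands anywhere outside SITE_PATH/js/."""
    resolved = resolve(js_param, apply_filter)
    return posixpath.commonpath([JS_DIR, resolved]) != JS_DIR


def error_script(js_param: str) -> str:
    """The fallback branch: echo ("alert('{$filename} could not be loaded');")."""
    return f"alert('{sanitize(js_param)} could not be loaded');"


# Constructed traversal corpus: raw query values, as they appear in the URL.
PAYLOADS = [
    "../config.inc.php",             # the PoC behind BID 53694
    "..%2Fconfig.inc.php",           # same, with an encoded slash
    "..%252F..%252Fetc%252Fpasswd",  # double encoding: the '%' itself is stripped
    "....//....//etc/passwd",        # evasion pattern for strip-"../"-once filters
    "..\\..\\config.inc.php",        # backslashes, relevant to the IIS build
    "%2e%2e%2fetc%2fpasswd%00",      # null byte meant to cut off the '.js.gz' suffix
    "jquery.min",                    # a legitimate request
]


def audit(payloads=PAYLOADS) -> dict:
    """Map each raw payload to (filtered name, escapes with filter, escapes without)."""
    report = {}
    for raw in payloads:
        decoded = decode_query(raw)
        report[raw] = (
            sanitize(decoded),
            escapes_js_dir(decoded, apply_filter=True),
            escapes_js_dir(decoded, apply_filter=False),
        )
    return report


if __name__ == "__main__":
    for raw, (name, with_filter, without_filter) in audit().items():
        print(f"{raw!r:34} -> {name!r:22} escape(filtered)={with_filter!s:5} "
              f"escape(unfiltered)={without_filter}")
```

Running it shows the "../" payloads escaping the directory only in the unfiltered column; after the character whitelist nothing can contain a separator, the appended suffix stops the final component from ever being "." or "..", and the alert() fallback only ever reflects characters from the same whitelist. The model says nothing about any other script in the product, which is where l3br1z's hypothetical readfile($_GET['cmd']) would have to live; it only confirms the vendor's reading of this one.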
From coley at rcf-smtp.mitre.org Wed Jun 20 09:22:22 2012
From: coley at rcf-smtp.mitre.org (Steven M. Christey)
Date: Wed, 20 Jun 2012 10:22:22 -0400 (EDT)
Subject: [VIM] OpenSUSE Hermes links

I'm finding that many hermes.opensuse.org links seem to return blank content. Looks like opensuse.org "retires" these links after a short period of time? Is anybody else encountering this?

- Steve


From che at secunia.com Thu Jun 21 01:37:09 2012
From: che at secunia.com (Carsten Eiram)
Date: Thu, 21 Jun 2012 06:37:09 +0000
Subject: [VIM] OpenSUSE Hermes links

We've noticed the same thing for a longer period of time and have now stopped including hermes links whenever we can find other references, which we consider "stable".

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist

Follow us on twitter
http://twitter.com/secunia
http://twitter.com/carsteneiram

Secunia
Mikado House
Rued Langgaards Vej 8
2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145


From jericho at attrition.org Thu Jun 21 13:56:48 2012
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 21 Jun 2012 13:56:48 -0500 (CDT)
Subject: [VIM] Question regarding ZDI-12-017's CVE

: I have sent an additional request to Oracle as I note we have 9
: published advisories without CVE#s from them. I hope they will respond
: in a timely manner and I will forward on the CVEs as soon as I receive
: them

Excellent!

Given how many advisories you guys release, may be worth your time to inquire with CVE about becoming a CNA. If you could assign a CVE at the time of research and include it when contacting the vendor, it would be very helpful for all parties.

I mention this because I ran into a big group of advisories (~ Feb, 2011) that did not have them. The common theme was that each issue was being published after 180 days of no patch, as per your policy.


From zdi-disclosures at tippingpoint.com Thu Jun 21 14:52:43 2012
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Thu, 21 Jun 2012 19:52:43 +0000
Subject: [VIM] Question regarding ZDI-12-017's CVE

Hello,

Great idea. We are always looking for ways to improve our program. This certainly makes sense to explore as it would be most helpful to all parties involved.

Your timing is impeccable. I just received the response from Oracle with the missing CVEs. We will update the website with these as well but that will take some time. Until then, I have included them below for your records as well.

Let me know if you need any additional CVEs from our disclosures.

Regards,
The ZDI Team

ORACLE CVE's

> ZDI-12-083; ZDI-12-082; ZDI-12-081
> No CVE. Blacklisted binaries signed by Sun
>
> ZDI-12-074 --> CVE-2012-1709
> ZDI-12-073 --> CVE-2012-1710
>
> ZDI-12-039 --> CVE-2012-0500
> ZDI-12-038 --> CVE-2012-0508
> ZDI-12-037 --> CVE-2012-0500
> ZDI-12-032 --> CVE-2012-0498
> ZDI-12-017 --> CVE-2012-0110


From jericho at attrition.org Thu Jun 21 14:57:37 2012
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 21 Jun 2012 14:57:37 -0500 (CDT)
Subject: [VIM] Question regarding ZDI-12-017's CVE

: Your timing is impeccable. I just received the response from Oracle with
: the missing CVEs. We will update the website with these as well but
: that will take some time. Until then, I have included them below for
: your records as well.

I will make sure we have them matched up on OSVDB this evening.

: Let me know if you need any additional CVEs from our disclosures.

Thanks!


From jericho at attrition.org Fri Jun 22 18:56:54 2012
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 22 Jun 2012 18:56:54 -0500 (CDT)
Subject: [VIM] A few more CVE questions

http://www.zerodayinitiative.com/advisories/ZDI-12-081/
http://www.zerodayinitiative.com/advisories/ZDI-12-082/
http://www.zerodayinitiative.com/advisories/ZDI-12-083/

Thanks!


From zdi-disclosures at tippingpoint.com Mon Jun 25 13:36:05 2012
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Mon, 25 Jun 2012 18:36:05 +0000
Subject: [VIM] A few more CVE questions

Hello,

We had included these in the previous email but they were easily missed. These three were not assigned CVEs as the binaries were signed by Sun prior to acquisition so Oracle has "blacklisted" them.

> ZDI-12-083; ZDI-12-082; ZDI-12-081
> No CVE. Blacklisted binaries signed by Sun

Let us know if you have additional questions.

Regards,
The ZDI Team