From gtheall at tenable.com Fri Aug 2 15:35:41 2013
From: gtheall at tenable.com (George Theall)
Date: Fri, 2 Aug 2013 20:35:41 +0000
Subject: [VIM] WordPress Better WP Security Plugin HTML Injection Vulnerability
Message-ID:

Narayan / Venkat / Rob : what difference is there between BIDs 61562 and 61518? Both credit Richard Warren and involve an XSS vulnerability addressed in Better WP Security 3.5.4. The plugin's change log (http://www.wordpress.org/plugins/better-wp-security/changelog/) only lists one XSS issue:

  * Fixed an XSS vulnerability in the logevent function. Fix by Richard Warren

George
--
theall at tenable.com


From henri at nerv.fi Sat Aug 3 20:56:23 2013
From: henri at nerv.fi (Henri Salo)
Date: Sun, 4 Aug 2013 04:56:23 +0300
Subject: [VIM] WordPress Better WP Security Plugin HTML Injection Vulnerability
In-Reply-To:
References:
Message-ID: <20130804015623.GB18750@kludge.henri.nerv.fi>

On Fri, Aug 02, 2013 at 08:35:41PM +0000, George Theall wrote:
> Narayan / Venkat / Rob : what difference is there between BIDs 61562 and 61518? Both credit Richard Warren and involve an XSS vulnerability addressed in Better WP Security 3.5.4. The plugin's change log (http://www.wordpress.org/plugins/better-wp-security/changelog/) only lists one XSS issue:
>
>   * Fixed an XSS vulnerability in the logevent function. Fix by Richard Warren
>
> George
> --
> theall at tenable.com

I can do diffing for commits if needed. Does this already have a CVE identifier? There are at least these issues:

http://osvdb.org/84737
http://osvdb.org/84738
http://osvdb.org/95884

---
Henri Salo


From gtheall at tenable.com Wed Aug 14 12:51:31 2013
From: gtheall at tenable.com (George Theall)
Date: Wed, 14 Aug 2013 17:51:31 +0000
Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
Message-ID: <52FDF4BE-559A-49C9-9FC7-713A333EB2F2@tenable.com>

Narayan / Venkat / Rob : Why does the newly issued BID 61763 reference CVE-2013-2111? According to http://www.openwall.com/lists/oss-security/2013/05/24/1, that CVE was assigned for the APPEND parameter DoS fixed in Dovecot 2.2.2 and is referenced already in BID 60052.

Also, is this new BID even for an issue that's a vulnerability? See, for example, http://www.openwall.com/lists/oss-security/2013/08/14/6.

George
--
theall at tenable.com


From Dinesh_Theerthagiri at symantec.com Wed Aug 14 13:25:18 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Wed, 14 Aug 2013 11:25:18 -0700
Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
In-Reply-To: <52FDF4BE-559A-49C9-9FC7-713A333EB2F2@tenable.com>
References: <52FDF4BE-559A-49C9-9FC7-713A333EB2F2@tenable.com>
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B57451B2C61B6@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hey,

You are right, BID 61763 has a wrong CVE number (CVE-2013-2111). We have now corrected it by removing the CVE number.

We consider the 'LIST' command issue a DoS vulnerability because of the reference below:
http://www.dovecot.org/list/dovecot-news/2013-August/000261.html

Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: 14 August 2013 23:22
To: Vulnerability Information Managers
Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability

Narayan / Venkat / Rob : Why does the newly issued BID 61763 reference CVE-2013-2111? According to http://www.openwall.com/lists/oss-security/2013/05/24/1, that CVE was assigned for the APPEND parameter DoS fixed in Dovecot 2.2.2 and is referenced already in BID 60052.

Also, is this new BID even for an issue that's a vulnerability? See, for example, http://www.openwall.com/lists/oss-security/2013/08/14/6.

George
--
theall at tenable.com


From gtheall at tenable.com Wed Aug 14 14:47:38 2013
From: gtheall at tenable.com (George Theall)
Date: Wed, 14 Aug 2013 19:47:38 +0000
Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
In-Reply-To: <86E9E90EE35E9041B100B9ED1D5C8B57451B2C61B6@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <52FDF4BE-559A-49C9-9FC7-713A333EB2F2@tenable.com> <86E9E90EE35E9041B100B9ED1D5C8B57451B2C61B6@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID: <090DC720-AA9F-4A93-8D6F-FB38C585A90F@tenable.com>

On Aug 14, 2013, at 2:25 PM, Dinesh Theerthagiri wrote:

> Hey,
>
> You are right, BID 61763 has a wrong CVE number (CVE-2013-2111). We have now corrected it by removing the CVE number.

Thanks

> We consider the 'LIST' command issue a DoS vulnerability because of the reference below:
> http://www.dovecot.org/list/dovecot-news/2013-August/000261.html

Unfortunately, that doesn't provide details about what exactly is crashing. According to http://www.openwall.com/lists/oss-security/2013/08/14/6, an attacker can only cause his own session to crash (at least unless Dovecot was configured in a non-recommended way). So how is that a vulnerability?

>
> Thanks,
> T.Dinesh
>
> -----Original Message-----
> From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
> Sent: 14 August 2013 23:22
> To: Vulnerability Information Managers
> Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
>
> Narayan / Venkat / Rob : Why does the newly issued BID 61763 reference CVE-2013-2111? According to http://www.openwall.com/lists/oss-security/2013/05/24/1, that CVE was assigned for the APPEND parameter DoS fixed in Dovecot 2.2.2 and is referenced already in BID 60052.
>
> Also, is this new BID even for an issue that's a vulnerability? See, for example, http://www.openwall.com/lists/oss-security/2013/08/14/6.
>
> George
> --
> theall at tenable.com
>

George
--
theall at tenable.com


From henri at nerv.fi Thu Aug 15 00:16:02 2013
From: henri at nerv.fi (Henri Salo)
Date: Thu, 15 Aug 2013 08:16:02 +0300
Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
In-Reply-To: <86E9E90EE35E9041B100B9ED1D5C8B57451B2C61B6@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <52FDF4BE-559A-49C9-9FC7-713A333EB2F2@tenable.com> <86E9E90EE35E9041B100B9ED1D5C8B57451B2C61B6@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID: <20130815051602.GE25986@kludge.henri.nerv.fi>

On Wed, Aug 14, 2013 at 11:25:18AM -0700, Dinesh Theerthagiri wrote:
> You are right, BID 61763 has a wrong CVE number (CVE-2013-2111). We have now corrected it by removing the CVE number.
>
> We consider the 'LIST' command issue a DoS vulnerability because of the reference below:
> http://www.dovecot.org/list/dovecot-news/2013-August/000261.html
>
> Thanks,
> T.Dinesh

Please see Timo's reply in oss-security: http://openwall.com/lists/oss-security/2013/08/14/6

I don't think this requires a CVE or other security vulnerability handling.

---
Henri Salo


From Dinesh_Theerthagiri at symantec.com Thu Aug 15 04:13:55 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Thu, 15 Aug 2013 02:13:55 -0700
Subject: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability
In-Reply-To: <20130815051602.GE25986@kludge.henri.nerv.fi>
References: <52FDF4BE-559A-49C9-9FC7-713A333EB2F2@tenable.com> <86E9E90EE35E9041B100B9ED1D5C8B57451B2C61B6@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM> <20130815051602.GE25986@kludge.henri.nerv.fi>
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B57451B2C634C@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Henri and George,

We looked at Timo's reply (http://openwall.com/lists/oss-security/2013/08/14/6); it doesn't have a security impact. On this confirmation we have retired BID 61763. Thanks to Henri and George for correcting us.

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of Henri Salo
Sent: 15 August 2013 10:46
To: Vulnerability Information Managers
Subject: Re: [VIM] Dovecot 'LIST' Command Denial of Service Vulnerability

On Wed, Aug 14, 2013 at 11:25:18AM -0700, Dinesh Theerthagiri wrote:
> You are right, BID 61763 has a wrong CVE number (CVE-2013-2111). We have now corrected it by removing the CVE number.
>
> We consider the 'LIST' command issue a DoS vulnerability because of the reference below:
> http://www.dovecot.org/list/dovecot-news/2013-August/000261.html
>
> Thanks,
> T.Dinesh

Please see Timo's reply in oss-security: http://openwall.com/lists/oss-security/2013/08/14/6

I don't think this requires a CVE or other security vulnerability handling.

---
Henri Salo


From jericho at attrition.org Thu Aug 15 16:01:33 2013
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 15 Aug 2013 16:01:33 -0500 (CDT)
Subject: [VIM] ZDI-13-132 and a CVE?
Message-ID:

ZDI Folks,

Could you ping Oracle to see which CVE this matches up with, assuming it does?

http://www.zerodayinitiative.com/advisories/ZDI-13-132/

Thanks!

.b


From zdi-disclosures at tippingpoint.com Fri Aug 16 09:37:13 2013
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Fri, 16 Aug 2013 09:37:13 -0500
Subject: [VIM] ZDI-13-132 and a CVE?
In-Reply-To:
References:
Message-ID: <520E3919.4080406@hp.com>

Hello,

This was released as a "security in depth" bulletin. As such it does not have a CVE assigned.

This is also true of ZDI-13-193 for Microsoft (although they call it "defense in depth").

Regards
The ZDI Team

On 8/15/2013 4:01 PM, security curmudgeon wrote:
>
> ZDI Folks,
>
> Could you ping Oracle to see which CVE this matches up with, assuming
> it does?
>
> http://www.zerodayinitiative.com/advisories/ZDI-13-132/
>
> Thanks!
>
> .b


From henri at nerv.fi Sat Aug 17 01:25:01 2013
From: henri at nerv.fi (Henri Salo)
Date: Sat, 17 Aug 2013 09:25:01 +0300
Subject: [VIM] ZDI-13-132 and a CVE?
In-Reply-To: <520E3919.4080406@hp.com>
References: <520E3919.4080406@hp.com>
Message-ID: <20130817062501.GA13565@kludge.henri.nerv.fi>

On Fri, Aug 16, 2013 at 09:37:13AM -0500, ZDI Disclosures wrote:
> Hello,
>
> This was released as a "security in depth" bulletin. As such it does
> not have a CVE assigned.
>
> This is also true of ZDI-13-193 for Microsoft (although they call
> it "defense in depth").
>
> Regards
> The ZDI Team

Details of the issue:

"""
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Java. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the java.security.KeyStore class. The issue lies in the execution of a user-supplied callback in a privileged context. An attacker can leverage this vulnerability to execute code under the context of the current process.
"""

and the Oracle page says:

"""
A Critical Patch Update is a collection of patches for multiple security vulnerabilities.
"""

This definitely sounds like it needs a CVE or multiple CVEs. In my opinion "security in depth" does not mean it's not a fix for a vulnerability. Other opinions/comments?

---
Henri Salo


From jericho at attrition.org Sun Aug 18 00:47:29 2013
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 18 Aug 2013 00:47:29 -0500 (CDT)
Subject: [VIM] ZDI-13-132 and a CVE?
In-Reply-To: <20130817062501.GA13565@kludge.henri.nerv.fi>
References: <520E3919.4080406@hp.com> <20130817062501.GA13565@kludge.henri.nerv.fi>
Message-ID:

: > On Fri, Aug 16, 2013 at 09:37:13AM -0500, ZDI Disclosures wrote:

: > This was released as a "security in depth" bulletin. As such it does
: > not have a CVE assigned.
: >
: > This is also true of ZDI-13-193 for Microsoft (although they call
: > it "defense in depth").

On Sat, 17 Aug 2013, Henri Salo wrote:

: The specific flaw exists within the java.security.KeyStore class. The issue lies
: in the execution of a user-supplied callback in a privileged context. An
: attacker can leverage this vulnerability to execute code under the context of
: the current process.

: This definitely sounds like it needs a CVE or multiple CVEs. In my
: opinion security in depth does not mean it's not a fix for a
: vulnerability. Other opinions/comments?

Agreed.

ZDI has a solid history of releasing quality material, and no wildly inaccurate vuln reports. If ZDI releases an advisory that implies code execution, and Oracle dismisses it with "defense in depth", then I fully believe Oracle either doesn't understand the issue, or is intentionally downplaying it. Oracle has an occasional history of not handling researcher disclosures the best, and has a solid history of not understanding vulnerability impacts, as evidenced by their frequently inaccurate CVSS scoring.

ZDI, please consider pressing Oracle on this matter. Even if you don't, I believe that this, and any other issue like this (as I think there were others where a CVE wasn't issued), deserve a CVE ID.


From zdi-disclosures at tippingpoint.com Wed Aug 28 09:56:52 2013
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Wed, 28 Aug 2013 09:56:52 -0500
Subject: [VIM] ZDI-13-132 and a CVE?
In-Reply-To:
References: <520E3919.4080406@hp.com> <20130817062501.GA13565@kludge.henri.nerv.fi>
Message-ID: <521E0FB4.3030401@hp.com>

Hello,

We have pushed both Oracle and Microsoft for CVEs on their "security/defense-in-depth" advisories to no avail. We consider the matter closed between ZDI and these vendors.

Regards
The ZDI Team

On 8/18/2013 12:47 AM, security curmudgeon wrote:
>
> : > On Fri, Aug 16, 2013 at 09:37:13AM -0500, ZDI Disclosures wrote:
>
> : > This was released as a "security in depth" bulletin. As such it does
> : > not have a CVE assigned.
> : >
> : > This is also true of ZDI-13-193 for Microsoft (although they call
> : > it "defense in depth").
>
> On Sat, 17 Aug 2013, Henri Salo wrote:
>
> : The specific flaw exists within the java.security.KeyStore class. The issue lies
> : in the execution of a user-supplied callback in a privileged context. An
> : attacker can leverage this vulnerability to execute code under the context of
> : the current process.
>
> : This definitely sounds like it needs a CVE or multiple CVEs. In my
> : opinion security in depth does not mean it's not a fix for a
> : vulnerability. Other opinions/comments?
>
> Agreed.
>
> ZDI has a solid history of releasing quality material, and no wildly
> inaccurate vuln reports. If ZDI releases an advisory that implies code
> execution, and Oracle dismisses it with "defense in depth", then I fully
> believe Oracle either doesn't understand the issue, or is intentionally
> downplaying it. Oracle has an occasional history of not handling
> researcher disclosures the best, and has a solid history of not
> understanding vulnerability impacts, as evidenced by their frequently
> inaccurate CVSS scoring.
>
> ZDI, please consider pressing Oracle on this matter. Even if you don't, I
> believe that this, and any other issue like this (as I think there were
> others where a CVE wasn't issued), deserve a CVE ID.
>