From gtheall at tenable.com Tue Jul 15 19:00:57 2014
From: gtheall at tenable.com (George Theall)
Date: Wed, 16 Jul 2014 00:00:57 +0000
Subject: [VIM] SQL Buddy 'login.php' Multiple Cross Site Scripting Vulnerabilities
Message-ID: <390D8B80-9960-4370-AF8F-FC9B6CC70D30@tenable.com>

Himanshu / Dinesh / Narayan / Venkat / Rob :

What exactly are the differences between the BID that was created today for SQL Buddy (68534) and 52066? The former appears to correspond to http://packetstormsecurity.com/files/127454/Sqlbuddy-1.3.2-1.3.3-Cross-Site-Scripting.html and in turn, be a rehash of Zero Science Lab's advisory from over two years ago - http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5074.php ("SQL Buddy suffers from a XSS vulnerability when parsing user input to the 'DATABASE', 'HOST' and 'USER' parameters via POST method in 'login.php'").

George
--
theall at tenable.com


From gtheall at tenable.com Tue Jul 15 19:23:27 2014
From: gtheall at tenable.com (George Theall)
Date: Wed, 16 Jul 2014 00:23:27 +0000
Subject: [VIM] HP OneView CVE-2014-2602 Unspecified Remote Privilege Escalation Vulnerability
Message-ID: <9F9CAFD1-F426-4F16-ABFE-3E5449929F4B@tenable.com>

Himanshu / Dinesh / Narayan / Venkat / Rob :

I'm also confused by BIDs 67197 and 67203. Both reference CVE-2014-2602. And they appear to map to HP's HPSBGN03034 advisory (https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04273152), which concerns a single vulnerability. So why have two BIDs?

George
--
theall at tenable.com


From coley at mitre.org Sat Jul 19 12:16:58 2014
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 19 Jul 2014 13:16:58 -0400 (EDT)
Subject: [VIM] OctavoCMS (CVE-2014-4331) is not always site-specific

We received an inquiry from OSVDB about CVE-2014-4331, in which it appeared that OctavoCMS is a site-specific/hosted solution only. We investigated further.
Based on http://www.3gwebdesign.com/solutions/cms.edesign.terms.php, there might be some (rare) cases in which OctavoCMS could have been installed on customer-controlled systems in 2012 or earlier:

"Whilst FTP access and the installation on a clients server is not standard, an additional cost can be added to allow for this and the encrypting of the sites PHP files, arranged prior to a project commencement. Since 2012, Octavo 'has' to be on our servers."

In light of this discovery, we are treating OctavoCMS as a (sometimes) customer-controlled product and thus within CVE's scope.

- Steve


From jericho at attrition.org Mon Jul 21 17:57:01 2014
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 21 Jul 2014 17:57:01 -0500 (CDT)
Subject: [VIM] VDB Meet Up in Las Vegas

VIM people,

Some of us will be doing our near-annual VDB meetup in Las Vegas in a few weeks. I've asked around to a few that usually show in order to figure out a decent time/place. This year:

Burger Bar @ Mandalay Bay
Thursday, Aug 7th (2nd day of BH Briefings)
1PM

We chose this location since BH is there and DEFCON is just getting started that day. We're opting for lunch because a lot of parties and dinners happen that night already. The last 'good' talk I have been told ends at 12:45 and some other 'good' talks start at 2:15. For those not going to BH we can hang around longer, or move to a random bar to continue discussion and debate.

Since this may involve quite a few people, we need to know ahead of time who plans to show so I can get a reservation. Please RSVP (offlist preferred) to me that you intend to show up.

Thanks!
.b


From gtheall at tenable.com Mon Jul 21 19:47:53 2014
From: gtheall at tenable.com (George Theall)
Date: Tue, 22 Jul 2014 00:47:53 +0000
Subject: [VIM] IBM GCM16/32 v1.20.0.22575 vulnerabilities

In a post to Full Disclosure (http://seclists.org/fulldisclosure/2014/Jul/113), Alejandro Alvarez today references CVE-2014-2085 for a remote code execution vulnerability in IBM GCM KVM switch. That's been rejected by Mitre and the underlying issue merged into CVE-2014-2084 "because it is the same type of vulnerability and affects the same versions." And CVE-2014-2084 is for multiple information disclosure vulnerabilities in Skybox View Appliances.

It looks like SecurityFocus merged the IBM GCM KVM switch issue into BID 67352 today. Other than referencing CVE-2014-2085, the issues covered by the BID seem totally unrelated to the RCE reported today by Alvarez.

Himanshu / Dinesh / Narayan / Venkat / Rob : would you explain the thinking behind this merge?

George
--
theall at tenable.com


From Himanshu_Mehta at symantec.com Tue Jul 22 06:10:07 2014
From: Himanshu_Mehta at symantec.com (Himanshu Mehta)
Date: Tue, 22 Jul 2014 04:10:07 -0700
Subject: [VIM] IBM GCM16/32 v1.20.0.22575 vulnerabilities
Message-ID: <1587858E792C6C48ADD97BCB156E8ED031F8655DF9@APJ1XCHEVSPIN31.SYMC.SYMANTEC.COM>

Hi George,

BID: 67352 was updated according to the CVE mentioned in Full Disclosure (http://seclists.org/fulldisclosure/2014/Jul/113). We cross-checked now and updated accordingly. Thanks for bringing this to our notice.
Regards,
Himanshu Mehta

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Tuesday, July 22, 2014 6:18 AM
To: Vulnerability Information Managers
Subject: [VIM] IBM GCM16/32 v1.20.0.22575 vulnerabilities

In a post to Full Disclosure (http://seclists.org/fulldisclosure/2014/Jul/113), Alejandro Alvarez today references CVE-2014-2085 for a remote code execution vulnerability in IBM GCM KVM switch. That's been rejected by Mitre and the underlying issue merged into CVE-2014-2084 "because it is the same type of vulnerability and affects the same versions." And CVE-2014-2084 is for multiple information disclosure vulnerabilities in Skybox View Appliances.

It looks like SecurityFocus merged the IBM GCM KVM switch issue into BID 67352 today. Other than referencing CVE-2014-2085, the issues covered by the BID seem totally unrelated to the RCE reported today by Alvarez.

Himanshu / Dinesh / Narayan / Venkat / Rob : would you explain the thinking behind this merge?

George
--
theall at tenable.com


From Himanshu_Mehta at symantec.com Wed Jul 23 08:54:22 2014
From: Himanshu_Mehta at symantec.com (Himanshu Mehta)
Date: Wed, 23 Jul 2014 06:54:22 -0700
Subject: [VIM] SQL Buddy 'login.php' Multiple Cross Site Scripting Vulnerabilities
In-Reply-To: <390D8B80-9960-4370-AF8F-FC9B6CC70D30@tenable.com>
References: <390D8B80-9960-4370-AF8F-FC9B6CC70D30@tenable.com>
Message-ID: <1587858E792C6C48ADD97BCB156E8ED031F88FD3C0@APJ1XCHEVSPIN31.SYMC.SYMANTEC.COM>

Hi,

It was reported again recently by a different reporter, and the reference to the old report was also missing. BID: 68534 is retired as a duplicate of BID: 52066.
Thanks,
Himanshu

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Wednesday, July 16, 2014 5:31 AM
To: Vulnerability Information Managers
Subject: [VIM] SQL Buddy 'login.php' Multiple Cross Site Scripting Vulnerabilities

Himanshu / Dinesh / Narayan / Venkat / Rob :

What exactly are the differences between the BID that was created today for SQL Buddy (68534) and 52066? The former appears to correspond to http://packetstormsecurity.com/files/127454/Sqlbuddy-1.3.2-1.3.3-Cross-Site-Scripting.html and in turn, be a rehash of Zero Science Lab's advisory from over two years ago - http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5074.php ("SQL Buddy suffers from a XSS vulnerability when parsing user input to the 'DATABASE', 'HOST' and 'USER' parameters via POST method in 'login.php'").

George
--
theall at tenable.com


From Himanshu_Mehta at symantec.com Wed Jul 23 08:55:40 2014
From: Himanshu_Mehta at symantec.com (Himanshu Mehta)
Date: Wed, 23 Jul 2014 06:55:40 -0700
Subject: [VIM] HP OneView CVE-2014-2602 Unspecified Remote Privilege Escalation Vulnerability
In-Reply-To: <9F9CAFD1-F426-4F16-ABFE-3E5449929F4B@tenable.com>
References: <9F9CAFD1-F426-4F16-ABFE-3E5449929F4B@tenable.com>
Message-ID: <1587858E792C6C48ADD97BCB156E8ED031F88FD3C1@APJ1XCHEVSPIN31.SYMC.SYMANTEC.COM>

Hi,

Sometimes there is a delay in BID alerts, so we published it twice by mistake. BID: 67203 is retired as a duplicate of BID: 67197.

Thanks,
Himanshu

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Wednesday, July 16, 2014 5:53 AM
To: Vulnerability Information Managers
Subject: [VIM] HP OneView CVE-2014-2602 Unspecified Remote Privilege Escalation Vulnerability

Himanshu / Dinesh / Narayan / Venkat / Rob :

I'm also confused by BIDs 67197 and 67203. Both reference CVE-2014-2602.
And they appear to map to HP's HPSBGN03034 advisory (https://h20564.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04273152), which concerns a single vulnerability. So why have two BIDs?

George
--
theall at tenable.com


From gtheall at tenable.com Thu Jul 31 19:48:15 2014
From: gtheall at tenable.com (George Theall)
Date: Fri, 1 Aug 2014 00:48:15 +0000
Subject: [VIM] WordPress A Page Flip Book Plugin 'pageflipbook.php' Local File Include Vulnerability

Himanshu / Dinesh / Narayan / Venkat / Rob :

I noticed that SecurityFocus recently created BID 68959 for a local file inclusion vulnerability in the WordPress A Page Flip Book plugin, presumably based on Henri Salo's post at http://www.openwall.com/lists/oss-security/2014/07/30/2. Henri's post in turn references a post from Charlie Eriksen over two years ago - http://ceriksen.com/2012/07/10/wordpress-a-page-flip-book-plugin-local-file-inclusion-vulnerability/

I'm at a loss to understand how this new BID differs from BID 54368, which was created shortly after Charlie's blog post came out originally. There's a slight difference in the name of the plugin in the BIDs, but otherwise we're looking at the same affected script, same affected parameter, same timeframe of discovery, even the same discoverer if you do a tiny bit of digging. This seems like a pretty obvious dup, doesn't it?

George
--
theall at tenable.com