[VIM] Regarding Web-APP.org WebAPP CVE Entry Details

Web-APP webapp at web-app.org
Thu Jun 28 19:01:36 UTC 2007


Hello,

As I mentioned earlier, here are the details for the CVE entries for WebAPP,
with complete facts to the best of my ability, to help clarify which
vulnerabilities affect web-app.org vs web-app.net releases as suggested by
Brian. Please be welcome to make whatever use of this information is
appropriate.

Individual CVEs:

CVE-2004-1742 - Directory traversal vulnerability - long resolved. Was in
Topics feature. Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4,
0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1. Patched for v0.9.9.2.

CVE-2005-0927 - Unspecified File Content Disclosure - was null byte in query
string issue - long resolved. Vulnerable: web-app.org WebAPP v0.8, 0.9,
0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2. Patched for
v0.9.9.2.1.

CVE-2005-1557 - Multiple cross-site scripting (XSS) vulnerabilities in
WebApp Guestbook PRO - Is a mod, not part of WebAPP. Vulnerable: Only the
Mod. Not WebAPP.

CVE-2005-1628 - apage.cgi shell metacharacters - Is a mod, not part of
WebAPP. Vulnerable: Only the Mod. Not WebAPP.

CVE-2006-1427 - Multiple cross-site scripting (XSS) vulnerabilities -
Calendar XSS was first reported to an exploits site, I believe by a
disgruntled member of the web-app.org group. "CONFIRM:" has web-app.net
listed which is incorrect. Web-app.net should not be listed on that old
record as web-app.net did not exist before May 25 2006. The web-app.org
patch for this entry was May 15. Vulnerable: web-app.org WebAPP v0.8, 0.9,
0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3,
0.9.9.3.1, 0.9.9.3.2. Patch released by web-app.org labeled "May 15
Security Patch" and located at
http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=7 .

CVE-2006-6687 - Web-App.Org and Web-App.Net Multiple Input Validation
Vulnerabilities - Dec 2006. The patch released by WebAPP Network Group
(www.web-app.net) addresses commonly used query string manipulation
exploits. There have been more found in input validation weaknesses since
that time. Shaka_Flex is sharp at finding these things but not always
specific in reporting them. Probably he was aware of much of what we have
since found - in form inputs even more so than in query strings. Vulnerable:
web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9,
0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, and 0.9.9.3.2; web-app.net WebAPP NE
v0.9.9.3.3 and 0.9.9.3.4.

CVE-2006-6688 - Is this not the same as CVE-2006-6687? It has the same
web-app.net patch and the same Secunia page.

CVE-2006-7186 - open list files in "profile and other functions," - here is
an anchor link to the exact post where that was found:
http://www.bantychick.com/live/?action=forum&board=shootbreeze&op=display&num=19&start=15#21 .
The referenced thread is a copy of the change log for the WebAPP Network
Group's contributions to web-app.net WebAPP NE. Listed as "cgi-lib/subs.pl
in web-app.net WebAPP before 0.9.9.3.5", which is incorrect. There is no
web-app.net 0.9.9.3.5, and although the patch was done through subs.pl, the
vulnerability is in the "other functions". Vulnerable: web-app.org WebAPP
v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2,
0.9.9.3, 0.9.9.3.1, and 0.9.9.3.2; web-app.net WebAPP NE v0.9.9.3.3.

CVE-2006-7187 - Cross-site scripting (XSS) vulnerability in
show_recent_searches - patched by web-app.org for 0.9.9.3.5 Sept 9 2006.
Appears that web-app.net released a single file patch the same day. Not
fixed in the web-app.net full release package. Vulnerable: web-app.org
WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1,
0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2; web-app.net WebAPP NE v0.9.9.3.3,
0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624 without the
single file patch applied.

CVE-2006-7188 - reading internal forum posts via search - file affected
should be "cgi-lib/search.pl". Probably web-app.net released a user-lib
patch. This was patched in web-app.org WebAPP v0.9.9.3.5 Sept 9 2006. Not
fixed in the web-app.net full release package. Vulnerable: web-app.org
WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1,
0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2; web-app.net WebAPP NE v0.9.9.3.3,
0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624 without the
single file patch applied.

CVE-2006-7189 - XSS in logs - This is part of what is listed under
CVE-2006-1427. Listed as "web-app.net WebAPP before 20060403" which is
incorrect - There was no web-app.net before 20060525. Vulnerable:
web-app.org WebAPP v0.9.9.3, 0.9.9.3.1. Patch released by web-app.org
labeled "May 15 Security Patch" and located at
http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=7 .

CVE-2006-7190 - XSS in Article Comments - This is part of what is listed
under CVE-2006-1427. Listed as "web-app.net WebAPP before 20060515" which is
incorrect - There was no web-app.net before 20060525. Vulnerable:
web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9,
0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2. Patch released by
web-app.org labeled "May 15 Security Patch" and located at
http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=7 .

CVE-2007-1174 - HTML (XSS?) in profiles - Vulnerable: web-app.org WebAPP
v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2,
0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, and 0.9.9.5; web-app.net
WebAPP NE v0.9.9.3.3 and 0.9.9.3.4 of 20060901. Verified as probably fixed
in web-app.net WebAPP NE 0.9.9.3.4 of 20070222. Patch released by
web-app.org labeled "Security Patch for Profiles" at
http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=27 .

CVE-2007-1175 - Cross-site scripting (XSS) vulnerability in an admin
feature - The log viewer when HTML is entered as a spoofed user agent.
Discovered by Blackcode.
http://newbc.blackcode.com/forum/index.php?t=msg&rid=0&th=1167&goto=10145#msg_10145 .
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7,
0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5,
0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE
2007 through at least 20070624.

CVE-2007-1176 - Multiple cross-site scripting (XSS) vulnerabilities in
Gallery feedback, Gallery comments, Search results, Statistics log viewer -
Gallery XSS was persistent. Search results is client side and found by
Blackcode, posted at
http://newbc.blackcode.com/forum/index.php?t=msg&rid=0&th=1167&goto=10033#msg_10094 .
Statistics log viewer was the same as entry CVE-2007-1175. Vulnerable:
web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9,
0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4;
web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007
through at least 20070624.

CVE-2007-1177 - Input validation in query string, Profiles, Forum Post icon,
Edit Profile, and Gallery - Query string: basic touching up of filters, no
specific risk; Profiles: same as CVE-2007-1174; Gallery: same as
CVE-2007-1176; Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4,
0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2,
0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net
WebAPP NE 2007 through at least 20070624.

CVE-2007-1178 - Access checks in Calendar Administration, Instant Messages
Administration, Image Uploader - Calendar Admin: missing line in access
check (typo); IM admin: access checking was missing in new IMX advanced
admin features; Image uploader hidden page was missing username access
check. Vulnerable: Calendar: web-app.net WebAPP NE v0.9.9.3.4, web-app.org
WebAPP v0.9.9.3.5. Patch labeled "Calendar Mod Admin Patch" released at
http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=23 .
Instant Messages Admin: web-app.org WebAPP v0.9.9.3, 0.9.9.3.1, 0.9.9.3.2,
0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.4, 0.9.9.3.5; web-app.net
WebAPP NE 2007 through at least 20070624. Image Uploader: web-app.org WebAPP
v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2,
0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE
v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.
All patched in web-app.org WebAPP v0.9.9.5.

CVE-2007-1179 - improper email address management in mail features - Main
problem was spammers using Recommend feature, spoofing email headers to send
to multiple addresses, when the site was set to allow this feature to be
used by guests and to allow remote submission of forms. Was reported as a
problem on one site with these settings. The fix for this implemented a
module that was also put to use on all other emailer features. Vulnerable:
web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9,
0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4;
web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007
through at least 20070624. Patched in web-app.org WebAPP v0.9.9.5.

CVE-2007-1180 - checking of referrers in certain forms - This was due to
removal of the site wide referrer check in favor of using a localized
routine for each form. This is a relatively useless check as it will not
stop determined hackers from spoofing the referrer field in their browsers.
Notes on this as per this entry's references pertain to the addition of
the localized routine to almost all of the subroutines that accept form input.
Although web-app.org does not consider this a vulnerability, it was
addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1181 - passing Unused Informations and username through Edit
Profile forms - a form cleanup, security related as cleaned up forms are
easier to secure but no specific risk or known exploit. Although web-app.org
does not consider this a vulnerability, it was addressed in web-app.org
WebAPP v0.9.9.5.

CVE-2007-1182 - Guest editing Guest profile - like it says, unknown impact.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8,
0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4;
web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007
through at least 20070624. Prevented in web-app.org WebAPP v0.9.9.5.

CVE-2007-1183 - Spoofing Real Name - a harmless prank but could lead people
to believe someone was really someone else. Vulnerable: web-app.org WebAPP
v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2,
0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE
v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.
Fixed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1184 - CAPTCHA default was set to "no" - This is only a setting.
Was set to "no" during time of use of module that was not there or not
working on some servers. Changed default to "yes" after switching to a
built-in module. Although web-app.org does not consider this a
vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1185 - Search, Edit Profile, Recommend, and User Approval forms
using hidden inputs - Was unnecessary since it was possible for the script
to set some of the values when the form was processed. Not a risk but is
security-related. Although web-app.org does not consider this a
vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1186 - No censoring of Real Name - user could put porn or cuss
words there, not a risk. Although web-app.org does not consider this a
vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1187 - Sensitive Information via Forum Archive or Recent Searches -
Does this refer to the "Forum Archive feature made admin only" and "Made
Recent Searches viewable by administrators only" in article referenced
http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ? Forum
archive was changed from "Administrator" to "Admin" because some
administrators did not know how to use it and messed up forums. Recent
searches was made admin only because of all the porn search phrase spammers
lately. No risk with either. Although web-app.org does not consider this a
vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1188 - Composition and length checking on Search - could overload
server and possibly weaken server for other attempts. There were
multi-megabyte data being submitted to search, along with long strings of
name value pairs. Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4,
0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2,
0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net
WebAPP NE 2007 through at least 20070624. Addressed by web-app.org WebAPP
v0.9.9.5.

CVE-2007-1259 - Multiple unspecified vulnerabilities - The main thing here
was the menu manager - same as CVE-2007-3242. Other things were client side
XSS (CVE-2007-1828) and typo in image uploader file check (CVE-2007-1832).
Patch was web-app.org WebAPP v0.9.9.6.

CVE-2007-1489 - Admin access by Cookie modification - was only in version
0.9.9.6. Listed as 0.9.9.4 to 0.9.9.6 which is incorrect. Vulnerable:
web-app.org WebAPP v0.9.9.6.

CVE-2007-1827 - same as CVE-2007-3242.

CVE-2007-1828 - mentioned in CVE-2007-1259.

CVE-2007-1830 - same as CVE-2007-1489.

CVE-2007-1831 - Query string writing wrong data - Was in downloads and
links. They could be deleted by entering the downloads categories file name
as the single category name. Vulnerable: web-app.org WebAPP v0.8, 0.9,
0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3,
0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, and 0.9.9.5; web-app.net WebAPP NE
v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.
Patched for web-app.org WebAPP 0.9.9.6.

CVE-2007-1832 - mentioned in CVE-2007-1259.

CVE-2007-3242 - Menu Manager System Commands. - Vulnerable: web-app.org
WebAPP v0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5;
web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007
prior to 20070624. Patched for web-app.org WebAPP 0.9.9.6 of 20070221.

CVE-2007-3416 - Multiple cross-site request forgery - listed as "allow
remote attackers to perform deletions as administrators"; probably from our
notes: "Administration for poll, profiles, IP bans, forums - added referrer
check to prevent accidental deletion due to XSS redirects or tricky links."
This is to avoid deletion on features that do not have a delete confirmation
page - an XSS on another page or a trick link could lead an unsuspecting
admin to accidentally delete something. This would have to be specifically
targeted against a well known person. Vulnerable: web-app.org WebAPP v0.8,
0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3,
0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and 0.9.9.6;
web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007
through at least 20070624. Patched for web-app.org WebAPP 0.9.9.7 of
20070329.

CVE-2007-3417 - Multiple cross-site scripting (XSS) vulnerabilities in
Search - Says "inject arbitrary web script or HTML via a search string,
which is not sanitized when an HREF attribute is printed by the (1)
process_search or (2) show_recent_searches function." Could this be from
web-app.org's "Search pages links URL encoded" note? That is so search works
with heavier filtering on the query string characters. Or maybe "In Search,
HTML encoding and decoding for "search again" input" ? Process search does
not print anything, and show recent searches was made admin only, so I don't
know about this one. Maybe not a vulnerability?

CVE-2007-3418 - Display Forum Post not showing username under Real name - a
follow up to CVE-2007-1183. To show username under Real name in the display
of each forum post. Mostly a convenience item. Not a vulnerability.

CVE-2007-3419 - Checking of dat files for Edit Profile - This is a complete
check on all fields of edit profile input. Done mostly to catch attempted
hackers. One field was found possible to be altered and affect the "status"
setting of the user. Any other modifications simply corrupt the profile.
Someone would need to be an expert at encoding and know the WebAPP code and
data file format to do this. Relatively harmless. Vulnerable: web-app.org
WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1,
0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and
0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE
2007 through at least 20070624. Now checked since web-app.org WebAPP
v0.9.9.7.

CVE-2007-3420 - Random cookie not clearing values - The user auth file was
cleared, but not the cookie. Fixing this could make further cookie
manipulation more difficult, but it is not a real risk. The cookie system
before the Random Cookie came in also left uncleared cookies. Random cookie
was implemented in web-app.org WebAPP v0.9.9.6.

CVE-2007-3421 - verification of membership on edit functions - just an extra
check. There is a new routine for checking membership, so it was easy to add
it to all relevant spots. Did cause script errors on certain things such as
the Gallery. Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5,
0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2,
0.9.9.3.5, 0.9.9.4, 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE
v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.
Addressed by web-app.org WebAPP v0.9.9.7.

CVE-2007-3422 - getcgi not filtering non-printing characters, certain
printing characters that do not commonly occur in URLs, or invalid URL
encoding sequences - The URL filters were modified to allow only valid URL
characters, rather than only ruling out known exploitable characters as
before. Affected: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7,
0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5,
0.9.9.4, 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3,
0.9.9.3.4; web-app.net WebAPP NE 2007 prior to 20070222. Filtering added to
web-app.org WebAPP v0.9.9.7. web-app.net WebAPP NE 2007 should be checked
for a filter on null bytes in query string (CVE-2005-0927) subsequent to
their filter modifications to getcgi.

CVE-2007-3423 - "from" field used in Instant Message display - not necessary
to use that field and it would cause Perl warnings or errors when reading IM
from (a) an internal IM, or a message from a (b) guest or (c) removed
member. Not good to use user input for file name. Affected: web-app.org
WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1,
0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and
0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE
2007 through at least 20070624. Addressed by web-app.org WebAPP v0.9.9.7.

CVE-2007-3424 - "tocat" in move Instant Messages parameter - Must be from
referenced thread note "Instant messages move "to" folder set hard coded
value instead of using query string value." Not good to use user input for
destination folder name, albeit there is a filter on traversal. Was not
necessary to use this field since there is only one folder to which messages
can be moved at this time. Affected: web-app.org WebAPP v0.8, 0.9, 0.9.3,
0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1,
0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and 0.9.9.6; web-app.net WebAPP
NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least
20070624. Addressed by web-app.org WebAPP v0.9.9.7.


Sincerely,
Jos Brown
WebAPP (c) web-app.org
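As an added example (not WebAPP code and not its getcgi routine), here is the allowlist style of query-string filtering described under CVE-2007-3422 beside the older denylist style it replaced, with the null-byte case from CVE-2005-0927, malformed percent-encoding, non-printing characters and the length check from CVE-2007-1188 handled. The function names, the allowed character set and the sample inputs are constructed for illustration.

```python
import re
from urllib.parse import unquote_to_bytes

# Denylist style (constructed): remove only characters known to be
# dangerous. Anything not on the list, such as an encoded null byte,
# passes through untouched.
DENYLIST = re.compile(r"[;|`<>$]")

def denylist_filter(value: str) -> str:
    return DENYLIST.sub("", value)

# Allowlist style (constructed set): only characters that legitimately
# occur in a URL-encoded value are accepted; everything else is an error.
ALLOWED = re.compile(r"[A-Za-z0-9\-._~+%]*")
# A '%' that is not followed by two hex digits is an invalid escape.
BAD_PCT = re.compile(r"%(?![0-9A-Fa-f]{2})")

class BadInput(ValueError):
    """Raised for input that fails the allowlist; the request is refused
    rather than silently mended."""

def validate_param(raw: str, max_len: int = 256) -> str:
    """Validate one raw (still URL-encoded) parameter and return it decoded."""
    if len(raw) > max_len:
        raise BadInput("parameter too long")
    if not ALLOWED.fullmatch(raw):
        raise BadInput("character outside allowed set")
    if BAD_PCT.search(raw):
        raise BadInput("invalid percent-encoding sequence")
    decoded = unquote_to_bytes(raw)
    # Check the decoded bytes, so %00 is caught the same as a raw NUL.
    if b"\x00" in decoded:
        raise BadInput("null byte")
    if any(b < 0x20 or b == 0x7F for b in decoded):
        raise BadInput("non-printing character after decoding")
    return decoded.decode("utf-8")

def rejects(raw: str) -> bool:
    """True if validate_param refuses the input (used by the demo below)."""
    try:
        validate_param(raw)
    except BadInput:
        return True
    return False

def parse_query(query: str) -> dict:
    """Split a raw query string and validate every name and value; one bad
    pair refuses the whole request, as a strict input routine would."""
    params = {}
    for pair in query.split("&"):
        if pair:
            name, _, value = pair.partition("=")
            params[validate_param(name, 64)] = validate_param(value)
    return params

if __name__ == "__main__":
    # Constructed samples: a clean request, an encoded null byte, a
    # truncated escape, and a control character.
    print(parse_query("action=downloadinfo&cat=pastversions&id=7"))
    for sample in ("topic%00.txt", "topic%2", "a%01b"):
        print(sample, "denylist ->", repr(denylist_filter(sample)),
              "| allowlist rejects:", rejects(sample))
```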


