From jericho at attrition.org Fri Dec 2 21:55:23 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Dec 2 21:55:35 2005
Subject: [VIM] Multiple IBM Tivoli documents leading to same issue
In-Reply-To: <200512010001.jB101504017064@cairo.mitre.org>
References: <200512010001.jB101504017064@cairo.mitre.org>
Message-ID:

: FYI, iDEFENSE noticed some possible CVE dupes regarding IBM Tivoli
: Directory Server. These dupes arose from different IBM documents, one
: with a very vague description, and the other with a more detailed
: description, and neither seeming to refer to the other.
:
: I did some digging and they lead to the same APARs.
:
: Maybe this will help save other people some analytical effort and/or
: prevent their own dupes. See the references in CVE-2005-3567 below.

95% of the time I visit the IBM web site looking for info, I end up leaving negative feedback on the "was this helpful" box.

We currently have the following links attached to OSVDB 20672 which covers this:

http://www-1.ibm.com/support/docview.wss?uid=swg21221665
http://www-1.ibm.com/support/docview.wss?uid=swg24010819
http://www-1.ibm.com/support/docview.wss?uid=swg24010820
http://www-1.ibm.com/support/docview.wss?uid=swg24010821
http://www-1.ibm.com/support/docview.wss?uid=swg21222172

No wonder it is difficult to figure out. Vague wording that isn't even consistent across multiple documents is horrible.


From coley at mitre.org Sun Dec 4 16:37:59 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Dec 4 16:41:03 2005
Subject: [VIM] Confirmed CVE-2005-3986 (Instant Photo Gallery SQL injections)
Message-ID: <200512042137.jB4Lbxpw015099@cairo.mitre.org>

FYI, I confirmed the following Instant Photo Gallery SQL injections using source code inspection.

- Steve

======================================================
Name: CVE-2005-3986
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3986
Reference: MISC:http://pridels.blogspot.com/2005/11/instant-photo-gallery-sql-inj-vuln.html
Reference: SECUNIA:17841
Reference: URL:http://secunia.com/advisories/17841

Multiple SQL injection vulnerabilities in Instant Photo Gallery 1 and earlier allow remote attackers to execute arbitrary SQL commands via the (1) cat_id parameter in portfolio.php and (2) cid parameter in content.php.


From coley at mitre.org Sun Dec 4 17:29:20 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Dec 4 17:32:18 2005
Subject: [VIM] provable vendor ACK for PHPX SQL injection
Message-ID: <200512042229.jB4MTKrj015381@cairo.mitre.org>

Re: CVE-2005-3968

Vendor has a vague ACK at:

http://www.phpx.org/news.php?news_id=139

A patch is provided. A diff between auth.inc.php in 3.5.9 versus the patch shows a new check that $username is alphanumeric.

- Steve

======================================================
Name: CVE-2005-3968
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3968
Reference: BUGTRAQ:20051130 PhpX <= 3.5.9 SQL Injection -> login bypass -> remote command/code execution
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/418253/100/0/threaded
Reference: MISC:http://rgod.altervista.org/phpx_359_xpl.html
Reference: CONFIRM:http://www.phpx.org/news.php?news_id=139
Reference: BID:15680
Reference: URL:http://www.securityfocus.com/bid/15680
Reference: FRSIRT:ADV-2005-2696
Reference: URL:http://www.frsirt.com/english/advisories/2005/2696
Reference: SECTRACK:1015300
Reference: URL:http://securitytracker.com/id?1015300
Reference: SECUNIA:17858
Reference: URL:http://secunia.com/advisories/17858

SQL injection vulnerability in auth.inc.php in PHPX 3.5.9 and earlier allows remote attackers to execute arbitrary SQL commands, bypass authentication, and upload arbitrary PHP code via the username parameter.


From jericho at attrition.org Mon Dec 5 10:48:08 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Dec 5 10:48:13 2005
Subject: [VIM] Vendor dispute of OSVDB 15313 / 15314
Message-ID:

OSVDB 15314 = CVE 2005-1032, Secunia 14857, SecTrack 1013658

---------- Forwarded message ----------
From: Qualiteam alliances
To: moderators@osvdb.org
Date: Mon, 5 Dec 2005 15:03:02 +0300
Subject: [OSVDB Mods] 15313,15314

Hello OSVDB,

My name is Mickael, I am marketing manager at Qualiteam, the seller of LiteCommerce software. I write in regard of reports published at

http://www.osvdb.org/displayvuln.php?osvdb_id=15313
http://www.osvdb.org/displayvuln.php?osvdb_id=15314

These reports are credited to a malicious person we refused to hire. We have not taken legal action against him only because he is located in India. The vulnerabilities reported can not be reproduced, hence the information you provide is contrary to fact and, moreover, is harming our business. Please remove it ASAP.

Regards,
--
Mickael Bazhutin
marketing manager

QUALITEAM.BIZ [web sites] http://www.qualiteam.biz/
Glavpochtamt, p/o box 5152. [ phone ] +7 8422 429038 (9:00-18:00 GMT +3)
432072 Ulyanovsk, Russia [ fax ] 1 270 568 5165


From coley at linus.mitre.org Mon Dec 5 12:27:03 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon Dec 5 12:30:18 2005
Subject: [VIM] Vendor dispute of OSVDB 15313 / 15314
In-Reply-To:
References:
Message-ID:

Hrmmmmmmmm, interesting. The researcher was Diabolic Crab.

Last week there was a vendor that disputed a r0t-reported issue but when I pointed out the information leak aspects of the problem under some PHP configs, the vendor agreed (it was a path-disclosure on error due to a bad type of value in SQL query). Maybe this is the same thing.

I wonder if this is another error-on-bad-SQL-value-type.

- Steve

On Mon, 5 Dec 2005, security curmudgeon wrote:

>
>
> OSVDB 15314 = CVE 2005-1032, Secunia 14857, SecTrack 1013658
>
>
> ---------- Forwarded message ----------
> From: Qualiteam alliances
> To: moderators@osvdb.org
> Date: Mon, 5 Dec 2005 15:03:02 +0300
> Subject: [OSVDB Mods] 15313,15314
>
> Hello OSVDB,
>
> My name is Mickael, I am marketing manager at Qualiteam, the seller of
> LiteCommerce software. I write in regard of reports published at
>
> http://www.osvdb.org/displayvuln.php?osvdb_id=15313
> http://www.osvdb.org/displayvuln.php?osvdb_id=15314
>
> These reports are credited to a malicious person we refused to hire. We have
> not taken legal action against him only because he is located in India.
> The vulnerabilities reported can not be reproduced, hence the information you
> provide is contrary to fact and, moreover, is harming our business. Please
> remove it ASAP.
>
> Regards,
> --
> Mickael Bazhutin
> marketing manager
>
> QUALITEAM.BIZ [web sites] http://www.qualiteam.biz/
> Glavpochtamt, p/o box 5152.
> [ phone ] +7 8422 429038 (9:00-18:00 GMT +3)
> 432072 Ulyanovsk, Russia [ fax ] 1 270 568 5165
>


From coley at mitre.org Tue Dec 6 01:03:03 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Dec 6 01:06:09 2005
Subject: [VIM] FileLister - ummmmmmmm, what?
Message-ID: <200512060603.jB6633cE027034@cairo.mitre.org>

This is an odd one.

r0t posted an SQL injection vuln in FileLister via "the search parameters":

http://pridels.blogspot.com/2005/12/filelister-sql-inj-vuln.html

Secunia, SecurityFocus, and FrSirt all describe a FileLister vuln, but instead of SQL injection, they say it's XSS, and they also say it's the "searchwhat" parameter in definesearch.jsp. They all point to r0t's SQL injection post.

So, to repeat the subject line... ummmmmmmm, what?

For those who want to investigate, "searchwhat" only appears in definesearch.jsp and src/org/alltimeflashdreamer/filelister/SearchParameters.java

- Steve


From coley at mitre.org Tue Dec 6 01:44:35 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Dec 6 01:52:25 2005
Subject: [VIM] HobSR SQL injection partially verified
Message-ID: <200512060644.jB66iZfP027239@cairo.mitre.org>

I was able to verify the $arrange portion of the SQL injection in HobSR:

http://pridels.blogspot.com/2005/12/hobsr-sql-inj-vuln.html

$arrange can be injected directly into a mysql_query at line 47.

For $p, however: $p does not appear to be used in a query, but the $pages variable is set as "$pages=$p-1" and later used in a calculation, then in a DESC LIMIT clause, which might trigger an SQL error - but I'm not sure.

- Steve


From coley at mitre.org Tue Dec 6 01:37:55 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Dec 6 02:00:52 2005
Subject: [VIM] Verified, confirmed, acknowledged, replicated... what?
Message-ID: <200512060637.jB66bt7P027230@cairo.mitre.org>

Does anybody have a terminology for how "proven" a vulnerability is?

I use mixed terminology all the time...

For example, I say "vendor acknowledgement" when the vendor says that the issue is real, but the associated CVE reference is a "CONFIRM".

I don't use "verified" or "validated" although I want to use one of these words for when a third party agrees that an issue is real.

According to webster.com, "validate" means "to support or corroborate on a sound or authoritative basis."

"verify" is "to establish the truth, accuracy, or reality of"

Both of these are the 2nd definition for the word. Both list "confirm" as a synonym, which doesn't help.

Maybe it's best to stay away from the overloaded terms altogether and just say "replicate" - DUPLICATE, REPEAT, as in "replicate a statistical experiment"

- Steve


From jericho at attrition.org Tue Dec 6 02:05:45 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Dec 6 02:05:49 2005
Subject: [VIM] Verified, confirmed, acknowledged, replicated... what?
In-Reply-To: <200512060637.jB66bt7P027230@cairo.mitre.org>
References: <200512060637.jB66bt7P027230@cairo.mitre.org>
Message-ID:

: Does anybody have a terminology for how "proven" a vulnerability is?

I've thought about this in the past, and OSVDB uses one word consistently, as part of our classification system:

Verified - Has been personally verified by a mangler, or acknowledged by the vendor

This feeds into the definition:

: "verify" is "to establish the truth, accuracy, or reality of"

Specifically the 'accuracy or reality' part. I believe that is why we selected 'verified' over other words at the time.

: Maybe it's best to stay away from the overloaded terms altogether and
: just say "replicate" - DUPLICATE, REPEAT, as in "replicate a statistical
: experiment"

Definitions may disagree, but I don't like these words because they can easily mean that someone repeated or duplicated a flawed test, not verified a vulnerability.

If I set up a package, turn all the PHP options a certain way (the worst you can), change permissions on files and directories (the way I shouldn't), then report a vulnerability.. you can duplicate and repeat it, but you have not verified it is a vulnerability in the software package.


From jericho at attrition.org Wed Dec 7 14:43:21 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Dec 7 14:43:28 2005
Subject: [VIM] [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection (fwd)
Message-ID:

My reply follows..

---------- Forwarded message ----------
From: Philipp Wunderlich
To: moderators@osvdb.org
Date: Wed, 7 Dec 2005 20:26:22 +0100
Subject: [OSVDB Mods] [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection

Hi OSVDB-Team,

I'm Philipp Wunderlich, a software developer from randshop in Germany. We fixed the bug and upgraded the actual download version on our website. The patch is also available in the forum and our customers are informed by mail.

I tried to contact Liz0ziM, who found the bug, but without success. So I try to send the websites with this security information mails with this information.

--
cu & have fun
Philipp Wunderlich


From jericho at attrition.org Wed Dec 7 14:43:42 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Dec 7 14:43:44 2005
Subject: [VIM] Re: [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection (fwd)
Message-ID:

---------- Forwarded message ----------
From: security curmudgeon
To: Philipp Wunderlich
Cc: moderators@osvdb.org
Date: Wed, 7 Dec 2005 14:43:01 -0500 (EST)
Subject: Re: [OSVDB Mods] [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection

Hi Philipp,

: We fixed the bug and upgraded the actual download version on our website.
: The patch is also available in the forum and our customers are informed
: by mail.
: I tried to contact Liz0ziM, who found the bug, but without success. So
: I try to send the websites with this security information mails with this
: information.

According to the download page, 1.1 is the current version available for download *and* the date listed is 2005-08-26 / 2005-10-20. This doesn't seem to indicate a fix has been made for the version available?

The files in the version_1_1.zip have not been updated since 2005-10-20, over a month before this vulnerability was disclosed (2005-11-28).

Brian
OSVDB.org


From jericho at attrition.org Wed Dec 7 15:09:04 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Dec 7 15:09:08 2005
Subject: [VIM] AW: [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection (fwd)
Message-ID:

---------- Forwarded message ----------
From: Philipp Wunderlich
To: 'security curmudgeon'
Date: Wed, 7 Dec 2005 21:00:39 +0100
Subject: AW: [OSVDB Mods] [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection

Hi Brian,

sorry, I see that my workmate hasn't updated the shop. He only put the information in the forum and the news section for a manual download.

I will check this and inform you when the download version is also fixed.

[..]


From jericho at attrition.org Thu Dec 8 14:05:11 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Dec 8 14:05:26 2005
Subject: [VIM] AW: AW: [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection (fwd)
Message-ID:

---------- Forwarded message ----------
From: Philipp Wunderlich
To: 'security curmudgeon'
Date: Thu, 8 Dec 2005 18:17:44 +0100
Subject: AW: AW: [OSVDB Mods] [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection

Hi Brian,

now we got it. The actual version of the shop in the download section on our website has the latest bugfix. I hope you can now change the status to stable.

And now I get the newsletter from Secunia and hope that I get information about security problems in our system more quickly.

Thanx for your help.

--
cu & have fun
Philipp Wunderlich

-----Original Message-----
From: security curmudgeon [mailto:jericho@attrition.org]
Sent: Wednesday, 7 December 2005 21:09
To: Philipp Wunderlich
Subject: Re: AW: [OSVDB Mods] [Change Request] 21213: randshop /themes/kategorie/index.php Multiple Variable SQL Injection

: sorry, I see that my workmate hasn't updated the shop. He only put the
: information in the forum and the news section for a manual download.
:
: I will check this and inform you when the download version is also fixed.

Excellent, thanks!

: Another short question to you. Do you have a mailing list where this
: kind of notification will be published? I've only seen the OSVDB Data
: mailing list, and there only projects are published which change the
: status to a stable status. But what about the new entries on your
: website?

We have a mail list that sends out entries that were made stable each night. This list does not include all entries created for the day though, so it isn't necessarily the best for watching for brand new vulnerabilities. For that, I would recommend you subscribe to Secunia's mail list (daily mails) and SecurityTracker's list (one weekly summary).

Brian
OSVDB.org


From coley at linus.mitre.org Sat Dec 10 02:58:45 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat Dec 10 03:02:08 2005
Subject: [VIM] CRLF or LFCR vulnerability in Lyris? (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Sat, 10 Dec 2005 02:26:08 -0500 (EST)
From: Steven M. Christey
To: hdm@metasploit.com
Cc: coley@mitre.org
Subject: CRLF or LFCR vulnerability in Lyris?

H D,

Regarding the "%0A%0D" sequence issue in Lyris, is this some sort of byte-ordering thing and you're really talking about a CRLF problem, or is there genuinely something weird going on and you're sending a "LFCR" sequence?
This might matter because I haven't heard of LFCR problems before, but it's conceivable that some applications might be vulnerable to this variant if they do not perform cleansing and canonicalization in the proper order.

Thanks,

- Steve


From coley at linus.mitre.org Sat Dec 10 14:39:26 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat Dec 10 14:42:57 2005
Subject: [VIM] Re: Re: [KAPDA::#16] - SMF SQL Injection (fwd)
Message-ID:

FYI

I'm thinking of calling these "Forced invalid SQL errors" but any better ideas would be appreciated :)

- Steve

---------- Forwarded message ----------
Date: Sat, 10 Dec 2005 14:36:09 -0500 (EST)
From: Steven M. Christey
To: bugtraq@securityfocus.com
Cc: trueend5@yahoo.com, grudge@simplemachines.org
Subject: Re: Re: [KAPDA::#16] - SMF SQL Injection

>substr(strtolower($_REQUEST['start']), 0, 1)
>
>So, the string is set to lower case, and then only the FIRST letter is
>used within the query. How can anyone exploit the database with a one
>character insertion? Of course this is within single quotes as well,
>so it cannot even be a command.

This sounds like yet another example of a researcher diagnostic error, which I warned about a couple months ago:

A common researcher diagnosis error: misreading error messages
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2005-10/0040.html

I would bet that the software generated an error based on this portion of the SQL/PHP code:

  WHERE LOWER(SUBSTRING(realName, 1, 1)) < '" . substr(strtolower($_REQUEST['start']), 0, 1) . "'

The original demonstration value of "start" is:

  '[SQL]

and since the first character is "'", PHP would generate something like:

  WHERE LOWER(SUBSTRING(realName, 1, 1)) < '''

which would then generate a syntax error, which could then be mis-diagnosed as SQL injection.

I bet that many so-called "SQL injection" issues are of this form of "limited SQL syntax manipulation."

It is still an error message information leak, which some people don't think is security relevant. But clearly it is much less severe than SQL injection.

- Steve


From coley at linus.mitre.org Sat Dec 10 21:14:23 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat Dec 10 21:17:49 2005
Subject: [VIM] Security Vulnerability reported in ASPMForum (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Sat, 10 Dec 2005 21:12:38 -0500 (EST)
From: Steven M. Christey
To: aspmforum@kervancilar.com
Subject: Security Vulnerability reported in ASPMForum

Hello,

I am a computer security professional and the editor for the Common Vulnerabilities and Exposures (CVE) project. CVE is a list of software vulnerabilities, and it is widely used in the computer security industry. It is sponsored by the US Department of Homeland Security.

Recently, a vulnerability in your product was reported to public sources. References and a description are included below.

http://secunia.com/advisories/17954
http://www.securityfocus.com/bid/15767

Is this vulnerability report accurate? If so, then is the problem fixed, and in which versions?

Thank you,
Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation


From coley at mitre.org Sat Dec 10 21:59:47 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sat Dec 10 22:03:11 2005
Subject: [VIM] PerlCal - ACKs new and old
Message-ID: <200512110259.jBB2xlNB001410@cairo.mitre.org>

http://www.perlcal.com/calendar/docs/bugs.txt

Only problem is, no dates...

=== CVE-2005-4162 - cal_make.pl p0 XSS ===

PROBLEM: [2.99 to 2.99.30] Someone using your browser locally can use PerlCal to read your session cookies. Doing so does not compromise your password, and in such a situation, the user could already read your local cookies files directly, but this behavior is not ideal.

SOLUTION: Edit cal_make.pl. Replace the lines:

  $FORM{p0} =~ s/\.{2,}//g;
  $FORM{p1} =~ s/\.{2,}//g;

with:

  $FORM{p0} =~ s/[^\w\-\&\@\~]+//g;
  $FORM{p1} =~ s/[^\w\-\&\@\~]+//g;

=== CVE-2001-0463 - cal_make.pl p0 directory traversal ===

PROBLEM: [-2.98, Unix] "Null character exploitation" -- files readable by the Web server are viewable with appropriate specification of PerlCal GET variables.

SOLUTION: Edit cal_make.pl (or cal_make.cgi), and find 'sub getinput'. After the line:

  $value =~ s/%([a-fA-F0-9]{2})/pack("c", hex($1))/eg;

Put the line:

  $value =~ s/\0//g;

Find 'sub template'. After the line:

  local($viewdef) = @_;

Put the line:

  $p0 =~ s/\.\.//g;

System administrators should always turn off Read access to sensitive files on the server.


From coley at linus.mitre.org Sun Dec 11 02:47:58 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sun Dec 11 02:51:24 2005
Subject: [VIM] PluggedOut Product Vulnerabilities (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Sun, 11 Dec 2005 02:28:30 -0500 (EST)
From: Steven M. Christey
To: jonbeckett@pluggedout.com
Cc: coley@mitre.org
Subject: PluggedOut Product Vulnerabilities

Hello,

I am a computer security professional and the editor for the Common Vulnerabilities and Exposures (CVE) project. CVE is a list of software vulnerabilities, and it is widely used in the computer security industry. It is sponsored by the US Department of Homeland Security.

Recently, some vulnerabilities in PluggedOut products were reported to public sources. References and descriptions are included below.

Are these vulnerability reports accurate? If so, then is the problem fixed, and in which versions?

Thank you,
Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation

======================================================
Name: CVE-2005-4054
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4054
Reference: MISC:http://pridels.blogspot.com/2005/12/pluggedout-blog-sql-vuln.html
Reference: BID:15746
Reference: URL:http://www.securityfocus.com/bid/15746
Reference: FRSIRT:ADV-2005-2750
Reference: URL:http://www.frsirt.com/english/advisories/2005/2750
Reference: OSVDB:21480
Reference: URL:http://www.osvdb.org/21480
Reference: SECUNIA:17911
Reference: URL:http://secunia.com/advisories/17911

SQL injection vulnerability in index.php in PluggedOut Blog 1.9.5 and earlier allows remote attackers to execute arbitrary SQL commands via the (1) categoryid, (2) entryid, (3) year, (4) month, and (5) day parameter.

======================================================
Name: CVE-2005-4056
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4056
Reference: MISC:http://pridels.blogspot.com/2005/12/pluggedout-nexus-sqlxss-vuln_06.html
Reference: FRSIRT:ADV-2005-2751
Reference: URL:http://www.frsirt.com/english/advisories/2005/2751

SQL injection vulnerability in search.php in PluggedOut Nexus 0.1 allows remote attackers to execute arbitrary SQL commands via the (1) Location, (2) Last Name, and (3) First Name parameters.

======================================================
Name: CVE-2005-4057
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4057
Reference: MISC:http://pridels.blogspot.com/2005/12/pluggedout-nexus-sqlxss-vuln_06.html
Reference: FRSIRT:ADV-2005-2751
Reference: URL:http://www.frsirt.com/english/advisories/2005/2751

Cross-site scripting (XSS) vulnerability in search.php in PluggedOut Nexus 0.1 allows remote attackers to inject arbitrary web script or HTML via the (1) Location, (2) Last Name, and (3) First Name parameters.
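An added example, not from this thread nor from SMF, for the "forced invalid SQL error" discussion in the [KAPDA::#16] message above: it mimics the quoted PHP (lowercase, keep one character, wrap in single quotes) in Python over an in-memory SQLite table, and lets a triager classify what a hostile "start" value can achieve: a syntax error (error-message disclosure only), real injection, or nothing. The table rows, the probe values and the unbounded "raw" variant are constructed for the demo; the real SMF query uses SUBSTRING, spelled SUBSTR here for SQLite.

```python
import sqlite3

NAMES = ["alice", "bob", "carol", "xavier"]  # constructed sample rows
PREFIX = "SELECT realName FROM members WHERE LOWER(SUBSTR(realName, 1, 1)) < "


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (realName TEXT)")
    conn.executemany("INSERT INTO members VALUES (?)", [(n,) for n in NAMES])
    return conn


# --- how the application derives the value that reaches the query ---
def smf_value(start: str) -> str:
    """substr(strtolower($_REQUEST['start']), 0, 1): at most one character survives."""
    return start.lower()[:1]


def raw_value(start: str) -> str:
    """Hypothetical unbounded variant (not SMF): the whole request value is used."""
    return start


# --- how the value is placed into the SQL ---
def exec_concat(conn, value):
    """String concatenation inside single quotes, as the quoted PHP does."""
    return sorted(r[0] for r in conn.execute(PREFIX + "'" + value + "'"))


def exec_param(conn, value):
    """Bound parameter: the fix. The value is data and can never alter the statement."""
    return sorted(r[0] for r in conn.execute(PREFIX + "?", (value,)))


# "'[SQL]" is the demonstration value from the thread; the rest are constructed.
PROBES = ["a", "'[SQL]", "a' OR '1'='1", "a'--"]
SEVERITY = {"clean": 0, "error_leak": 1, "injection": 2}


def triage(value_fn, executor) -> str:
    """Compare the app's query with the parameterized meaning of the same value.
    Same rows: clean.  SQL error: error_leak (only an error message is exposed).
    Different rows: the value changed the statement, i.e. injection."""
    conn = fresh_db()
    worst = "clean"
    for probe in PROBES:
        value = value_fn(probe)
        intended = exec_param(conn, value)
        try:
            got = executor(conn, value)
        except sqlite3.OperationalError:  # what the application's error page would leak
            verdict = "error_leak"
        else:
            verdict = "clean" if got == intended else "injection"
        if SEVERITY[verdict] > SEVERITY[worst]:
            worst = verdict
    return worst


if __name__ == "__main__":
    print("SMF-style one-char truncation:", triage(smf_value, exec_concat))  # error_leak
    print("unbounded concatenation:      ", triage(raw_value, exec_concat))  # injection
    print("parameterized query:          ", triage(raw_value, exec_param))   # clean
```

The one-character case never gets past "error_leak" because a single quote can only break the literal, not extend the statement; the same comparison on the unbounded variant flips to "injection".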
From coley at mitre.org Sun Dec 11 03:21:11 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Dec 11 03:24:35 2005
Subject: [VIM] Verified PHP-addressbook view.php/id SQL injection
Message-ID: <200512110821.jBB8LBqf002784@cairo.mitre.org>

Verified the above issue via source code inspection. $id variable is injected directly into SQL; include files do not define it. See source extract below. Other issues are highly likely.

- Steve

=====================

http://locazo.net:81/applications/

SQL Injection Vulnerability found in "searchdb.asp" in versions 1.03c and prior. Please update to 1.04d as soon as possible or re-download the entire package.

Note: no mention of XSS. Source code inspection suggests a possibility of an XSS "fix" but not proof.

- Steve


From coley at mitre.org Tue Dec 13 00:42:51 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Dec 13 00:46:22 2005
Subject: [VIM] Ioannis Pomonis aka dr_insane
Message-ID: <200512130542.jBD5gpeZ014368@cairo.mitre.org>

Looks like dr_insane has changed homes from geocities or wherever he was.

http://www.ipomonis.com/advisories.htm

- Steve


From jericho at attrition.org Tue Dec 13 01:00:12 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Dec 13 01:00:19 2005
Subject: [VIM] Ioannis Pomonis aka dr_insane
In-Reply-To: <200512130542.jBD5gpeZ014368@cairo.mitre.org>
References: <200512130542.jBD5gpeZ014368@cairo.mitre.org>
Message-ID:

: Looks like dr_insane has changed homes from geocities or wherever he
: was.
:
: http://www.ipomonis.com/advisories.htm

Yep, he contacted OSVDB about a few new issues. Some of the files were in a .tar format and once extracted appeared to contain no details. He has since fixed/verified they contain the data.

Unfortunately, one of his issues (mdaemon) is really vague. The session ID weakness isn't clear if it can ONLY be used to log out a user, or for additional attacks such as reading their mail. By itself, guessing a 7 character alphanumeric string just to log someone out of the system is a nuisance at best.


From coley at linus.mitre.org Tue Dec 13 01:29:24 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Dec 13 01:33:00 2005
Subject: [VIM] Ioannis Pomonis aka dr_insane
In-Reply-To:
References: <200512130542.jBD5gpeZ014368@cairo.mitre.org>
Message-ID:

An interesting thing that I noticed was that his site linked to RFPolicy, but he doesn't have vendor disclosure timelines in his advisories and it's hard to tell if he coordinated.

On Tue, 13 Dec 2005, security curmudgeon wrote:

>
> : Looks like dr_insane has changed homes from geocities or wherever he
> : was.
> :
> : http://www.ipomonis.com/advisories.htm
>
> Yep, he contacted OSVDB about a few new issues. Some of the files were
> in a .tar format and once extracted appeared to contain no details. He
> has since fixed/verified they contain the data.
>
> Unfortunately, one of his issues (mdaemon) is really vague. The session
> ID weakness isn't clear if it can ONLY be used to log out a user, or for
> additional attacks such as reading their mail. By itself, guessing a 7
> character alphanumeric string just to log someone out of the system is a
> nuisance at best.
>


From smoore at securityglobal.net Tue Dec 13 01:46:25 2005
From: smoore at securityglobal.net (Stuart Moore)
Date: Tue Dec 13 01:50:18 2005
Subject: [VIM] possible Guestserver duplicate bug reports
Message-ID: <439E6E41.2010202@securityglobal.net>

Hi SF,

Possible duplicate in BID 15821 (Guestserver HTML injection reported by jaakko@ritke.fi) with BID 12232 [OSVDB 12846] (Guestserver HTML injection reported by SmOk3).

Stuart


From jericho at attrition.org Tue Dec 13 02:57:17 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Dec 13 02:58:24 2005
Subject: [VIM] [PHP-CHECKER] 99 potential SQL injection vulnerabilities (fwd)
Message-ID:

This is certainly interesting on several levels.

Doing a very brief scan of this, I see at least one issue that was found in the past week and vendor confirmed. I think there were one or two others that OSVDB had entries for (likely found before, just never patched).

Despite that, I'm wondering how accurate this is on the heels of the recent [KAPDA::#16] - SMF SQL Injection (and other) disclosures.

If it IS accurate, imagine running this tool on a dozen packages a day.. within six months, weeding out tens of thousands of SQL injections would be incredible.

---------- Forwarded message ----------
From: php-checker@glide.stanford.edu
To: bugtraq@securityfocus.com
Date: 11 Dec 2005 21:17:25 -0000
Subject: [PHP-CHECKER] 99 potential SQL injection vulnerabilities

Hi,

we are a group of Stanford researchers and we have recently developed an automated tool for detecting injection vulnerabilities in PHP. We ran our tool on the following list of software and found 99 potential security vulnerabilities (inspected bug reports attached below):

e107 -- v0.7
myBloggie -- v2.1.3beta
utopia NewPro -- v1.1.4
DCP Portal -- v6.1.1
PHP Webthings -- v1.4 patched

The tool detects unsanitized user input that subsequently flows into SQL queries. With slight modifications, it can also find potential XSS vulnerabilities by inspecting strings echo'ed back as HTML output.

Most of these seem remotely exploitable, and we have notified vendors of confirmed exploits. We decided not to publish exploits in the interest of web sites that have deployed such software.

More detailed information, including proof of concept exploits (vendor notified, and since patched), about the tool can be obtained from the links below. We'll appreciate any comments and feedback regarding the tool and the results.
Thanks,

Yichen Xie

For more information:
http://glide.stanford.edu/yichen/research/sec.ps
http://glide.stanford.edu/yichen/research/sec.pdf

==========
PHP-fusion
==========

==============
Utopia NewsPro
==============

8 potentially exploitable vulnerabilities

ERROR: ./editnews.php:@main: _POST#g["newsid"]
----------------------------------------------
This error occurs at lines 24-25 in editnews.php. User input _POST["newsid"] may directly flow into the SQL query below, resulting in a potentially exploitable SQL injection vulnerability.

ERROR: ./faq.php:@main: _GET#g["catid"]
---------------------------------------
This error occurs at lines 61-62 in faq.php. We believe user input _GET["catid"] is improperly checked in the following line: the regular expression seems to only check the existence of a number. It is probably missing "^" and "$" that ensure "catid" _is_ a number.

ERROR: ./faq.php:@main: _GET#g["question"]
------------------------------------------
Lines 107-108 in faq.php. Similar to the above.

ERROR: ./postnews.php:@main: _POST#g["poster"]
----------------------------------------------
Line 28: $newsposter is not validated before being passed into the query string at line 42.

ERROR: ./templates.php:@main: _POST#g["tempid"]
-----------------------------------------------
Line 33: $tempid is not validated before being passed into the query string at line 40.

ERROR: ./users.php:@main: _GET#g["userid"]
------------------------------------------
Line 256: $userid is not properly validated: the regular expression at line 262 checks the existence of a number in $userid. Missing "^" and "$"?

ERROR: ./users.php:@main: _POST#g["groupid"]
--------------------------------------------
Line 31: $groupid is not validated before being passed into the query string at line 72.

ERROR: ./users.php:@main: _POST#g["userid"]
-------------------------------------------
Line 29: $userid is not validated before being passed into the query string at line 54.

======
e107
======

ERROR: ./signup.php:@main: _POST#g["email"]
-------------------------------------------
Line 256: malformed $_POST['email'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["hideemail"]
-----------------------------------------------
Line 336: malformed $_POST['hideemail'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["image"]
-------------------------------------------
Line 336: malformed $_POST['image'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["realname"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["signature"]
-----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["timezone"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["xupexist"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./subcontent.php:@main: _POST#g["content_comment"]
ERROR: ./subcontent.php:@main: _POST#g["content_rating"]
ERROR: ./subcontent.php:@main: _POST#g["content_summary"]
---------------------------------------------------------
Line 119: Similar to the above.

ERROR: ./upload.php:@main: _POST#g["download_category"]
ERROR: ./upload.php:@main: _POST#g["file_demo"]
-------------------------------------------------------
Line 59

ERROR: ./usersettings.php:@main: _POST#g["email"]
-------------------------------------------------
Line 201: validity check of _POST["email"] does not prevent SQL injection into query string at Line 205.

ERROR: ./usersettings.php:@main: _POST#g["hideemail"]
-----------------------------------------------------
Use of non-validated input _POST["hideemail"] at line 276.

ERROR: ./usersettings.php:@main: _POST#g["user_timezone"]
---------------------------------------------------------
Same as above.

ERROR: ./usersettings.php:@main: _POST#g["user_xup"]
----------------------------------------------------
Same as above.

===========
myBloggie
===========

16 potentially exploitable vulnerabilities

ERROR: ./login.php:@main: _POST#g["username"]
---------------------------------------------
Def: Line 41; Use: line 65 (fixed by the recent patch)

ERROR: ./add.php:@main: _POST#g["category"]
-------------------------------------------
$cat_id defined at line 203 may cause SQL injection in query string at line 268.

ERROR: ./addcat.php:@main: _POST#g["cat_desc"]
----------------------------------------------
$cat_desc defined at line 73, and passed into SQL query at line 79.

ERROR: ./adduser.php:@main: _POST#g["level"]
--------------------------------------------
$level defined at line 48, and passed into SQL query at line 74.

ERROR: ./adduser.php:@main: _POST#g["user"]
-------------------------------------------
$user defined at line 46, and used in query string at line 50.

ERROR: ./del.php:@main: _GET#g["post_id"]
-----------------------------------------
Def: line 35; Use: line 44

ERROR: ./delcat.php:@main: _GET#g["cat_id"]
-------------------------------------------
Def: line 44; Use: line 52

ERROR: ./delcomment.php:@main: HTTP_GET_VARS#g["comment_id"]
------------------------------------------------------------
Line 35: inappropriate validation with "intval"

ERROR: ./deluser.php:@main: _GET#g["id"]
----------------------------------------
Def: line 45; Use: line 53

ERROR: ./edit.php:@main: _GET#g["post_id"]
------------------------------------------
Def: line 31; Use: line 43, 45

ERROR: ./edit.php:@main: _POST#g["category"]
--------------------------------------------
Def: line 195; Use: line 228

ERROR: ./editcat.php:@main: _GET#g["cat_id"]
--------------------------------------------
Def: line 64; Use: line 66

ERROR: ./editcat.php:@main: _POST#g["cat_desc"]
-----------------------------------------------
Def: line 83; Use: line 84

ERROR: ./edituser.php:@main: _GET#g["id"]
-----------------------------------------
Def: line 47; Use: line 50

ERROR: ./edituser.php:@main: _POST#g["level"]
---------------------------------------------
Def: line 94; Use: line 97, 103

ERROR: ./edituser.php:@main: _POST#g["user"]
--------------------------------------------
Def: line 71; Use: line 97, 103

===============
PHP Webthings
===============

20 potentially exploitable SQL injection vulnerabilities

ERROR: ./download.php:@main: _GET#g["ref"]
------------------------------------------
bug in function draw_download_categories (used in download.php), defined in modules/downloads/functions.php. $ref1 holds user input $_GET["ref"] (line 33) and is used in a query on line 41.

ERROR: ./forum.php:@main: _GET#g["direction"]
---------------------------------------------
bug occurs in function draw_fs_small (used in forum.php, line 231) defined in modules/downloads/functions.php. $direction holds user input $_GET['direction'] and is subsequently used in construction of SQL queries.

ERROR: ./forum.php:@main: _POST#g["direction"]
----------------------------------------------
same as above.

ERROR: ./forum.php:@main: _GET#g["forum"]
-----------------------------------------
Line 22 in forum.php.

ERROR: ./forum.php:@main: _GET#g["msg"]
---------------------------------------
forum.php: Line 58.

ERROR: ./forum.php:@main: _GET#g["sforum"]
------------------------------------------
bug occurs in function draw_fs_form (used in forum.php, line 186) defined in modules/downloads/functions.php. $forumcod is defined using $_GET["sforum"], and subsequently used in construction of SQL queries.
ERROR: ./forum.php:@main: _POST#g["sforum"] ------------------------------------------- same as above ERROR: ./forum.php:@main: _POST#g["reason"] ------------------------------------------- modules/forum/movetopic.php: defined on line 74 and 80, used on line 90 ERROR: ./forum.php:@main: _REQUEST#g["forum"] --------------------------------------------- defined: forum.php: line 124. used: modules/forum/split.php: line 2 ERROR: ./forum.php:@main: _REQUEST#g["msg"] ------------------------------------------- defined: forum.php: line 122. used: modules/forum/split.php: line 2 ERROR: ./forum.php:@main: _REQUEST#g["subname"] ----------------------------------------------- defined: line 135, used line 139 ERROR: ./forum.php:@main: _REQUEST#g["toforum"] ----------------------------------------------- defined: forum.php: line 110 used: modules/forum/movetopic.php: line 62 ERROR: ./forum_edit.php:@main: _GET#g["msg"] -------------------------------------------- line 25 ERROR: ./forum_edit.php:@main: _GET#g["forum"] ---------------------------------------------- line 25 ERROR: ./forum_write.php:@main: _GET#g["forum"] ----------------------------------------------- invokes forum_edit.php, same as above. ERROR: ./forum_write.php:@main: _GET#g["msg"] --------------------------------------------- invokes forum_edit.php, same as above. 
ERROR: ./forum_write.php:@main: _POST#g["msg"] ---------------------------------------------- modules/forum/write.php: def: line 85, use line 88 ERROR: ./guestbook.php:@main: _POST#g["tekst"] ---------------------------------------------- modules/guestbook/functions.php: def:line 202, use: line 203 ERROR: ./index.php:@main: _REQUEST#g["menuoption"] -------------------------------------------------- def: index.php: line 7 use: core/theme.php: line 148 ERROR: ./myaccount.php:@main: _POST#g["sel_avatar"] --------------------------------------------------- def: line 186 use: line 195 ============ DCP Portal ============ ERROR: ./advertiser.php:@main: _POST#g["password"] -------------------------------------------------- Line 50 ERROR: ./advertiser.php:@main: _POST#g["username"] -------------------------------------------------- Line 50 ERROR: ./annoucement.php:@main: _GET#g["aid"] --------------------------------------------- Line 13 ERROR: ./calendar.php:@main: _COOKIE#g["dcp5_member_id"] -------------------------------------------------------- Def: line 23. Use: line 65-66 ERROR: ./calendar.php:@main: _POST#g["year"] -------------------------------------------- Def: line 38. Use: line 65-66 ERROR: ./calendar.php:@main: _REQUEST#g["agid"] ----------------------------------------------- Line 215-216 ERROR: ./calendar.php:@main: _REQUEST#g["day"] ---------------------------------------------- Def: line 38. Use: line 65-66 ERROR: ./calendar.php:@main: _REQUEST#g["day_s"] ------------------------------------------------ Line 209-210 ERROR: ./calendar.php:@main: _REQUEST#g["hour"] ----------------------------------------------- Line 209-210 ERROR: ./calendar.php:@main: _REQUEST#g["minute"] ------------------------------------------------- Line 209-210 ERROR: ./calendar.php:@main: _REQUEST#g["month"] ------------------------------------------------ Def: line 41. 
Use: line 65-66 ERROR: ./calendar.php:@main: _REQUEST#g["month_s"] -------------------------------------------------- Line 209-210 ERROR: ./calendar.php:@main: _REQUEST#g["year"] ----------------------------------------------- Def: line 41. Use: line 65-66 ERROR: ./calendar.php:@main: _REQUEST#g["year_s"] ------------------------------------------------- Line 209-210 ERROR: ./contents.php:@main: _GET#g["cid"] ------------------------------------------ Line 15 ERROR: ./forums.php:@main: _COOKIE#g["dcp5_member_id"] ------------------------------------------------------ Line 93, UserValid uses _COOKIE#g["dcp5_member_id"] in query. ERROR: ./forums.php:@main: _GET#g["bid"] ---------------------------------------- Line 87 ERROR: ./forums.php:@main: _GET#g["mid"] ---------------------------------------- Line 161 ERROR: ./forums.php:@main: _POST#g["mid"] ----------------------------------------- Line 221 ERROR: ./go.php:@main: _GET#g["bid"] ------------------------------------ Line 9 ERROR: ./golink.php:@main: _GET#g["lid"] ---------------------------------------- Line 9 ERROR: ./inbox.php:@main: _COOKIE#g["dcp5_member_id"] ----------------------------------------------------- Line 9, UserValid uses _COOKIE#g["dcp5_member_id"] in query. 
ERROR: ./inbox.php:@main: _GET#g["mid"] --------------------------------------- Line 239 ERROR: ./index.php:@main: _GET#g["catid"] ----------------------------------------- Line 234 ERROR: ./index.php:@main: _GET#g["cid"] --------------------------------------- Line 60 ERROR: ./index.php:@main: _GET#g["dcat"] ---------------------------------------- Line 306 ERROR: ./index.php:@main: _GET#g["dl"] -------------------------------------- Line 370 ERROR: ./index.php:@main: _GET#g["doc"] --------------------------------------- Line 328 ERROR: ./index.php:@main: _GET#g["lcat"] ---------------------------------------- Line 252 ERROR: ./index.php:@main: _GET#g["uid"] --------------------------------------- Line 538 ERROR: ./informer.php:@main: _COOKIE#g["dcp5_member_id"] -------------------------------------------------------- Line 9, UserValid ERROR: ./lostpassword.php:@main: _POST#g["email"] ------------------------------------------------- Line 91 ERROR: ./mycontents.php:@main: _COOKIE#g["dcp5_member_id"] ---------------------------------------------------------- Line 9, UserValid ERROR: ./news.php:@main: _GET#g["nid"] -------------------------------------- Line 13 ERROR: ./rate.php:@main: _GET#g["cid"] -------------------------------------- Line 9 ERROR: ./rate.php:@main: _GET#g["type"] --------------------------------------- Line 17 ERROR: ./rate.php:@main: _POST#g["rate"] ---------------------------------------- Line 17 ERROR: ./search.php:@main: _POST#g["q"] --------------------------------------- Line 20, 28, 36... ERROR: ./update.php:@main: _COOKIE#g["dcp5_member_id"] ------------------------------------------------------ Line 9 From coley at linus.mitre.org Tue Dec 13 03:06:30 2005 From: coley at linus.mitre.org (Steven M. 
Christey) Date: Tue Dec 13 03:10:04 2005 Subject: [VIM] [PHP-CHECKER] 99 potential SQL injection vulnerabilities (fwd) In-Reply-To: References: Message-ID: OK, they parse into Abstract Syntax Trees and use control flow graphs, they're definitely better than mine. Nice. Ah, the work someone wishes they could have done but didn't have the time to do ;-) - Steve From jericho at attrition.org Tue Dec 13 03:36:55 2005 From: jericho at attrition.org (security curmudgeon) Date: Tue Dec 13 03:37:04 2005 Subject: [VIM] [PHP-CHECKER] 99 potential SQL injection vulnerabilities (fwd) In-Reply-To: References: Message-ID: : OK, they parse into Abstract Syntax Trees and use control flow graphs, : they're definitely better than mine. Nice. Does this mean that the program isn't prone to finding the sql errors that are not true sql injections? If so.. =) From coley at linus.mitre.org Tue Dec 13 03:01:59 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue Dec 13 03:45:47 2005 Subject: [VIM] [PHP-CHECKER] 99 potential SQL injection vulnerabilities (fwd) In-Reply-To: References: Message-ID: arrrgggghhhhhhhh!!!! and r0t was chilling out finally! :) I wonder how they compare to my little lame-o checker... seems like they're being a bit smarter. - Steve From coley at linus.mitre.org Tue Dec 13 03:58:13 2005 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue Dec 13 04:01:46 2005 Subject: [VIM] [PHP-CHECKER] 99 potential SQL injection vulnerabilities (fwd) In-Reply-To: References: Message-ID: On Tue, 13 Dec 2005, security curmudgeon wrote: > : OK, they parse into Abstract Syntax Trees and use control flow graphs, > : they're definitely better than mine. Nice. > > Does this mean that the program isn't prone to finding the sql errors > that are not true sql injections? If so.. =) You got me there, it's probably only good at spotting untrusted/uncleansed input. Still a big deal better than glorified grep! 
And bad news for us VDBs if everyone gets their hands on it, as you suggested.

- Steve

From coley at linus.mitre.org Tue Dec 13 23:24:57 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Dec 13 23:29:01 2005
Subject: [VIM] Re: IMOEL CMS Sql password discovery (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Tue, 13 Dec 2005 23:23:30 -0500 (EST)
From: Steven M. Christey
To: silversmith@ashiyane.com
Cc: bugtraq@securityfocus.com
Subject: Re: IMOEL CMS Sql password discovery

Hello,

>IMOEL CMS has the weakness to download the plain text sql password in
>the setting.php file
>
>*/*************************************
>$setting['host']['username'] = 'sqlusername';
>$setting['host']['password'] = 'sqlpassword';
>
>***************************************
>so u can download the setting.php file & view the plain text password

These commands appear within a "<?php ... ?>" construct, so on a properly configured web server, I would think that the code would be executed due to the ".php" extension. So there would not be any leak to a remote attacker unless the attacker used some other vulnerability to obtain the file. Or is this a concern for multiple users on the same server?

(I don't know PHP that well so apologies if this is a dumb question.)

- Steve

From mattmurphy at kc.rr.com Tue Dec 13 23:50:03 2005
From: mattmurphy at kc.rr.com (Matthew Murphy)
Date: Tue Dec 13 23:53:41 2005
Subject: [VIM] Re: IMOEL CMS Sql password discovery (fwd)
In-Reply-To:
References:
Message-ID: <439FA47B.4090602@kc.rr.com>

Steven M. Christey wrote:
>
> ---------- Forwarded message ----------
> Date: Tue, 13 Dec 2005 23:23:30 -0500 (EST)
> From: Steven M. Christey
> To: silversmith@ashiyane.com
> Cc: bugtraq@securityfocus.com
> Subject: Re: IMOEL CMS Sql password discovery
>
>
> Hello,
>
>
>>IMOEL CMS has the weakness to download the plain text sql password in
>>the setting.php file
>>
>>*/*************************************
>>$setting['host']['username'] = 'sqlusername';
>>$setting['host']['password'] = 'sqlpassword';
>>
>>***************************************

The only case where that is an issue is if the file is disclosed in its entirety. The executed file will not reveal the password. At best, it is a weakness, and not an independent vulnerability.

I'd classify it as a non-issue, because the APIs for authenticating to mysql DBs, AFAIK, all require plain passwords. There's not much the script author could do about this, other than using (reversible) encryption, which would cost a cracker a few extra seconds.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein

From coley at mitre.org Wed Dec 14 00:27:37 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed Dec 14 00:31:19 2005
Subject: [VIM] PhpWebThings mess
Message-ID: <200512140527.jBE5RbD3021265@cairo.mitre.org>

Haven't investigated the whole thing, especially other people's DBs, but it's messy enough that some ppl might have missed something.
1) the PHP-CHECKER report includes overlapping attack vectors with older vulns in PhpWebThings (actually it does this for a couple products). CVE pending.

2) CVE-2005-3585
   BUGTRAQ:20051105 XSS & SQL injection in phpWebThing
   http://marc.theaimsgroup.com/?l=bugtraq&m=113122187101383&w=2
   vector: forum.php/forum parameter

3) CVE-2005-4218 (pending) is a retrogod exploit for the forum parameter in CVE-2005-3585, but also adds "a more critical injection in msg parameter that works with magic_quotes_gpc on"
   http://rgod.altervista.org/phpwebth14_xpl.html

From coley at linus.mitre.org Wed Dec 14 00:47:43 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Dec 14 00:51:20 2005
Subject: [VIM] PhpWebThings mess
In-Reply-To: <200512140527.jBE5RbD3021265@cairo.mitre.org>
References: <200512140527.jBE5RbD3021265@cairo.mitre.org>
Message-ID:

Ditto on DCP Portal, too. I am *so* glad a team member slogged through this and not me :)

From coley at linus.mitre.org Wed Dec 14 00:59:25 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Dec 14 01:03:02 2005
Subject: [VIM] Security Vulnerabilities reported in UNP (fwd)
Message-ID:

Still haven't heard back from whoever it was I sent another inquiry to a few days ago.

---------- Forwarded message ----------
Date: Wed, 14 Dec 2005 00:57:34 -0500 (EST)
From: Steven M. Christey
To: utopiasupport@gmail.com
Cc: coley@mitre.org
Subject: Security Vulnerabilities reported in UNP

Hello,

I am a computer security professional and the editor for the Common Vulnerabilities and Exposures (CVE) project. CVE is a list of software vulnerabilities, and it is widely used in the computer security industry. It is sponsored by the US Department of Homeland Security.

Recently, some vulnerabilities in your product were reported to public sources. References and a description are included below.

Are these vulnerability reports accurate? If so, then are the problems fixed, and in which versions?

For your convenience, I will share your response with other vulnerability information sources unless you request otherwise.

Thank you,

Steve Christey
Principal Information Security Engineer
CVE Editor
The MITRE Corporation

======================================================
Name: CVE-2005-3200
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3200
Reference: BUGTRAQ:20051007 Utopia News Pro 1.1.3 SQL Injection / cross site scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112872691119874&w=2
Reference: BID:15027
Reference: URL:http://www.securityfocus.com/bid/15027
Reference: SECUNIA:17115
Reference: URL:http://secunia.com/advisories/17115/
Reference: XF:utopianewspro-header-footer-xss(22554)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22554

Multiple cross-site scripting (XSS) vulnerabilities in Utopia News Pro 1.1.3 and 1.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the sitetitle parameter in header.php and (2) the version and (3) query_count parameters in footer.php.

======================================================
Name: CVE-2005-3201
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3201
Reference: BUGTRAQ:20051007 Utopia News Pro 1.1.3 SQL Injection / cross site scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112872691119874&w=2
Reference: BID:15028
Reference: URL:http://www.securityfocus.com/bid/15028
Reference: SECUNIA:17115
Reference: URL:http://secunia.com/advisories/17115/
Reference: XF:utopianewspro-news-sql-injection(22555)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22555

SQL injection vulnerability in news.php for Utopia News Pro (UNP) 1.1.3, when magic_quotes_gpc is disabled and register_globals is enabled, allows remote attackers to execute arbitrary SQL via the newsid parameter.

======================================================
Name: CVE-2005-4223
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4223
Reference: BUGTRAQ:20051211 [PHP-CHECKER] 99 potential SQL injection vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/419280/100/0/threaded
Reference: MISC:http://glide.stanford.edu/yichen/research/sec.pdf
Reference: FRSIRT:ADV-2005-2859
Reference: URL:http://www.frsirt.com/english/advisories/2005/2859
Reference: SECUNIA:17988
Reference: URL:http://secunia.com/advisories/17988/

Multiple "potential" SQL injection vulnerabilities in Utopia News Pro (UNP) 1.1.4 might allow remote attackers to execute arbitrary SQL commands via (1) the newsid parameter in editnews.php, (2) the catid and question parameters in faq.php, (3) the poster parameter in postnews.php, (4) the tempid parameter in templates.php, and (5) the userid and groupid parameters in users.php.

From coley at mitre.org Wed Dec 14 01:54:40 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed Dec 14 01:58:19 2005
Subject: [VIM] Verified EveryAuction "searchstring" XSS
Message-ID: <200512140654.jBE6sehG021691@cairo.mitre.org>

I verified the EveryAuction "searchstring" via source inspection in auction.pl of EveryAuction version 1.53:

>local %form = &get_form_data;
>if ($form{'action'} eq 'new') { &new; }
>...
>
>elsif ($form{'action'} eq 'search') { &procsearch; }
>
>...
>
>sub procsearch {
> print "
> Search Results - $form{'searchstring'}
> \n";

get_form_data() just does basic URL conversion.

Enlightened disinterest behooves me to speak not of additional likely issues discovered during verification.

- Steve

From jericho at attrition.org Wed Dec 14 02:03:36 2005
From: jericho at attrition.org (security curmudgeon)
Date: Wed Dec 14 02:03:39 2005
Subject: [VIM] PhpWebThings mess
In-Reply-To: <200512140527.jBE5RbD3021265@cairo.mitre.org>
References: <200512140527.jBE5RbD3021265@cairo.mitre.org>
Message-ID:

: Haven't investigated the whole thing, especially other people's DBs, but
: it's messy enough that some ppl might have missed something.

Yep, I commented on this today (blog entry). One of the myBloggie issues was previously disclosed, and five of the PHP WebThings were.

From coley at linus.mitre.org Wed Dec 14 02:14:44 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Dec 14 02:18:21 2005
Subject: [VIM] inquiry sent to Link Up Gold vendor
Message-ID:

inquiry on r0t-discovered XSS/SQL sent to:

  http://www.phpwebscripts.com/contact.html

regarding:

  http://pridels.blogspot.com/2005/12/link-up-gold-vuln.html

he's baaaaaaack!

From coley at linus.mitre.org Wed Dec 14 11:28:55 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Dec 14 21:28:51 2005
Subject: [VIM] Re: Security vulnerabilities in Link Up Gold (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Wed, 14 Dec 2005 11:37:12 +0100
From: PHP Web Scripts
To: coley@mitre.org
Subject: Re: Security vulnerabilities in Link Up Gold

Hello Steve,

Thank you for informing us. Yes, the report was accurate and the issues mentioned on your pages have been fixed. We also fixed the issues in Ad Manager Pro listed at http://pridels.blogspot.com/2005/12/ad-manager-pro-sql-vuln.html.

Regards

From coley at mitre.org Thu Dec 15 01:47:00 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu Dec 15 10:11:56 2005
Subject: [VIM] ASP-DEV XM Forum RC3 XSS - unable to verify
Message-ID: <200512150647.jBF6l0kV021294@cairo.mitre.org>

Apparent reporter: Dj_Eyes

BID: 15858

Original report not locatable.

Claim: XSS in forum.asp via forum_title, in ASP-DEV XM Forum RC3

Problem:

> lynx 'http://www.asp-dev.com/download.asp?did=1'
> unzip ASPXMForum-RC3.zip
> cd Forum_RC3/
> grep -i forum_title `find . -type file`
--> yields nothing

> grep -i forum_id `find . -type file`
--> yields nothing

(and leave me alone about my little find lameness)

Note: might be AliveSites instead.

- Steve

From coley at mitre.org Wed Dec 14 23:27:12 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu Dec 15 10:14:56 2005
Subject: [VIM] Utopia News Pro issues acknowledged/fixed
Message-ID: <200512150427.jBF4RCdX020375@cairo.mitre.org>

After a couple email exchanges to help explain the specifics of the issues to the developer, fixes have been posted to the web site within a day of my initial email inquiry. See CVE's below.

The "Utopia News Pro File Updates" news item on December 15, 2005 says "The header and footer files of UNP have been updated to reflect increasing security awareness."
- Steve

======================================================
Name: CVE-2005-3200
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3200
Reference: BUGTRAQ:20051007 Utopia News Pro 1.1.3 SQL Injection / cross site scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112872691119874&w=2
Reference: CONFIRM:http://www.utopiasoftware.net/
Reference: BID:15027
Reference: URL:http://www.securityfocus.com/bid/15027
Reference: SECUNIA:17115
Reference: URL:http://secunia.com/advisories/17115/
Reference: XF:utopianewspro-header-footer-xss(22554)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22554

Multiple cross-site scripting (XSS) vulnerabilities in Utopia News Pro (UNP) 1.1.3 and 1.1.4 allow remote attackers to inject arbitrary web script or HTML via (1) the sitetitle parameter in header.php and (2) the version and (3) query_count parameters in footer.php.

======================================================
Name: CVE-2005-3201
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3201
Reference: BUGTRAQ:20051007 Utopia News Pro 1.1.3 SQL Injection / cross site scripting
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112872691119874&w=2
Reference: CONFIRM:http://www.utopiasoftware.net/
Reference: BID:15028
Reference: URL:http://www.securityfocus.com/bid/15028
Reference: SECUNIA:17115
Reference: URL:http://secunia.com/advisories/17115/
Reference: XF:utopianewspro-news-sql-injection(22555)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22555

SQL injection vulnerability in news.php for Utopia News Pro (UNP) 1.1.3, when magic_quotes_gpc is disabled and register_globals is enabled, allows remote attackers to execute arbitrary SQL via the newsid parameter.

======================================================
Name: CVE-2005-4223
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4223
Reference: BUGTRAQ:20051211 [PHP-CHECKER] 99 potential SQL injection vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/419280/100/0/threaded
Reference: BUGTRAQ:20051212 [PHP-CHECKER] 99 potential SQL injection vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/419487/100/0/threaded
Reference: MISC:http://glide.stanford.edu/yichen/research/sec.pdf
Reference: FRSIRT:ADV-2005-2859
Reference: URL:http://www.frsirt.com/english/advisories/2005/2859
Reference: OSVDB:21645
Reference: URL:http://www.osvdb.org/21645
Reference: OSVDB:21646
Reference: URL:http://www.osvdb.org/21646
Reference: OSVDB:21647
Reference: URL:http://www.osvdb.org/21647
Reference: OSVDB:21648
Reference: URL:http://www.osvdb.org/21648
Reference: OSVDB:21649
Reference: URL:http://www.osvdb.org/21649
Reference: SECUNIA:17988
Reference: URL:http://secunia.com/advisories/17988/

Multiple "potential" SQL injection vulnerabilities in Utopia News Pro (UNP) 1.1.4 might allow remote attackers to execute arbitrary SQL commands via (1) the newsid parameter in editnews.php, (2) the catid and question parameters in faq.php, (3) the poster parameter in postnews.php, (4) the tempid parameter in templates.php, and (5) the userid and groupid parameters in users.php.

From coley at linus.mitre.org Thu Dec 15 02:01:02 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu Dec 15 10:51:09 2005
Subject: [VIM] Re: ASP-DEV XM Forum RC3 XSS - unable to verify
In-Reply-To: <200512150647.jBF6l0kV021294@cairo.mitre.org>
References: <200512150647.jBF6l0kV021294@cairo.mitre.org>
Message-ID:

By the way, "posts.asp" (CVE-2005-1008) does not appear to exist in the source code for ASP-DEV XM Forum RC3; it might be post.asp.

On Thu, 15 Dec 2005, Steven M. Christey wrote:

>
> Apparent reporter: Dj_Eyes
>
> BID: 15858
>
> Original report not locatable.
>
> Claim: XSS in forum.asp via forum_title, in ASP-DEV XM Forum RC3
>
> Problem:
>
> > lynx 'http://www.asp-dev.com/download.asp?did=1'
> > unzip ASPXMForum-RC3.zip
> > cd Forum_RC3/
> > grep -i forum_title `find . -type file`
> --> yields nothing
>
> > grep -i forum_id `find . -type file`
> --> yields nothing
>
> (and leave me alone about my little find lameness)
>
>
> Note: might be AliveSites instead.
>
>
> - Steve
>

From coley at mitre.org Fri Dec 16 15:49:21 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sat Dec 17 18:57:15 2005
Subject: [VIM] StaticStore XSS - Vendor disputes, but I dispute the dispute
Message-ID: <200512162049.jBGKnLWP004156@cairo.mitre.org>

I sent StaticStore a request to acknowledge the XSS issue as reported by r0t in StaticStore Search Engine 1.189A for search.cgi.

The vendor disputed saying "No, it is not accurate - please show me proof of the vulnerability. If your site cannot show proof, I would appreciate you removing the misinformation from your site. If this is not done by the first day of next week I will be forced to contact both Blogger and ask our attorney to handle this matter."

Since the vendor requested proof, I showed how a basic XSS injection was possible on the demo site. I also informed the vendor about how XSS is number 4 on OWASP's "Top Ten Web Application" vulnerabilities list, and that best practices - as advocated by the National Infrastructure Advisory Council's "Vulnerability Disclosure Framework" - requires a security response contact, which StaticStore did not have, forcing me to contact a sales address.

I am now patiently awaiting response.

Can anyone else confirm that this issue is real?
- Steve ====================================================== Name: CVE-2005-4284 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4284 Reference: MISC:http://pridels.blogspot.com/2005/12/staticstore-search-engine-friendly-e.html Reference: BID:15895 Reference: URL:http://www.securityfocus.com/bid/15895 Reference: FRSIRT:ADV-2005-2915 Reference: URL:http://www.frsirt.com/english/advisories/2005/2915 Reference: SECUNIA:18037 Reference: URL:http://secunia.com/advisories/18037 ** DISPUTED ** Cross-site scripting (XSS) vulnerability in StaticStore Search Engine 1.189A and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to search.cgi, possibly the keywords parameter. NOTE: this issue has been disputed by the vendor, saying "No, it is not accurate - please show me proof of the vulnerability. If your site cannot show proof, I would appreciate you removing the misinformation from your site. If this is not done by the first day of next week I will be forced to contact both Blogger and ask our attorney to handle this matter." CVE then provided the vendor with concrete proof that the issue is real. CVE is now awaiting a response. From smoore at securityglobal.net Sat Dec 17 20:39:53 2005 From: smoore at securityglobal.net (Stuart Moore) Date: Sat Dec 17 22:18:33 2005 Subject: [VIM] StaticStore XSS - Vendor disputes, but I dispute the dispute In-Reply-To: <200512162049.jBGKnLWP004156@cairo.mitre.org> References: <200512162049.jBGKnLWP004156@cairo.mitre.org> Message-ID: <43A4BDE9.5090300@securityglobal.net> Steve, It seems that the vendor may have fixed at least part of their demo site. But the search script that is part of the administrative interface demo is still vulnerable: http://www.staticstore.com/cgi-bin/demo/admin/admin11.cgi?keywords="> The code escapes the single quote character, so some minor trickiness is required. 
I wouldn't ordinarily have wasted my time on this, but references to attorneys are usually a sure sign of problems in the code and are annoying for sure. Stuart Steven M. Christey wrote: > I sent StaticStore a request to acknowledge the XSS issue as reported > by r0t in StaticStore Search Engine 1.189A for search.cgi. > > The vendor disputed saying "No, it is not accurate - please show me > proof of the vulnerability. If your site cannot show proof, I would > appreciate you removing the misinformation from your site. If this is > not done by the first day of next week I will be forced to contact > both Blogger and ask our attorney to handle this matter." > > Since the vendor requested proof, I showed how a basic XSS injection > was possible on the demo site. I also informed the vendor about how > XSS is number 4 on OWASP's "Top Ten Web Application" vulnerabilities > list, and that best practices - as advocated by the National > Infrastructure Advisory Council's "Vulnerability Disclosure Framework" > - requires a security response contact, which StaticStore did not > have, forcing me to contact a sales address. > > I am now patiently awaiting response. > > Can anyone else confirm that this issue is real? 
>
> - Steve
>
>
> ======================================================
> Name: CVE-2005-4284
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4284
> Reference: MISC:http://pridels.blogspot.com/2005/12/staticstore-search-engine-friendly-e.html
> Reference: BID:15895
> Reference: URL:http://www.securityfocus.com/bid/15895
> Reference: FRSIRT:ADV-2005-2915
> Reference: URL:http://www.frsirt.com/english/advisories/2005/2915
> Reference: SECUNIA:18037
> Reference: URL:http://secunia.com/advisories/18037
>
> ** DISPUTED **
>
> Cross-site scripting (XSS) vulnerability in StaticStore Search Engine 1.189A and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to search.cgi, possibly the keywords parameter. NOTE: this issue has been disputed by the vendor, saying "No, it is not accurate - please show me proof of the vulnerability. If your site cannot show proof, I would appreciate you removing the misinformation from your site. If this is not done by the first day of next week I will be forced to contact both Blogger and ask our attorney to handle this matter." CVE then provided the vendor with concrete proof that the issue is real. CVE is now awaiting a response.
>
>

--
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore@securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax

-------------- next part --------------
A non-text attachment was scrubbed...
Name: staticcart xss.jpg
Type: image/jpeg
Size: 53226 bytes
Desc: not available
Url : http://www.attrition.org/pipermail/vim/attachments/20051217/20188edf/staticcartxss-0001.jpg

From coley at mitre.org Fri Dec 16 02:01:08 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sat Dec 17 23:12:06 2005
Subject: [VIM] Vendor ACK inquiries sent - PDEstore, StaticStore
Message-ID: <200512160701.jBG718iV029392@cairo.mitre.org>

Vendor inquiries sent for CVE-2005-4285 (PDEstore XSS) and CVE-2005-4284 (StaticStore XSS), both r0t ventures.

I've sent various others but am not great about forwarding them all to VIM. Vendor communications tracking is completely ad hoc.

- Steve

From coley at mitre.org Sat Dec 17 16:05:38 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Dec 18 11:11:38 2005
Subject: [VIM] ACK Inquiry sent on Blackboard Systems
Message-ID: <200512172105.jBHL5cDj011469@cairo.mitre.org>

Re: the Blackboard Academic Suite / Learning and Community Portal System issues as reported by dr_insane (CVE-2005-4337, CVE-2005-4338, CVE-2005-4339, CVE-2005-4340, CVE-2005-4341).

This seems heavily used, so I tried to send an inquiry.

Everything on the site required registration, so I was forced to use the web feedback form at:

http://www.blackboard.com/company/contactother.aspx?c=Website

The first sentence of the inquiry says:

I am trying to inquire about multiple security vulnerabilities in your product, but I cannot contact tech support because registration is required.

:-)

- Steve

From coley at mitre.org Sat Dec 17 13:53:18 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Dec 18 11:12:09 2005
Subject: [VIM] StaticStore vendor ACK of XSS issue (CVE-2005-4284)
Message-ID: <200512171853.jBHIrID2010873@cairo.mitre.org>

After a bit of confusion, the vendor has now acknowledged the search.cgi XSS issue:

  The vulnerability has been corrected... thank you for bringing that to our attention and the patched "search.cgi" has been emailed to all customers and posted for download on our private forums.
- Steve

======================================================
Name: CVE-2005-4284
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4284
Reference: MISC:http://pridels.blogspot.com/2005/12/staticstore-search-engine-friendly-e.html
Reference: BID:15895
Reference: URL:http://www.securityfocus.com/bid/15895
Reference: FRSIRT:ADV-2005-2915
Reference: URL:http://www.frsirt.com/english/advisories/2005/2915
Reference: SECUNIA:18037
Reference: URL:http://secunia.com/advisories/18037

Cross-site scripting (XSS) vulnerability in StaticStore Search Engine 1.189A and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified parameters to search.cgi, possibly the keywords parameter. NOTE: this issue was originally disputed by the vendor, but it has since been acknowledged.

From coley at mitre.org Sun Dec 18 14:58:10 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sun Dec 18 14:58:20 2005
Subject: [VIM] Adobe/Macromedia MPSB05-11 addresses CVE-2005-4216
Message-ID: <200512181958.jBIJwAOF017065@cairo.mitre.org>

Just confirmed with Adobe PSIRT that advisory MPSB05-11 addresses CVE-2005-4216 (reported by dr_insane Dec 7). It was originally a judgment call CVE-wise because the descriptions and disclosure dates were aligned fairly well, but the advisory was just vague enough - and released so soon after initial disclosure - that I wanted that extra confidence.
- Steve

======================================================
Name: CVE-2005-4216
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4216
Reference: MISC:http://www.ipomonis.com/advisories/Flash_media_server_2.txt
Reference: CONFIRM:http://www.macromedia.com/devnet/security/security_zone/mpsb05-11.html
Reference: BID:15822
Reference: URL:http://www.securityfocus.com/bid/15822
Reference: FRSIRT:ADV-2005-2865
Reference: URL:http://www.frsirt.com/english/advisories/2005/2865
Reference: SECTRACK:1015346
Reference: URL:http://securitytracker.com/id?1015346
Reference: SECUNIA:17978
Reference: URL:http://secunia.com/advisories/17978
Reference: XF:macromedia-fmsadmin-dos(23563)
Reference: URL:http://xforce.iss.net/xforce/xfdb/23563

The Administration Service (FMSAdmin.exe) in Macromedia Flash Media Server 2.0 r1145 allows remote attackers to cause a denial of service (application crash) via a malformed request with a single character to port 1111.

From smoore at securityglobal.net Sun Dec 18 23:15:08 2005
From: smoore at securityglobal.net (Stuart Moore)
Date: Mon Dec 19 09:55:37 2005
Subject: [VIM] ACK Inquiry sent on Blackboard Systems
In-Reply-To: <200512172105.jBHL5cDj011469@cairo.mitre.org>
References: <200512172105.jBHL5cDj011469@cairo.mitre.org>
Message-ID: <43A633CC.8070407@securityglobal.net>

Steve,

If you don't get a quick answer, you should try contacting the PR folks. PR people generally don't know anything about the technical stuff, but they are often good at getting you in touch w/ the right people. From the web site:

Public Relations Inquiries
Melissa Chotiner
Public Relations Manager
Blackboard Inc.
202-463-4860 ext. 2404
mchotiner@blackboard.com

Good luck,
Stuart

Steven M. Christey wrote:
> Re: the Blackboard Academic Suite / Learning and Community Portal System issues as reported by dr_insane (CVE-2005-4337, CVE-2005-4338, CVE-2005-4339, CVE-2005-4340, CVE-2005-4341).
>
> This seems heavily used, so I tried to send an inquiry.
>
> Everything on the site required registration, so I was forced to use the web feedback form at:
>
> http://www.blackboard.com/company/contactother.aspx?c=Website
>
> The first sentence of the inquiry says:
>
> I am trying to inquire about multiple security vulnerabilities in your product, but I cannot contact tech support because registration is required.
>
> :-)
>
>
> - Steve
>

--
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore@securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax

From jericho at attrition.org Mon Dec 19 20:05:17 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Dec 19 20:05:27 2005
Subject: [VIM] interesting on several levels..
Message-ID:

(btw, attrition is having hardware issues. new box en route to NOC, arriving thursday. until then it will likely be up a few hours a day at best. bear with me!)

http://pridels.blogspot.com/2005/12/blog-system-v12-sql-inj-vuln.html (osvdb 21453, 21454)

Check the comments out. Appears two people found the issue w/i hours of each other (and get in a pissing match over it). Also one anon post calling the validity into question.

From coley at linus.mitre.org Mon Dec 19 20:13:59 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon Dec 19 20:14:03 2005
Subject: [VIM] interesting on several levels..
In-Reply-To:
References:
Message-ID:

Just another data point:

http://pridels.blogspot.com/2005/11/drzes-hms-32-multiple-vuln.html

was posted Nov 25. One of the many vectors was later posted to Bugtraq:

http://www.securityfocus.com/archive/1/archive/1/418851/100/0/threaded

by the same person, a week or two after r0t's original blog. I only noticed this because I *just* did the Nov 25 post.

- Steve

From coley at mitre.org Tue Dec 20 18:23:59 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Dec 20 20:50:41 2005
Subject: [VIM] WowBB - Partial Rediscovery of view_user.php/sort_by vector
Message-ID: <200512202323.jBKNNxx5015338@cairo.mitre.org>

Re: MISC:http://pridels.blogspot.com/2005/11/wowbb-165-sql-vuln.html

view_user.php/sort_by vector was previously published in CVE-2004-2181 for an earlier version. (Note that r0t mentions a previous disclosure)

- Steve

======================================================
Name: CVE-2004-2181
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2181
Reference: MISC:http://www.maxpatrol.com/advdetails.asp?id=7
Reference: BID:11429
Reference: URL:http://www.securityfocus.com/bid/11429

Multiple SQL injection vulnerabilities in WowBB Forum 1.61 allow remote attackers to execute arbitrary SQL commands via the (1) sort_by or (2) page parameters to view_user.php, or the (3) forum_id parameter to view_topic.php.

From jericho at attrition.org Thu Dec 22 20:04:06 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Dec 22 20:04:09 2005
Subject: [VIM] StaticStore vendor ACK of XSS issue (CVE-2005-4284)
In-Reply-To: <200512171853.jBHIrID2010873@cairo.mitre.org>
References: <200512171853.jBHIrID2010873@cairo.mitre.org>
Message-ID:

: After a bit of confusion, the vendor has now acknowledged the
: search.cgi XSS issue:
:
: The vulnerability has been corrected... thank you for bringing that to our attention and the patched "search.cgi" has been emailed to all customers and posted for download on our private forums.

Does this include the variation (possible separate script) that Matthew reported here? Or did they not distinguish?

From coley at linus.mitre.org Thu Dec 22 20:14:17 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu Dec 22 20:14:24 2005
Subject: [VIM] StaticStore vendor ACK of XSS issue (CVE-2005-4284)
In-Reply-To:
References: <200512171853.jBHIrID2010873@cairo.mitre.org>
Message-ID:

I haven't followed up on the variation yet (bad me...)
so presumably they still have it :(

On Thu, 22 Dec 2005, security curmudgeon wrote:

>
> : After a bit of confusion, the vendor has now acknowledged the
> : search.cgi XSS issue:
> :
> : The vulnerability has been corrected... thank you for bringing that to our attention and the patched "search.cgi" has been emailed to all customers and posted for download on our private forums.
>
> Does this include the variation (possible separate script) that Matthew reported here? Or did they not distinguish?
>

From coley at linus.mitre.org Fri Dec 23 00:25:19 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri Dec 23 00:25:34 2005
Subject: [VIM] RE: Feedback : ASPBite Content Management System (fwd)
Message-ID:

vendor ACK for ASPBite strSearch XSS.

---------- Forwarded message ----------
Date: Thu, 22 Dec 2005 11:36:06 -0000
From: Geoff Allen - Reyaltec Ltd
To: coley@mitre.org
Subject: RE: Feedback : ASPBite Content Management System

Hi Steve

Thanks for bringing this to our attention. The security flaw has been fixed this morning. The Latest version 8.4 will contain the fix.

Regards

Geoff Allen
Reyaltec Ltd

From jericho at attrition.org Sat Dec 24 13:03:54 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Dec 24 13:03:56 2005
Subject: [VIM] OpenEdit XSS vendor dispute
Message-ID:

http://pridels.blogspot.com/2005/12/openedit-xss-vuln.html

1 Comments:

Anonymous teica...

Hi There, I am the author of OpenEdit and I wanted to clarify. The page variable is just the page number. So it lets you jump from page 1 to page 100. If you pass in page -1 it will just generate an error. It is not a problem. The oe-action is possibly more of a concern but we check for a user being logged in on most dangerous actions. So this is not considered a security problem either.
8:29 PM

From jericho at attrition.org Mon Dec 26 07:27:51 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 26 Dec 2005 07:27:51 +0000 (UTC)
Subject: [VIM] [Change Request] 21689 21690 21691 PhpWebGallery related (fwd)
Message-ID:

---------- Forwarded message ----------
From: Pierrick LE GALL
To: moderators at osvdb.org
Date: Mon, 26 Dec 2005 00:56:47 +0100
Subject: [OSVDB Mods] [Change Request] 21689 21690 21691 PhpWebGallery related

Hi,

I'm a PhpWebGallery developer. Release 1.5.2 is available to fix security bugs related to OSVDB entries 21689 21690 21691.

Bye

--
Pierrick LE GALL

From jericho at attrition.org Mon Dec 26 08:10:00 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 26 Dec 2005 08:10:00 +0000 (UTC)
Subject: [VIM] WikkaWiki confirm
Message-ID:

http://archives.neohapsis.com/archives/apps/freshmeat/2005-12/0023.html

Freshmeat announce:

Changes: This minor security release fixed a vulnerability issue in search-related actions and modified the default write ACL to prevent spam.

From jericho at attrition.org Mon Dec 26 18:17:16 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 26 Dec 2005 18:17:16 +0000 (UTC)
Subject: [VIM] macromedia annoying wording/reference
Message-ID:

http://www.macromedia.com/devnet/security/security_zone/mpsb05-13.html

JWS Denial of Service Vulnerability

The JRun Web Server improperly handles long URLs and headers allowing a remote attacker to cause a denial of service. Macromedia does not recommend the JWS be used as a production web server.

[..]

Acknowledgements

Adobe would like to thank the following individuals and companies for working with to help protect our customers' security.

iDefense
JWS Denial of Service Vulnerability

--

iDefense links to http://www.idefense.com/, not a specific advisory. iDefense released a new JRun 4 Web Server (JWS?)
buffer overflow advisory days after the Macromedia advisory, which they had been sitting on since 2004-08-25 waiting for vendor fix. It is highly likely that is the advisory they reference, but annoying they don't call it by the same title, link to it, and imply it is DoS and not code execution which the advisory states:

"Successful exploitation may allow remote attackers to execute arbitrary code with Local System privileges."

From mattmurphy at kc.rr.com Tue Dec 27 02:48:32 2005
From: mattmurphy at kc.rr.com (Matthew Murphy)
Date: Mon, 26 Dec 2005 20:48:32 -0600
Subject: [VIM] macromedia annoying wording/reference
In-Reply-To:
References:
Message-ID: <43B0AB80.1070103@kc.rr.com>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

security curmudgeon wrote:
>
> http://www.macromedia.com/devnet/security/security_zone/mpsb05-13.html

[...]

> iDefense JWS Denial of Service Vulnerability

It appears that the error is on the part of Adobe. iDEFENSE's JRun 4 advisory (http://www.idefense.com/intelligence/vulnerabilities/display.php?id=360) links to that specific advisory. They are talking about the same issue, it appears.

Indeed, the terminology is annoying, but it appears Adobe extrapolated iDefense's analysis:

"Although this vulnerability allows a stack overwrite, it may be more difficult to exploit due to the input string being converted into a 'wide character' version of the str input, by placing a null byte between each character. While this does not necessarily prevent exploitation, it does increase the complexity of developing an exploit. Exploitation of this vulnerability may allow a remote attacker to execute code on the affected system as Local System, allowing complete compromise, or cause a denial of service against the affected system, preventing legitimate use."

to mean that the issue was not practically exploitable.
This is more-than-likely wrong, as Unicode overflows have been extensively researched and found to be exploitable in most cases where ANSI overflows are.

The terminology certainly is annoying. More frustrating is the obvious downplay being done by Adobe. But, given Adobe's history of suing researchers (or having them arrested) for cracking its lousy DRM on PDFs and eBooks, no surprise there on my part.

- --
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDsKuAfp4vUrVETTgRAzH0AKCOdisg/424Na4crTWerXiD+VMnFACdFg9h
+FTy8r2IhudZ3u5EdeQsbHg=
=jz4h
-----END PGP SIGNATURE-----

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 3436 bytes
Desc: S/MIME Cryptographic Signature
Url : http://www.attrition.org/pipermail/vim/attachments/20051226/ecf6e3b2/attachment.bin

From jericho at attrition.org Tue Dec 27 08:15:15 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 27 Dec 2005 03:15:15 -0500 (EST)
Subject: [VIM] secunia disputes r0t's eggblog vuln?
Message-ID:

http://secunia.com/advisories/18212/

search.php q variable XSS they list..
search.php q variable path disclosure..

I am assuming that r0t threw a ' to the application, got an SQL error and assumed injection. Secunia presumably did further testing and saw the error disclosed path, but did not allow injection.

---------- Forwarded message ----------
From: Support Service
To: moderators at osvdb.org
Date: Fri, 23 Dec 2005 09:18:09 +0100
Subject: [OSVDB Mods] eggblog vuln.

eggblog vuln.

Vuln. discovered by : r0t
Date: 22 dec. 2005
original advisory: http://pridels.blogspot.com/2005/12/eggblog-vuln.html
vendor: www.epicdesigns.co.uk/projects/eggblog.php
affected version: eggblog v2.0 and prior

Product Description:
eggblog is a small, simple, secure and open source blogging package. Anyone with a php and mysql enabled server can make use of our easy to install package to create their own personal blog.

Vuln. Description:

1. eggblog contains a flaw that allows remote sql injection attacks. Input passed to the "q" parameter in "/forum/search.php" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2. eggblog contains a flaw that allows a remote cross site scripting attack. This flaw exists because input passed to parameters in "home/search.php" and when performing a search isn't properly sanitised before being returned to the user. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.

Solution:
Edit the source code to ensure that input is properly sanitised.

From jericho at attrition.org Tue Dec 27 09:29:24 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 27 Dec 2005 04:29:24 -0500 (EST)
Subject: [VIM] bitweaver confirmation
Message-ID:

http://www.bitweaver.org/forums/viewtopic.php?t=1299

original: http://pridels.blogspot.com/2005/12/bitweaver-multiple-vuln.html

From sullo at cirt.net Tue Dec 27 22:17:31 2005
From: sullo at cirt.net (Sullo)
Date: Tue, 27 Dec 2005 17:17:31 -0500
Subject: [VIM] OpenEdit XSS vendor dispute
In-Reply-To:
References:
Message-ID: <43B1BD7B.6050306@cirt.net>

security curmudgeon wrote:
>
> http://pridels.blogspot.com/2005/12/openedit-xss-vuln.html
>
>
> Hi There, I am the author of OpenEdit and I wanted to clarify. The page variable is just the page number. So it lets you jump from page 1 to page 100.
> If you pass in page -1 it will just generate an error. It is not a problem.
> The oe-action is possibly more of a concern but we check for a user being logged in on most dangerous actions. So this is not considered a security problem either.

This sounds to me like a developer that doesn't get XSS. He seems to be thinking in terms of supplying an invalid *number* to the "page" variable, rather than supplying some arbitrary text.

Not that I would ever try such a thing on a live site, but... the demo was down when I tried to access it.

--
http://www.cirt.net/ | http://www.osvdb.org/

From coley at mitre.org Tue Dec 27 23:01:52 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 27 Dec 2005 18:01:52 -0500 (EST)
Subject: [VIM] Mantis bug details
Message-ID: <200512272301.jBRN1q1f010113@cairo.mitre.org>

The vague Mantis bug reports appear to stem from this advisory:

MISC:http://www.trapkit.de/advisories/TKADV2005-11-002.txt

Correlator reference:

CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=377932&group_id=14963

is a changelog that says "- 0006419: [security] File Upload Vulnerability (TKADV2005-11-002) (thraxisp)"... and various other things.

- Steve

From coley at linus.mitre.org Wed Dec 28 00:16:10 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 27 Dec 2005 19:16:10 -0500 (EST)
Subject: [VIM] OpenEdit XSS vendor dispute
In-Reply-To: <43B1BD7B.6050306@cirt.net>
References: <43B1BD7B.6050306@cirt.net>
Message-ID:

On Tue, 27 Dec 2005, Sullo wrote:

> This sounds to me like a developer that doesn't get XSS. He seems to be thinking in terms of supplying an invalid *number* to the "page" variable, rather than supplying some arbitrary text.

He doesn't understand XSS that much, but he finds enough real issues... I bet what happened is that he sent "
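The two XSS disputes in this thread (StaticStore's search script escaping only the single quote, so that a double-quote breakout is the "minor trickiness" Stuart mentions, and the OpenEdit author reasoning about page=-1 instead of arbitrary text in the page parameter) come down to one point: a reflected value has to be encoded for the HTML context it lands in, and the test of a fix is whether attacker-controlled input can still create markup, not whether some string appears in the response. The Python below is an added editorial example, not code from StaticStore, OpenEdit or any list member. The templates, the parameter handling and the probe payloads are constructed stand-ins for the two patterns described on the list, not the vendors' actual code.

```python
"""Reflected XSS: why escaping one quote character, or expecting a number,
is not output encoding. Added example; not StaticStore or OpenEdit code."""
import html
from html.parser import HTMLParser


# --- Constructed stand-ins for the two patterns discussed on the list -------
def render_search_quote_escaped(keywords: str) -> str:
    """StaticStore-style (hypothetical rendering): the search term is reflected
    into a double-quoted attribute after escaping only the single quote."""
    escaped = keywords.replace("'", "\\'")
    return '<form><input type="text" name="keywords" value="%s"></form>' % escaped


def render_page_unvalidated(page: str) -> str:
    """OpenEdit-style (hypothetical rendering): "page" is meant to be a number and
    a bad value is echoed into the error message. "-1" really is just an error,
    which is the case the author tested; arbitrary text is the case that matters."""
    try:
        n = int(page)
    except ValueError:
        return "<h1>Error: invalid page %s</h1>" % page
    if n < 1:
        return "<h1>Error: invalid page %d</h1>" % n
    return "<h1>Page %d</h1>" % n


# --- Hardened counterparts ---------------------------------------------------
def render_search_hardened(keywords: str) -> str:
    # html.escape(quote=True) encodes & < > " and ', so the value can neither
    # terminate the attribute nor open a tag, whichever quote the attacker picks.
    safe = html.escape(keywords, quote=True)
    return '<form><input type="text" name="keywords" value="%s"></form>' % safe


def render_page_hardened(page: str) -> str:
    # Validate the type first and never echo the raw input on failure.
    try:
        n = int(page)
    except ValueError:
        return "<h1>Error: invalid page</h1>"
    if n < 1:
        return "<h1>Error: invalid page</h1>"
    return "<h1>Page %d</h1>" % n


# --- The check: did the input create markup the template did not have? ------
class InjectedMarkupFinder(HTMLParser):
    """Counts <script> start tags and on* event-handler attributes. The templates
    above contain neither, so any hit means the reflected input changed the
    document structure, i.e. the escaping was insufficient for that context."""

    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = 0

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        # HTMLParser lower-cases attribute names for us.
        self.event_handlers += sum(1 for name, _ in attrs if name.startswith("on"))


def injects_markup(page: str) -> bool:
    finder = InjectedMarkupFinder()
    finder.feed(page)
    finder.close()
    return finder.script_tags > 0 or finder.event_handlers > 0


# Constructed probe payloads. The single-quote one is what the StaticStore
# filter stops; the double-quote and event-handler ones get past it.
PAYLOADS = {
    "single_quote": "'><script>alert(1)</script>",
    "double_quote": '"><script>alert(1)</script>',
    "event_handler": '" onfocus="alert(1)" autofocus="',
    "plain_tag": "<script>alert(1)</script>",
}


def probe(renderer, payload: str) -> bool:
    """True if rendering the payload through `renderer` yields injected markup."""
    return injects_markup(renderer(payload))


if __name__ == "__main__":
    for name, payload in PAYLOADS.items():
        print("%-14s quote-escaped=%-5s hardened=%s" % (
            name, probe(render_search_quote_escaped, payload),
            probe(render_search_hardened, payload)))
    print("page=-1        unvalidated:", probe(render_page_unvalidated, "-1"))
    print("page=<script>  unvalidated:", probe(render_page_unvalidated, PAYLOADS["plain_tag"]))
    print("page=<script>  hardened:   ", probe(render_page_hardened, PAYLOADS["plain_tag"]))
```

Run stand-alone it prints one row per payload. The detail worth noticing is that the check parses the response rather than grepping for the payload: a bare `<script>` that lands inside a still-quoted attribute is reported as harmless, while the double-quote and `onfocus` variants are reported as real breakouts, which is exactly the distinction between the vendor's "show me proof" and the proof Steve sent.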