[VIM] Confirmation (source inspection) of various r0t-discovered issues (fwd)

jkouns jkouns at opensecurityfoundation.org
Sun Nov 27 13:45:41 EST 2005


Considering we were receiving an email every other hour for the last 
couple of days, I also had "taken a small interest"...

Late last night he posted a message:
http://pridels.blogspot.com/2005/11/tapat.html

Again, with that small interest I wanted to know what it said and I 
figured it would be a quick translation. However, before I could even 
start to translate it, I needed to figure out what language it is!

Looking at the 14-year-old's bio, he states: Location: Turku : Finland

Trying to translate Finnish to English didn't go over very well, but the 
first word was translated to "Accident"
http://www.tranexp.com:2000/InterTran?type=url&url=http%3A%2F%2Fpridels.blogspot.com%2F&text=&from=fin&to=eng

Trying to figure out if there is another language...

Pasted the post into the
http://translation.langenberg.com/

Xerox -- Language Identifier/Guesser
They guess: Latvian_cp1257

Fuzzums -- Language Identifier/Guesser
They guess:
Latvian      71.91%
Finnish      58.51%
Latin        54.5%
Indonesian   53.33%
Swedish      51.12%
Italian      49.72%
French       48.91%

Doing a Latvian translation produced absolutely nothing.  So, this small
interest has wasted a good amount of time.  If anyone figures out what 
was posted, let me know.

For some reason I am still curious.
--Jake

> ---------- Forwarded message ----------
> From: Steven M. Christey <coley at mitre.org>
> To: vim at attrition.org
> Date: Sun, 27 Nov 2005 03:05:58 -0500 (EST)
> Reply-To: Vulnerability Information Managers <vim at attrition.org>
> Subject: [VIM] Confirmation (source inspection) of various 
> r0t-discovered issues
> 
> 
> I've taken a small interest in observing r0t (r0t3d3Vil) since he's
> done a whole lot of reports in the past couple of days in software
> that hasn't been reported vulnerable before... plus his blog profile
> says he's 14.
> 
> Most of his analyses are of for-purchase products, so I couldn't check
> those.  At least one demo site for one vendor had been tested by him,
> as his leftover XSS attempts indicated :-/ so some of his results
> might be coming from tests of vendor demo sites.
> 
> Anyway, for some products with source available, I was able to confirm
> - by source inspection only - several recent issues.
> 
> 
> CVE-2005-3834
> 
>   searchFor is directly inserted into a $title variable.
> 
> CVE-2005-3846
> 
>   line 205 news.php -
>   $where="AND c.category_id=".$_REQUEST['category']."";
> 
> CVE-2005-3853
> 
>   Multiple locations exist, including the title() function where a
>   $_GET['id'] (line 174) is fed directly into a $query variable without
>   quoting (line 179), which is then fed to mysql_query() (line 180).
> 
>   Source code review of 1.3 shows that snews.php is the affected file.
> 
> 
> For CVE-2005-3833 - Tunez "songinfo.php?song_id=[SQL]" SQL injection -
> source code inspection of songinfo.php suggests that an addslashes()
> is performed on the song_id parameter, so this report might be
> incorrect or associated with a different type of issue, e.g. a SQL
> error from a query with a non-numeric value.
> 
> - Steve
> 
> ======================================================
> Name: CVE-2005-3834
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3834
> Reference: 
> MISC:http://pridels.blogspot.com/2005/11/tunez-sql-and-xss-vuln.html
> Reference: BID:15548
> Reference: URL:http://www.securityfocus.com/bid/15548
> Reference: OSVDB:21063
> Reference: URL:http://www.osvdb.org/21063
> Reference: SECUNIA:17692
> Reference: URL:http://secunia.com/advisories/17692
> 
> Cross-site scripting (XSS) vulnerability in search.php in Tunez 1.21
> and earlier allows remote attackers to inject arbitrary web script or
> HTML via the searchFor parameter.
> 
> 
> ======================================================
> Name: CVE-2005-3846
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3846
> Reference: 
> MISC:http://pridels.blogspot.com/2005/11/fantastic-news-category-sql-inj.html
> Reference: FRSIRT:ADV-2005-2595
> Reference: URL:http://www.frsirt.com/english/advisories/2005/2595
> 
> SQL injection vulnerability in news.php in Fantastic News 2.1.1 and
> earlier allows remote attackers to execute arbitrary SQL commands via
> the category parameter.
> 
> 
> ======================================================
> Name: CVE-2005-3853
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3853
> Reference: 
> MISC:http://pridels.blogspot.com/2005/11/snews-13-sql-injection.html
> Reference: OSVDB:21093
> Reference: URL:http://www.osvdb.org/21093
> Reference: SECUNIA:17688
> Reference: URL:http://secunia.com/advisories/17688
> 
> SQL injection vulnerability in snews.php in sNews 1.3 and earlier
> allows remote attackers to execute arbitrary SQL commands via the (1)
> id and (2) category parameters to index.php.
> 
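
The concatenation Steve quotes for CVE-2005-3846, and the same shape he describes for CVE-2005-3853 ($_GET['id'] fed unquoted into a query), as an added PHP example that is not code from the post, from Fantastic News or from sNews: the vulnerable pattern beside a hardened version that validates the parameter as an integer and binds it. Everything other than the quoted c.category_id expression (table names, columns, sample rows) is invented for the demonstration.

```php
<?php
// Added example, not code from the original post, Fantastic News or sNews:
// the unquoted-concatenation pattern Steve quotes beside a hardened version.
// Table and column names other than c.category_id are invented.

// Vulnerable pattern (the shape quoted from news.php line 205): the raw
// request text becomes part of the SQL statement itself.
function build_where_vulnerable(array $request): string
{
    return "AND c.category_id=" . $request['category'] . "";
}

// Hardened step 1: accept only a plain non-negative integer literal; any
// other text (letters, operators, empty string) yields null.
function category_id_or_null(array $request): ?int
{
    if (!isset($request['category'])) {
        return null;
    }
    $id = filter_var($request['category'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// Hardened step 2: bind the validated integer as a query parameter. Note
// that addslashes() is not a substitute here: it escapes quote characters
// only, and an unquoted numeric position in the query contains none.
function fetch_news_by_category(PDO $db, array $request): array
{
    $id = category_id_or_null($request);
    if ($id === null) {
        error_log('news.php: rejected non-integer category parameter');
        return [];
    }
    $stmt = $db->prepare('SELECT n.id, n.title FROM news n '
        . 'JOIN categories c ON n.category_id = c.category_id '
        . 'WHERE c.category_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
// Stand-alone run against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE categories (category_id INTEGER PRIMARY KEY, name TEXT)');
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, category_id INTEGER, title TEXT)');
$db->exec("INSERT INTO categories VALUES (1, 'general'), (2, 'security')");
$db->exec("INSERT INTO news VALUES (10, 2, 'constructed headline')");
var_dump(fetch_news_by_category($db, ['category' => '2']));   // validated integer
var_dump(fetch_news_by_category($db, ['category' => '2a']));  // rejected before any query
```

Reviewing code such as the snippets above, the check to look for is exactly the one Steve applies: whether the request value reaches the query text directly, or only after integer validation and parameter binding.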

