[VIM] More confirmed r0t issues

Steven M. Christey coley at mitre.org
Tue Nov 29 04:00:42 EST 2005


The latest products being investigated by r0t have more freeware, so
here's my take on some of 'em.

I'll need to cut down on this stuff though.  Even the obvious things
can take more time than I usually have! :)

He's definitely doing only surface-level, incomplete research.  Some
of these products had dozens of attack vectors when you looked at the
source.


CVEs listed at end of the email.

CVE-2005-3882 - Line 7 feeds $_GET['id'] into mysql_query().

CVE-2005-3881 - Uninitialized $searchStr is fed directly into
mysql_query() on line 17.

CVE-2005-3877 - messages.php - line 525, print_message() called by
print_nav() with $mid as set by GPC vars.  list.php - $folder_id
initialized by GPC in line 12, injected into $query var lines 49 and
51, fed into mysql_query() on line 53.

CVE-2005-3875 - including line 176 in send.php:

  $sql = "SELECT message, sender FROM connector_message WHERE messageid = " . $_GET['messageid'];

and the delete action on line 21 of messages.php:

  $sql = "DELETE FROM connector_message WHERE messageid=" . $_GET['messageid'];

CVE-2005-3874 - index.php calls netzbrett_main() (netzbr.php) which
calls print_entry($GLOBALS["p_entry"]) which calls read_entry() to
mysql_read_entry() which inserts the entry number into a SELECT clause
which is fed to mysql_query.

CVE-2005-3871 - ACCURACY: some of these attack vectors were confirmed
via source code inspection of a newer product version - v1.0.0rc1 - as
obtained from SourceForge.  The other vectors might have been
eliminated between 0.9.9rc3 and v1.0.0rc1.

CVE-2005-3870 - ACCURACY: some of these attack vectors were confirmed
via source code inspection of a newer product version - v1.0.0rc1 - as
obtained from SourceForge.  The other vectors might have been
eliminated between 0.9.9rc3 and v1.0.0rc1.



==========================================================================


======================================================
Name: CVE-2005-3870
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3870
Reference: MISC:http://pridels.blogspot.com/2005/11/edmobbs-sql-inj-vuln.html
Reference: BID:15589
Reference: URL:http://www.securityfocus.com/bid/15589
Reference: FRSIRT:ADV-2005-2621
Reference: URL:http://www.frsirt.com/english/advisories/2005/2621
Reference: SECUNIA:17726
Reference: URL:http://secunia.com/advisories/17726

Multiple SQL injection vulnerabilities in edmobbs9r.php in edmoBBS 0.9
and earlier allow remote attackers to execute arbitrary SQL commands
via the (1) table and (2) messageID parameters.


======================================================
Name: CVE-2005-3871
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3871
Reference: MISC:http://pridels.blogspot.com/2005/11/jbb-sql-inj-vuln.html
Reference: BID:15590
Reference: URL:http://www.securityfocus.com/bid/15590
Reference: FRSIRT:ADV-2005-2620
Reference: URL:http://www.frsirt.com/english/advisories/2005/2620
Reference: SECUNIA:17727
Reference: URL:http://secunia.com/advisories/17727

Multiple SQL injection vulnerabilities in Joels Bulletin board (JBB)
0.9.9rc3 and earlier allow remote attackers to execute arbitrary SQL
commands via the (1) nr parameter in topiczeigen.php, (2) forum and
(3) zeigeseite parameters in showforum.php, (4) forum parameter in
newtopic.php, and (5) tidnr parameter in neuerbeitrag.php.


======================================================
Name: CVE-2005-3874
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3874
Reference: MISC:http://pridels.blogspot.com/2005/11/netzbrett-151-sql-inj-vuln.html
Reference: BID:15593
Reference: URL:http://www.securityfocus.com/bid/15593
Reference: FRSIRT:ADV-2005-2611
Reference: URL:http://www.frsirt.com/english/advisories/2005/2611
Reference: SECUNIA:17742
Reference: URL:http://secunia.com/advisories/17742

SQL injection vulnerability in netzbr.php in Netzbrett 1.5.1 and
earlier allows remote attackers to execute arbitrary SQL commands via
the p_entry parameter in an entry command to index.php.


======================================================
Name: CVE-2005-3875
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3875
Reference: MISC:http://pridels.blogspot.com/2005/11/enterprise-connector-sql-inj-vuln.html
Reference: FRSIRT:ADV-2005-2602
Reference: URL:http://www.frsirt.com/english/advisories/2005/2602
Reference: SECUNIA:17743
Reference: URL:http://secunia.com/advisories/17743

Multiple SQL injection vulnerabilities in Enterprise Connector 1.0.2
and earlier allow remote attackers to execute arbitrary SQL commands
via the messageid parameter in (1) send.php or (2) a delete action in
messages.php.


======================================================
Name: CVE-2005-3877
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3877
Reference: MISC:http://pridels.blogspot.com/2005/11/sdms-20-sql-inj-vuln.html
Reference: FRSIRT:ADV-2005-2614
Reference: URL:http://www.frsirt.com/english/advisories/2005/2614
Reference: SECUNIA:17746
Reference: URL:http://secunia.com/advisories/17746

Multiple SQL injection vulnerabilities in Simple Document Management
System (SDMS) 2.0-CVS and earlier allow remote attackers to execute
arbitrary SQL commands via the (1) folder_id parameter in list.php and
(2) mid parameter in a view action to messages.php.


======================================================
Name: CVE-2005-3881
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3881
Reference: MISC:http://pridels.blogspot.com/2005/11/altantisfaq-sql-inj-vuln.html
Reference: FRSIRT:ADV-2005-2624
Reference: URL:http://www.frsirt.com/english/advisories/2005/2624

SQL injection vulnerability in search.php in AltantisFAQ Knowledge
Base Software 2.03 and earlier allows remote attackers to execute
arbitrary SQL commands via the searchStr parameter.


======================================================
Name: CVE-2005-3882
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3882
Reference: MISC:http://pridels.blogspot.com/2005/11/faqring-30-sql-inj-vuln.html
Reference: FRSIRT:ADV-2005-2625
Reference: URL:http://www.frsirt.com/english/advisories/2005/2625

SQL injection vulnerability in answer.php in FAQSystems FAQRing
Knowledge Base Software 3.0 and earlier allows remote attackers to
execute arbitrary SQL commands via the id parameter.
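The findings above all come from the same source-inspection pattern: a request parameter ($_GET, $GLOBALS, or a variable initialised from GPC data) is concatenated into a SQL string that reaches mysql_query(). The following Python script is an added example, not part of the post or of any of the products named; it runs a single-file taint heuristic over constructed PHP fragments modelled on the send.php, messages.php and list.php lines described earlier. The file names, line contents and the "fixed.php" variant are constructed for illustration and are not the real project sources.

```python
import re

# Constructed PHP fragments modelled on the send.php / messages.php / list.php
# lines described in the post. They are NOT the real project sources; the
# file names and contents are illustrative only.
SAMPLE_PHP = {
    "send.php": [
        "<?php",
        "$sql = \"SELECT message, sender FROM connector_message WHERE messageid = \" . $_GET['messageid'];",
        "$res = mysql_query($sql);",
    ],
    "messages.php": [
        "<?php",
        "$sql = \"DELETE FROM connector_message WHERE messageid=\" . $_GET['messageid'];",
        "mysql_query($sql);",
    ],
    "list.php": [
        "<?php",
        "$folder_id = $_GET['folder_id'];",
        "$query = \"SELECT * FROM documents\";",
        "$query .= \" WHERE folder_id=\" . $folder_id;",
        "$result = mysql_query($query);",
    ],
    "fixed.php": [
        "<?php",
        "$mid = (int) $_GET['messageid'];   // cast breaks the taint",
        "$sql = \"SELECT message FROM connector_message WHERE messageid = \" . $mid;",
        "mysql_query($sql);",
    ],
}

# Request-controlled ("GPC") sources, including the register_globals-era arrays.
GPC_SOURCES = re.compile(
    r"\$(?:_GET|_POST|_REQUEST|_COOKIE|GLOBALS|HTTP_(?:GET|POST|COOKIE)_VARS)\b")
# Constructs this heuristic treats as neutralising a value for SQL use.
SANITIZERS = re.compile(r"\(int\)|\bintval\s*\(|\bmysql_real_escape_string\s*\(")
# "$var = expr;" or "$var .= expr;" (the (?!=) keeps "==" comparisons out).
ASSIGN = re.compile(r"^\s*\$(\w+)\s*(\.?=)(?!=)\s*(.+);")
QUERY = re.compile(r"\bmysql_query\s*\(\s*(.+?)\s*\)")
VAR = re.compile(r"\$(\w+)")


def is_tainted(expr, tainted):
    """True if expr reads a GPC source or a variable already marked tainted."""
    if GPC_SOURCES.search(expr):
        return True
    return any(name in tainted for name in VAR.findall(expr))


def scan_file(filename, lines):
    """Single-pass, single-file taint walk.

    Returns (filename, lineno, message) for every mysql_query() whose
    argument is derived from request data. Intraprocedural only: data
    passed through function calls (the Netzbrett-style chain) is not followed.
    """
    tainted = set()
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = ASSIGN.match(line)
        if m:
            var, op, rhs = m.groups()
            if SANITIZERS.search(rhs):
                if op == "=":
                    tainted.discard(var)      # overwritten with a cleansed value
            elif is_tainted(rhs, tainted):
                tainted.add(var)              # '=' and '.=' both propagate taint
            elif op == "=":
                tainted.discard(var)          # overwritten with untainted data
        q = QUERY.search(line)
        if q and is_tainted(q.group(1), tainted):
            findings.append((filename, lineno,
                             "mysql_query() receives request-controlled data: "
                             + line.strip()))
    return findings


def scan_all(files):
    """Scan a {filename: [lines]} mapping and concatenate the findings."""
    out = []
    for name, lines in files.items():
        out.extend(scan_file(name, lines))
    return out


if __name__ == "__main__":
    for name, lineno, msg in scan_all(SAMPLE_PHP):
        print(f"{name}:{lineno}: {msg}")
```

The script flags the send.php, messages.php and list.php queries and stays quiet on the cast variant; the list.php case shows why the `.=` append has to carry taint forward, which is exactly how the $folder_id vector reaches $query over two lines. The sanitizer list is deliberately small and over-approximates safety, so it is a triage aid for the kind of source-code confirmation done above, not a substitute for reading the code.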



