From jericho at attrition.org Mon Oct 3 01:16:56 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Oct 3 01:16:59 2005
Subject: [VIM] H.323 protocol vulns
Message-ID:

via the PROTOS testing suite:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0054
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0056
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0097

then we see an "update" to the suite (guessing, they don't explicitly state the name of the testing software):

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0498
http://www.uniras.gov.uk/niscc/docs/re-20041026-00956.pdf?lang=en

Were the different vulnerabilities ever described in more detail? Or is this a year+ later and everything is still vague?

From coley at mitre.org Wed Oct 5 17:08:43 2005
From: coley at mitre.org (Steven M. Christey)
Date: Wed Oct 5 17:11:12 2005
Subject: [VIM] MyBloggie SQL injection vuln variant
Message-ID: <200510052108.j95L8h9e027127@linus.mitre.org>

retrogod recently posted a null character / SQL injection issue in myBloggie:

http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2

The affected version is 2.1.3beta, the app is login.php, and the parameter is username. This is CAN-2005-3153.

This makes it sound like a rediscovery of an earlier post by OS2A:

http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2

which also has the same version, app, and parameter; this is CAN-2005-2838.

However, retrogod's description shows this source code extract:

  // Security precaution - sean 03 sep 2005 [!]
  if(ereg('[^A-Za-z0-9_]', $username)){

which is the fix for the older CAN-2005-2838.

So, the problem is that the fix is incomplete, and the retrogod issue is really an interaction error / null character problem that, in this case, happens to have resultant SQL injection. In CVE's book, this makes it different enough to merit a new candidate.
- Steve

======================================================
Candidate: CAN-2005-2838
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2838
Reference: BUGTRAQ:20050905 Vulnerability in myBloggie 2.1.3-beta and prior
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112607358831963&w=2
Reference: CONFIRM:http://mywebland.com/forums/showtopic.php?t=399
Reference: BID:14739
Reference: URL:http://www.securityfocus.com/bid/14739
Reference: SECUNIA:16699
Reference: URL:http://secunia.com/advisories/16699
Reference: XF:mybloggie-login-sql-injection(22162)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22162

SQL injection vulnerability in login.php in myBloggie 2.1.3-beta and earlier allows remote attackers to execute arbitrary SQL commands via the username parameter.

======================================================
Candidate: CAN-2005-3153
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3153
Reference: BUGTRAQ:20051001 MyBloggie 2.1.3beta null char + SQL Injection -> Login Bypass
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112818273307878&w=2
Reference: MISC:http://rgod.altervista.org/mybloggie213b.html
Reference: SECTRACK:1014995
Reference: URL:http://securitytracker.com/id?1014995

login.php in MyBloggie 2.1.3 beta allows remote attackers to bypass a regular expression check for invalid characters and conduct SQL injection attacks via a null character in the username parameter, a different vulnerability than CAN-2005-2838.

From coley at linus.mitre.org Wed Oct 5 17:13:33 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Oct 5 17:16:01 2005
Subject: [VIM] H.323 protocol vulns
In-Reply-To:
References:
Message-ID:

On Mon, 3 Oct 2005, security curmudgeon wrote:

> via the PROTOS testing suite:
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0054
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0056
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0097
>
> then we see an "update" to the suite (guessing, they don't explicitly
> state the name of the testing software):
> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0498
> http://www.uniras.gov.uk/niscc/docs/re-20041026-00956.pdf?lang=en
>
> Were the different vulnerabilities ever described in more detail? Or is
> this a year+ later and everything is still vague?

I think everything is still vague.

- Steve

From coley at linus.mitre.org Wed Oct 5 23:56:06 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed Oct 5 23:58:38 2005
Subject: [VIM] JVN#79314822 and Hitachi HS05-019 (fwd)
Message-ID:

FYI - by CVE's content decisions, if JVN#79314822 is for an existing Tomcat issue, then I would not create a separate CAN for the Hitachi advisory. CAN-2005-3164 is currently the placeholder for HS05-019, though it could be rejected as a duplicate depending on JPCERT's answer.

Insert pathetic whining about vulnerability reports in other languages here. wahh wahh wahhh, woe is us.

- Steve

---------- Forwarded message ----------
Date: Wed, 5 Oct 2005 23:52:06 -0400 (EDT)
From: Steven M. Christey
To: jvn@jvn.jp
Cc: coley@mitre.org
Subject: JVN#79314822 and Hitachi HS05-019

Hello JPCERT,

I have a question regarding Hitachi HS05-019. It links to JVN#79314822, but I cannot read Japanese :)

JVN#79314822 mentions JavaServer Pages or Apache Tomcat, but that is all I can read.

Is JVN#79314822 related to any known issues in Tomcat? If so, do you have any references in English for the problem?

Thank you,

Steve Christey
CVE Editor

From coley at mitre.org Thu Oct 6 01:31:58 2005
From: coley at mitre.org (Steven M. Christey)
Date: Thu Oct 6 01:34:30 2005
Subject: [VIM] Various CVE's for Windows 2000 SP4 update Rollup 1
Message-ID: <200510060531.j965VwKf011637@linus.mitre.org>

FYI, I slogged through Microsoft KB article 900345 for the Update Rollup 1 for Microsoft Windows 2000 Service Pack 4 and found 10 security-relevant issues. There might be more than that, but these were the ones that were clearly security-relevant.

- Steve

======================================================
Candidate: CAN-2005-3168
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3168
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:834424
Reference: URL:http://support.microsoft.com/kb/834424/

The SECEDIT command on Microsoft Windows 2000 before Update Rollup 1 for SP4, when using a security template to set Access Control Lists (ACLs) on folders, does not apply ACLs on folders that are listed after a long folder entry, which could result in less secure permissions than specified by the template.

======================================================
Candidate: CAN-2005-3169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3169
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:833873
Reference: URL:http://support.microsoft.com/kb/833873

Microsoft Windows 2000 before Update Rollup 1 for SP4, when the "audit directory service access" policy is enabled, does not record a 565 event message for File Delete Child operations on an Active Directory object in the security event log, which could allow attackers to conduct unauthorized activities without detection.
======================================================
Candidate: CAN-2005-3170
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3170
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:883639
Reference: URL:http://support.microsoft.com/kb/883639

The LDAP client on Microsoft Windows 2000 before Update Rollup 1 for SP4 accepts certificates using LDAP Secure Sockets Layer (LDAPS) even when the Certificate Authority (CA) is not trusted, which could allow attackers to trick users into believing that they are accessing a trusted site.

======================================================
Candidate: CAN-2005-3171
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3171
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:884559
Reference: URL:http://support.microsoft.com/kb/884559

Microsoft Windows 2000 before Update Rollup 1 for SP4 records Event ID 1704 to indicate that Group Policy security settings were successfully updated, even when the processing fails such as when Ntuser.pol cannot be accessed, which could cause system administrators to believe that the system is compliant with the specified settings.

======================================================
Candidate: CAN-2005-3172
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3172
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:824867
Reference: URL:http://support.microsoft.com/kb/824867

The WideCharToMultiByte function in Microsoft Windows 2000 before Update Rollup 1 for SP4 does not properly convert strings with Japanese composite characters in the last character, which could prevent the string from being null terminated and lead to data corruption or enable buffer overflow attacks.
======================================================
Candidate: CAN-2005-3173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3173
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:821102
Reference: URL:http://support.microsoft.com/kb/821102

Microsoft Windows 2000 before Update Rollup 1 for SP4 does not apply group policies if the user logs on using UPN credentials with a trailing dot, which prevents Windows 2000 from finding the correct domain controller and could allow the user to bypass intended restrictions.

======================================================
Candidate: CAN-2005-3174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3174
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:830847
Reference: URL:http://support.microsoft.com/kb/830847

Microsoft Windows 2000 before Update Rollup 1 for SP4 allows users to log on to the domain, even when their password has expired, if the fully qualified domain name (FQDN) is 8 characters long.

======================================================
Candidate: CAN-2005-3175
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3175
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:842742
Reference: URL:http://support.microsoft.com/kb/842742

Microsoft Windows 2000 before Update Rollup 1 for SP4 allows a local administrator to unlock a computer even if it has been locked by a domain administrator, which allows the local administrator to access the session as the domain administrator.
======================================================
Candidate: CAN-2005-3176
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3176
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:891076
Reference: URL:http://support.microsoft.com/kb/891076

Microsoft Windows 2000 before Update Rollup 1 for SP4 does not record the IP address of a Windows Terminal Services client in a security log event if the client connects successfully, which could make it easier for attackers to escape detection.

======================================================
Candidate: CAN-2005-3177
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3177
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:831375
Reference: URL:http://support.microsoft.com/kb/831375
Reference: MSKB:831374
Reference: URL:http://support.microsoft.com/kb/831374

CHKDSK in Microsoft Windows 2000 before Update Rollup 1 for SP4, Windows XP, and Windows Server 2003, when running in fix mode, does not properly handle security descriptors if the master file table contains a large number of files or if the descriptors do not satisfy certain NTFS conventions, which could cause ACLs for some files to be reverted to less secure defaults, or cause security descriptors to be removed.
From jericho at attrition.org Fri Oct 7 07:20:34 2005
From: jericho at attrition.org (security curmudgeon)
Date: Fri Oct 7 07:20:43 2005
Subject: [VIM] Various CVE's for Windows 2000 SP4 update Rollup 1
In-Reply-To: <200510060531.j965VwKf011637@linus.mitre.org>
References: <200510060531.j965VwKf011637@linus.mitre.org>
Message-ID:

Also:

Microsoft Windows XP Wireless Zero Configuration Credential/Key Disclosure

http://www.secunia.com/advisories/17064/
http://support.microsoft.com/default.aspx?scid=kb;EN-US;893357
http://www.soonerorlater.hu/index.khtml?article_id=62
http://osvdb.org/19873

From coley at mitre.org Fri Oct 14 13:48:21 2005
From: coley at mitre.org (Steven M. Christey)
Date: Fri Oct 14 13:51:26 2005
Subject: [VIM] vendor dispute for CAN-2005-1244 (NetIQ iSeries directory traversal)
Message-ID: <200510141748.j9EHmLWE023591@linus.mitre.org>

CVE received an email from NetIQ disputing the following issue. The dispute was apparently confirmed by another VDB. In the original report, the researcher claims that NetIQ did not respond to his inquiries, which probably contributed to the likely-incorrect report.

- Steve

======================================================
Candidate: CAN-2005-1244
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1244
Reference: BUGTRAQ:20050420 Canonicalization and directory traversal in iSeries FTP security products
Reference: URL:http://www.securityfocus.com/archive/1/396628
Reference: MISC:http://www.venera.com/downloads/Canonicalization_problems_in_iSeries_FTP_security.pdf

** DISPUTED ** Directory traversal vulnerability in the third party tool from NetIQ, as used to secure the iSeries AS/400 FTP server, allows remote attackers to access arbitrary files, including those from qsys.lib, via ".." sequences in a GET request. NOTE: the vendor has disputed this issue, saying that "neither NetIQ Security Manager nor our iSeries Security Solutions are vulnerable."
From jericho at attrition.org Sun Oct 16 06:23:42 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun Oct 16 06:23:53 2005
Subject: [VIM] vendor dispute for CAN-2005-1244 (NetIQ iSeries directory traversal)
In-Reply-To: <200510141748.j9EHmLWE023591@linus.mitre.org>
References: <200510141748.j9EHmLWE023591@linus.mitre.org>
Message-ID:

: CVE received an email from NetIQ disputing the following issue. The
: dispute was apparently confirmed by another VDB. In the original
: report, the researcher claims that NetIQ did not respond to his
: inquiries, which probably contributed to the likely-incorrect report.

I think I recall Stuart/SecTracker dealing with NetIQ over this, but not entirely sure. I also remember OSVDB working on this, and/or communicating with the vendor. We ended up adding it as a myth/fake report:

http://osvdb.org/15791

Vuln Desc:
NetIQ Security Manager has been reported to contain a flaw allowing a remote attacker to access files outside of the FTP root path, bypassing its intended functionality. The original report indicated NetIQ and several other products were vulnerable to an underlying traversal issue in the iSeries product. Further examination and testing has revealed that NetIQ Security Manager is not vulnerable to this issue.

From jericho at attrition.org Sun Oct 16 07:10:48 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sun Oct 16 07:10:51 2005
Subject: [VIM] Various CVE's for Windows 2000 SP4 update Rollup 1
In-Reply-To: <200510060531.j965VwKf011637@linus.mitre.org>
References: <200510060531.j965VwKf011637@linus.mitre.org>
Message-ID:

: FYI, I slogged through Microsoft KB article 900345 for the Update Rollup
: 1 for Microsoft Windows 2000 Service Pack 4 and found 10
: security-relevant issues. There might be more than that, but these were
: the ones that were clearly security-relevant.

Good stuff. I am currently doing the same for the Sun Java System Directory Server.
The last changelog had a huge list of bugs including ~ 7 or 8 security issues, and a couple *dozen* potential DoS attacks. We may end up grouping some of the DoS attacks together depending on the information (or lack of) though. Once I get it all sorted out I'll post a summary here.

From smoore at securityglobal.net Sun Oct 16 19:50:18 2005
From: smoore at securityglobal.net (Stuart Moore)
Date: Sun Oct 16 19:54:02 2005
Subject: [VIM] vendor dispute for CAN-2005-1244 (NetIQ iSeries directory traversal)
In-Reply-To:
References: <200510141748.j9EHmLWE023591@linus.mitre.org>
Message-ID: <4352E73A.9080507@securityglobal.net>

This NetIQ report was not one of the disputes that we were involved with.

Stuart

security curmudgeon wrote:
> : CVE received an email from NetIQ disputing the following issue. The
> : dispute was apparently confirmed by another VDB. In the original
> : report, the researcher claims that NetIQ did not respond to his
> : inquiries, which probably contributed to the likely-incorrect report.
>
> I think I recall Stuart/SecTracker dealing with NetIQ over this, but not
> entirely sure. I also remember OSVDB working on this, and/or
> communicating with the vendor. We ended up adding it as a myth/fake
> report:
>
> http://osvdb.org/15791
>
> Vuln Desc:
> NetIQ Security Manager has been reported to contain a flaw allowing a
> remote attacker to access files outside of the FTP root path, bypassing
> its intended functionality. The original report indicated NetIQ and
> several other products were vulnerable to an underlying traversal issue in
> the iSeries product. Further examination and testing has revealed that
> NetIQ Security Manager is not vulnerable to this issue.
>

--
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore@securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax

From coley at mitre.org Sun Oct 23 01:25:07 2005
From: coley at mitre.org (Steven M. Christey)
Date: Mon Oct 24 03:06:19 2005
Subject: [VIM] Chipmunk XSS is likely resultant from SQL injection
Message-ID: <200510230525.j9N5P7XN011442@linus.mitre.org>

I'm not in the mood at this instant to deal with this entirely, but I thought I'd mention it:

XSS & Path Disclosure in Chipmunk's products
http://marc.theaimsgroup.com/?l=bugtraq&m=112982490104274&w=2

This is likely another example of primary SQL injection with resultant XSS from an error message, being labeled only as XSS by the researcher. A download of the Forum product and a quick glance at quote.php shows that the $forumID variable is used in several SQL queries, e.g.:

> $getforuminfo="SELECT * from b_forums where ID='$forumID'";

and

> $posting="INSERT INTO b_posts (author, title, post,timepost, telapsed, threadparent, postforum, lastpost,nosmilies,ipaddress ) values ('$name', '$title', '$post', '$day', '$timegone', '$threadparent', '$forumID','$user','$nosmiley','$s')";

Interestingly, later vectors in the code suggest there might be real XSS.

- Steve

From jericho at attrition.org Mon Oct 24 19:36:12 2005
From: jericho at attrition.org (security curmudgeon)
Date: Mon Oct 24 19:36:16 2005
Subject: [VIM] FlatNuke
Message-ID:

OSVDB 19114

http://archives.neohapsis.com/archives/bugtraq/2005-08/0442.html

usr variable XSS

http://archives.neohapsis.com/archives/bugtraq/2005-10/0276.html

user variable XSS

Makes me wonder if one of them is a typo and this is the same issue..

From coley at linus.mitre.org Tue Oct 25 00:26:52 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Oct 25 00:32:28 2005
Subject: [VIM] FlatNuke
In-Reply-To:
References:
Message-ID:

> OSVDB 19114
> http://archives.neohapsis.com/archives/bugtraq/2005-08/0442.html
>
> usr variable XSS
>
> http://archives.neohapsis.com/archives/bugtraq/2005-10/0276.html
>
> user variable XSS
>
> Makes me wonder if one of them is a typo and this is the same issue..

My immediate guess is that it isn't.
I haven't used PHP myself, but I've gleaned from lots of staring at URLs that:

- modules.php is usually a dispatcher for lots of other functionality

- "op" or "action" and similar parameters are usually dispatchers as well

In this case, the "usr" variable was in an "op=vis_reg" and the "user" variable is in an "op=profile", both accessible from an index.php.

Actually, I just confirmed this via source code inspection - there's a vis_reg() with a $_GET['usr'] and a profile() with a $_GET['user'] etc.

Since I'm here, might as well confirm, by source inspection, the user "file inclusion" issue (which doesn't appear to be an "include" issue per se, but does involve dumping contents of a file into the resulting page).

from forum/index.php:

  [874]function profile(){
  ...
  [876]$user=$_GET['user'];
  ...
  [891]$fp=file("users/$user.php");
  ...
  [895]>

** but ** the other two elements look like they're not full file reading:

  function topic(){
  ...
  $quale=$_GET['quale'];
  ...
  $string=get_file("topics/$quale.xml");
  $posts=get_xml_array("ff:post",$string);
  ...
  $unsplitpost = $posts[$x];
  ...
  $poster=get_xml_element("ff:poster",$unsplitpost);
  ...
  $subj=get_xml_element("ff:subj",$unsplitpost);

etc.

  function newtopic(){
  ...
  $quale=$_GET['quale'];
  $string=get_file("topics/$quale.xml");
  $subjtmp="Re: ".get_xml_element("ff:topic",$string);

topic() and newtopic() seem to be just grabbing a single element out of a well-formed input file; so it's a limited cross-user information leak at best, it seems. Not sure, though.

Also looked at the original post. Confirmed (by source inspection only) the vis_reg XSS. The "mod=read" and "news=DEVICE" issues - all of them - seem to be related to file opening or file access errors underneath, i.e. items (2) and (3) appear to be resultant from basic pathname manipulation / directory traversal in (4).

- Steve

From coley at mitre.org Tue Oct 25 21:06:42 2005
From: coley at mitre.org (Steven M. Christey)
Date: Tue Oct 25 21:07:00 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
Message-ID: <200510260106.j9Q16g31011693@linus.mitre.org>

How are other VDB's handling situations in which Internet Explorer automatic type detection feature renders HTML in .GIF/.JPG files as if it's HTML? Theoretically, every single web application that allows uploads is "vulnerable" - is it really the application vendors' responsibility to work around this "feature"? From a VDB perspective I don't like the idea of "blaming" the wrong party and/or adding dozens or hundreds of entries for products that don't work around another product's feature.

These fall under a class of vulns that I call "multiple interpretation errors" in which one product assumes "good" behavior of other products that don't actually behave. A-V products get hit on these a lot, but in those cases I think they should share some of the "blame" since they are supposed to know how the inputs are going to be handled by end systems.

Insert comment about Jon Postel's great motto "Be liberal in what you accept, and conservative in what you send" being an impediment to systemic security.

- Steve

======================================================
Name: CVE-2005-3310
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3310
Reference: BUGTRAQ:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=113017003617987&w=2
Reference: FULLDISC:20051022 phpBB 2.0.17 (and other BB systems as well) Cookie disclosure exploit.
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2005-10/0479.html
Reference: BID:15170
Reference: URL:http://www.securityfocus.com/bid/15170/
Reference: SECUNIA:17295
Reference: URL:http://secunia.com/advisories/17295/
Reference: XF:phpbb-avatar-bypass-security(22837)
Reference: URL:http://xforce.iss.net/xforce/xfdb/22837

Multiple interpretation error in phpBB 2.0.17, with remote avatars and avatar uploading enabled, allows remote authenticated users to inject arbitrary web script or HTML via an HTML file with a GIF or JPEG file extension, which causes the HTML to be executed by a victim who views the file in Internet Explorer, which renders malformed image types as HTML, enabling cross-site scripting (XSS) attacks. NOTE: it could be argued that this vulnerability is due to a design flaw in Internet Explorer that should not require all web-based applications to work around; if so, then this should not be treated as a vulnerability in phpBB.

From jericho at attrition.org Tue Oct 25 21:20:03 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Oct 25 21:20:05 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To: <200510260106.j9Q16g31011693@linus.mitre.org>
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:

: How are other VDB's handling situations in which Internet Explorer
: automatic type detection feature renders HTML in .GIF/.JPG files as if
: it's HTML?

So far, we're making separate entries but I recognized this recently and wondered. Before this, the other possibly similar thing that came up was some XSS vulns that only occur if the victim uses MSIE.

: Theoretically, every single web application that allows uploads is
: "vulnerable" - is it really the application vendors' responsibility to
: work around this "feature"?
: From a VDB perspective I don't like the
: idea of "blaming" the wrong party and/or adding dozens or hundreds of
: entries for products that don't work around another product's feature.

Ditto, but the obvious problem is isolating exactly what is causing it and making it well known. This will help prevent subsequent reports and copycat vuln disclosures.

From coley at linus.mitre.org Tue Oct 25 21:28:17 2005
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue Oct 25 21:28:35 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To:
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:

On Tue, 25 Oct 2005, security curmudgeon wrote:

> So far, we're making separate entries but I recognized this recently and
> wondered. Before this, the other possibly similar thing that came up was
> some XSS vulns that only occur if the victim uses MSIE.

I was thinking about that in general. Netscape had some of its own unusual constructs that would escape normal XSS filters.

But you see this kind of stuff all over the place in A-V, even with corrupted files that are rejected by most - but not all - tools (e.g. CVE-2005-3210 through CVE-2005-3235).

I think this kind of happened with MS-DOS device names a number of years ago, when it used to cause a blue screen. Various products had to put in defenses/workarounds to protect themselves against what was basically an OS bug.

> Ditto, but the obvious problem is isolating exactly what is causing it and
> making it well known. This will help prevent subsequent reports and
> copycat vuln disclosures.

One can hope ;-) although it's a rather interesting example of how apparently cosmetic design choices can have major side effects.
- Steve

From sullo at cirt.net Tue Oct 25 21:34:43 2005
From: sullo at cirt.net (Sullo)
Date: Tue Oct 25 21:35:08 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To:
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID: <435EDD33.4090308@cirt.net>

security curmudgeon wrote:

>: How are other VDB's handling situations in which Internet Explorer
>: automatic type detection feature renders HTML in .GIF/.JPG files as if
>: it's HTML?
>
>So far, we're making separate entries but I recognized this recently and
>wondered. Before this, the other possibly similar thing that came up was
>some XSS vulns that only occur if the victim uses MSIE.
>
>

Well, I read the info that sparked this and decided that it's an IE problem, not a particular web app. So I'd argue it should be listed as a flaw in IE, not in the products that store and send the image file as an "image." After all... the list of products impacted by this is probably everything out there that gets/stores/displays an image--even if they are doing (some) verification... but the root "problem" is that IE does something it probably shouldn't.

-Sullo

--
http://www.cirt.net/ | http://www.osvdb.org/

From jericho at attrition.org Tue Oct 25 21:39:00 2005
From: jericho at attrition.org (security curmudgeon)
Date: Tue Oct 25 21:39:03 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To:
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:

: But you see this kind of stuff all over the place in A-V, even with
: corrupted files that are rejected by most - but not all - tools (e.g.
: CVE-2005-3210 through CVE-2005-3235).
:
: I think this kind of happened with MS-DOS device names a number of years
: ago, when it used to cause a blue screen. Various products had to put
: in defenses/workarounds to protect themselves against what was basically
: an OS bug.
Not just a few years ago =) We're still seeing the classic MS-DOS Device Name DoS today.

From jericho at attrition.org Thu Oct 27 06:35:37 2005
From: jericho at attrition.org (security curmudgeon)
Date: Thu Oct 27 06:35:39 2005
Subject: [VIM] Blaming product vendors for other vendors' "features"
In-Reply-To: <200510260106.j9Q16g31011693@linus.mitre.org>
References: <200510260106.j9Q16g31011693@linus.mitre.org>
Message-ID:

: How are other VDB's handling situations in which Internet Explorer
: automatic type detection feature renders HTML in .GIF/.JPG files as if
: it's HTML? Theoretically, every single web application that allows
: uploads is "vulnerable" - is it really the application vendors'
: responsibility to work around this "feature"? From a VDB perspective I
: don't like the idea of "blaming" the wrong party and/or adding dozens or
: hundreds of entries for products that don't work around another
: product's feature.

I revamped our entry for this (OSVDB 20248), now titled "Microsoft IE Embedded Content Processing XSS". I think there was a post prior to this, calling out a certain application as vulnerable "only if the person uses IE", but I don't recall what vuln it was, or if it was the same issue.

From coley at mitre.org Fri Oct 28 17:13:25 2005
From: coley at mitre.org (Steven M. Christey)
Date: Fri Oct 28 17:13:55 2005
Subject: [VIM] vendor inquiry on eRoom issues
Message-ID: <200510282113.j9SLDPdw016979@linus.mitre.org>

FYI, I sent an email inquiry to EMC about the eRoom vulns from July (see below). We got an inquiry about it. They are investigating the issue.
- Steve

======================================================
Name: CVE-2005-2184
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2184
Reference: BUGTRAQ:20050706 eRoom Multiple Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112069267700034&w=2

eRoom 6.x does not properly restrict files that can be attached, which allows remote attackers to execute arbitrary commands via a .lnk file.

======================================================
Name: CVE-2005-2185
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2185
Reference: BUGTRAQ:20050706 eRoom Multiple Security Issues
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=112069267700034&w=2

eRoom does not set an expiration for Cookies, which allows remote attackers to capture cookies and conduct replay attacks.

From coley at mitre.org Sat Oct 29 13:30:26 2005
From: coley at mitre.org (Steven M. Christey)
Date: Sat Oct 29 13:31:02 2005
Subject: [VIM] Saphp Lesson
Message-ID: <200510291730.j9THUQlW016772@linus.mitre.org>

Regarding this post by aLMaSTeR:

BUGTRAQ:20051024 SQL saphp Lesson
URL:http://marc.theaimsgroup.com/?l=bugtraq&m=113018965520240&w=2

I've been cruising Google for a while, and it took ages to figure out what "saphp" is/was. I tried alternate spellings such as "saphplesson" and "saphp lesson", to no avail. The only matches were vulnerability reports.

However, "saphpLesson2.0" seems to point to various web sites that use showcat.php and the forumid parameter. The sites are using some Arabic language. The "dros/" part of the URL does not seem to be inherent to the product.

The source site may have been www.saphp.com, but the site currently doesn't have any information on it.
Other useful search strings are "saphp Lesson1.1"

- Steve

From jericho at attrition.org Sat Oct 29 14:53:36 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Oct 29 14:53:38 2005
Subject: [VIM] Saphp Lesson
In-Reply-To: <200510291730.j9THUQlW016772@linus.mitre.org>
References: <200510291730.j9THUQlW016772@linus.mitre.org>
Message-ID:

: I've been cruising Google for a while, and it took ages to figure out
: what "saphp" is/was. I tried alternate spellings such as "saphplesson"
: and "saphp lesson", to no avail. The only matches were vulnerability
: reports.
:
: However, "saphpLesson2.0" seems to point to various web sites that use
: showcat.php and the forumid parameter. The sites are using some Arabic
: language. The "dros/" part of the URL does not seem to be inherent to
: the product.
:
: The source site may have been www.saphp.com, but the site currently
: doesn't have any information on it.

Yep, I had to use archive.org to find older versions, and even reported this web site to zone-h as a defacement. It only said "lord byron" (with elite speak), which I believe is a known defacer. archive.org didn't help much as the site is in Arabic(?)

From jericho at attrition.org Sat Oct 29 14:57:35 2005
From: jericho at attrition.org (security curmudgeon)
Date: Sat Oct 29 14:57:37 2005
Subject: [VIM] defacement (fwd)
Message-ID:

---------- Forwarded message ----------
From: security curmudgeon
To: Zone-H
Date: Tue, 25 Oct 2005 17:20:14 -0400 (EDT)
Subject: defacement

while digging into some vulnerabilities posted to bugtraq, found a vendor page that appears to be defaced. no clue when it happened

original:
http://web.archive.org/web/20041024043300/http://www.saphp.com/

currently:
http://www.saphp.com/