[VIM] security exploit - false positive (fwd)

Steven M. Christey coley at linus.mitre.org
Fri Jan 13 13:43:47 EST 2006


Here you go.

I should REALLY write up some testing / clarification notes to
automatically send to vendors.


---------- Forwarded message ----------
Date: Fri, 13 Jan 2006 13:38:54 -0500 (EST)
From: Steven M. Christey <coley at rcf-smtp.mitre.org>
To: 'Tony Boyd'
Cc: cve at mitre.org, 'Steven M. Christey' <coley at mitre.org>
Subject: RE: security exploit - false positive


Tony,

I have noticed a positive trend of clarifications coming from vendors, and
I appreciate it.  I was wondering how you were made aware of this issue?
(We would love to notify all vendors but as you will see in this followup,
it is extremely resource-intensive and beyond CVE's scope to do for
everything.)

This issue was found by a somewhat reliable researcher, in that when he
reports something, there's usually something real going on.

However, he also mis-diagnoses many SQL errors as if they are SQL
injection, and this might be what happened here.  I've publicly warned
researchers about this mistake in the past, but they still make it.

Here's my bet:

 - he entered a '   (single quote)

 - your preg_replace made $permalink be ""

 - with PHP errors on, this generated a SQL error because the argument is
non-numeric (and blank):

    SELECT topic_id FROM [whatever]topics WHERE forum_id = $forum
    AND topic_id<

See? no numeric argument after topic_id.  Invalid syntax, error generated.
(Actually you seem to assume that $forum is also defined, which in r0t's
example it's not)


So, try this:

  - enable PHP display_errors "on"
  - provide permalink with a ' argument


I'll rephrase the description to state that this is a path disclosure
problem related to invalid SQL syntax, and I'll try to get r0t to
understand that he needs to be better about diagnosis.

I will forward your comments to other vuln DBs, as well as this answer.


Regards,
Steve Christey
CVE Editor



On Fri, 13 Jan 2006, Peter Mell wrote:

> Tony,
>
> NVD is a search engine and database for the CVE vulnerability dictionary.
> The CVE staff make the decision about what constitutes a vulnerability and
> NVD synchronizes with, and adds to, their information. Thus, this issue will
> need to be corrected within CVE and it will then be automatically updated
> within NVD.
>
> I have included the CVE staff in this email so that they can assist you.
>
> Best wishes,
> Peter Mell
> NVD Project Lead
>
> > -----Original Message-----
> > From: Tony Boyd
> > Sent: Friday, January 13, 2006 8:02 AM
> > To: nvd at nist.gov
> > Subject: security exploit - false positive
> >
> > I believe your notice about SQL injection into phpBB Blog is incorrect.
> > Your notice appears here:
> >
> > http://nvd.nist.gov/nvd.cfm?cvename=CVE-2005-4346
> >
> > As the author, I saw the advisory, and attempted to do as shown (append
> > SQL to the URL string).  The SQL was not executed.
> >
> > In addition, the advisory suggests that the script is not properly
> > sanitizing user-supplied input to the "permalink" variable.  However, it
> > is.  This line in blog.php sanitizes the data:
> >
> > $perma_id = preg_replace("/[^0-9]/", "", $_GET['permalink']);
> >
> > -Tony
> >
>
>
>
>
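
The diagnosis in this thread (the digit-only filter turns a lone single quote into an empty string, so the query loses its right-hand operand and fails with a syntax error) can be reproduced as follows. This is an added example, not code from phpBB Blog or from any participant in the thread; it assumes PHP with the pdo_sqlite extension, and the table layout, function names and sample inputs are constructed.

```php
<?php
// Added example. Table layout, function names and sample inputs are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (topic_id INTEGER, forum_id INTEGER)');
$db->exec('INSERT INTO topics VALUES (5, 1), (9, 1)');

// The filter quoted in the thread: every non-digit character is dropped.
function filter_permalink(string $raw): string
{
    return preg_replace('/[^0-9]/', '', $raw);
}

// Query shape from the thread, built by string concatenation.
function lookup_concat(PDO $db, int $forum, string $raw): string
{
    $perma_id = filter_permalink($raw);
    $sql = "SELECT topic_id FROM topics WHERE forum_id = $forum AND topic_id < $perma_id";
    try {
        return 'rows: ' . implode(',', $db->query($sql)->fetchAll(PDO::FETCH_COLUMN));
    } catch (PDOException $e) {
        // An empty $perma_id leaves "topic_id < " with no operand: a syntax
        // error, not injection. Shown to the client, this is the disclosure.
        return 'SQL error: ' . $e->getMessage();
    }
}

// Hardened form: refuse an empty value, then bind both operands as integers.
function lookup_checked(PDO $db, int $forum, string $raw): string
{
    $perma_id = filter_permalink($raw);
    if ($perma_id === '') {
        return 'rejected: permalink contains no digits';
    }
    $stmt = $db->prepare('SELECT topic_id FROM topics WHERE forum_id = ? AND topic_id < ?');
    $stmt->bindValue(1, $forum, PDO::PARAM_INT);
    $stmt->bindValue(2, (int) $perma_id, PDO::PARAM_INT);
    $stmt->execute();
    return 'rows: ' . implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Constructed inputs: a valid id, a lone single quote, digits followed by SQL text.
foreach (['7', "'", '7 OR 1=1'] as $raw) {
    printf("%-10s concat  => %s\n", $raw, lookup_concat($db, 1, $raw));
    printf("%-10s checked => %s\n", $raw, lookup_checked($db, 1, $raw));
}
```

The third input reaches the query as the number 711, so the appended text is never executed; only the empty case produces an error, and only the concatenated version lets that error surface.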

