From krustevs at googlemail.com Sat Jul 1 08:32:22 2006
From: krustevs at googlemail.com (Support Service)
Date: Sat, 1 Jul 2006 05:32:22 -0700
Subject: [VIM] http://www.attrition.org/pipermail/vim/2006-June/000913.html
Message-ID: <88b78d300607010532of7fe3a3v6e0de87ab56d778b@mail.gmail.com>

Hi Steven,

Yes, I had spoken about hijacking the user session; that's why in the blog I spoke about 2 examples of how it can be used... in one of them I said that one must only put a hyperlink, because Hostflow does not use an IP filter and it will give the full user's session as the referer URL, without any XSS.

From coley at mitre.org Mon Jul 3 12:41:53 2006
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 3 Jul 2006 12:41:53 -0400 (EDT)
Subject: [VIM] Vendor dispute - CVE-2006-3249 (Phorum search.php)
Message-ID: <200607031641.k63Gfr0I002510@faron.mitre.org>

FYI. This was a r0t disclosure. I haven't investigated more closely. The bulk of the vendor e-mail to us is quoted in the CVE.

- Steve

======================================================
Name: CVE-2006-3249
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3249
Reference: MISC:http://pridels.blogspot.com/2006/06/phorum-sql-injection-vuln.html
Reference: MISC:http://www.phorum.org/cgi-bin/trac.cgi/ticket/382#preview

** DISPUTED ** SQL injection vulnerability in search.php in Phorum 5.1.14 and earlier allows remote attackers to execute arbitrary SQL commands via the page parameter. NOTE: the vendor has disputed this report, stating "If a non positive integer or non-integer is used for the page parameter for a search URL, the search query will use a negative number for the LIMIT clause. This causes the query to break, showing no results. It IS NOT however a sql injection error." While the original report is from a researcher with mixed accuracy, as of 20060703, CVE does not have any additional information regarding this issue.
From smoore at securityglobal.net Mon Jul 3 13:06:45 2006
From: smoore at securityglobal.net (Stuart Moore)
Date: Mon, 03 Jul 2006 13:06:45 -0400
Subject: [VIM] vendor dispute on CVE-2006-3253
Message-ID: <44A94EA5.5090603@securityglobal.net>

The vendor has contacted us to dispute the crazy cracker posting regarding a cross-site scripting vulnerability in vBulletin:

http://securitytracker.com/id?1016348

The vendor has been unable to reproduce this, testing versions 3.5.4, 3.6.0 and even 3.0.x. I did some random spot testing and was also unable to reproduce anything. Interestingly, crazy cracker's web site runs vBulletin 3.5.4.

I've sent mail to crazy cracker to ask for additional information, but last time I did that, I got no response.

Stuart

From coley at mitre.org Mon Jul 3 16:20:51 2006
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 3 Jul 2006 16:20:51 -0400 (EDT)
Subject: [VIM] Sun confirms SUNALERT:102496 link to CVE-2006-3159
Message-ID: <200607032020.k63KKphu007273@faron.mitre.org>

We just received e-mail confirmation from Sun that their SUNALERT:102496 is in fact related to the Full-Disclosure post from a couple weeks back (CVE-2006-3159). The details in the alert were a little vague albeit fairly similar, but the lack of cross-references made things too uncertain by CVE's standards.
- Steve

======================================================
Name: CVE-2006-3159
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3159
Reference: FULLDISC:20060614 Sun iPlanet Messaging Server 5.2 root password compromise
Reference: URL:http://lists.grok.org.uk/pipermail/full-disclosure/2006-June/046920.html
Reference: SUNALERT:102496
Reference: URL:http://sunsolve.sun.com/search/document.do?assetkey=1-26-102496-1
Reference: SECTRACK:1016312
Reference: URL:http://securitytracker.com/id?1016312
Reference: XF:iplanet-msgconf-symlink(27220)
Reference: URL:http://xforce.iss.net/xforce/xfdb/27220

pipe_master in Sun ONE/iPlanet Messaging Server 5.2 HotFix 1.16 (built May 14 2003) allows local users to read portions of restricted files via a symlink attack on msg.conf in a directory identified by the CONFIGROOT environment variable, which returns the first line of the file in an error message.

From heinbockel at mitre.org Wed Jul 5 18:33:50 2006
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Wed, 5 Jul 2006 18:33:50 -0400
Subject: [VIM] Searching for a good Bugtraq and Full-disclosure mirror...
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DCF7FE7B@IMCSRV5.MITRE.ORG>

Perhaps someone here can lend a hand (or a link):

I am looking for a mirror for Bugtraq and Full-disclosure postings for data mining and searching purposes.

Currently, marc.theaimsgroup.com is being used due to its decent search capabilities. The problem is that it does not provide the full e-mail subject line on the results page.

SecurityFocus provides the full subject (formatting aside) for at least Bugtraq, but its search capability is definitely lacking.

I've tried some other mirrors, but have found most to have subpar search capabilities (I'm looking for full subject and body text search) and/or lack of options (results must be sorted by descending timestamp).

So, what site do you guys turn to when you need to search the Bugtraq and/or Full-disclosure mailing lists?
CVE thanks you in advance,

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From jericho at attrition.org Wed Jul 5 18:56:29 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 5 Jul 2006 18:56:29 -0400 (EDT)
Subject: [VIM] Searching for a good Bugtraq and Full-disclosure mirror...
In-Reply-To: <224FBC6B814DBD4E9B9E293BE33A10DCF7FE7B@IMCSRV5.MITRE.ORG>
References: <224FBC6B814DBD4E9B9E293BE33A10DCF7FE7B@IMCSRV5.MITRE.ORG>
Message-ID:

: I am looking for a mirror for Bugtraq and Full-disclosure postings for
: data mining and searching purposes.
:
: Currently, marc.theaimsgroup.com is being used due to its decent search
: capabilities. The problem is that it does not provide the full e-mail
: subject line on the results page.
:
: SecurityFocus provides the full subject (formatting aside) for at least
: Bugtraq, but its search capability is definitely lacking.
:
: I've tried some other mirrors, but have found most to have subpar
: search capabilities (I'm looking for full subject and body text search)
: and/or lack of options (results must be sorted by descending timestamp).
:
: So, what site do you guys turn to when you need to search the Bugtraq
: and/or Full-disclosure mailing lists?

For day to day use, archives.neohapsis.com, but it uses Google as the search engine, and doesn't display some other header information that can be useful. I can't cite any examples right off, but when there is a question of the date/time published, neohapsis (and other archives) will only show the client-set date, which may be wrong.

Personally, if I need more details I use a local copy of the archived posts and grep/search as needed. Using procmail to save a copy of each list into its own folder has been incredibly helpful over the last few years.
-rw------- 1 jericho users 7685783 Sep 29 2002 archive-bugtraq-001.gz
-rw------- 1 jericho users 4156684 Apr 7 2003 archive-bugtraq-002.gz
-rw------- 1 jericho root 1144284 Nov 14 2003 archive-bugtraq-003.gz
-rw------- 1 jericho root 2345681 Mar 23 2004 archive-bugtraq-004.gz
-rw------- 1 jericho root 2870984 Aug 25 2004 archive-bugtraq-005.gz
-rw------- 1 jericho root 5525875 Apr 15 2005 archive-bugtraq-006.gz
-rw------- 1 jericho root 4849768 Nov 21 2005 archive-bugtraq-007.gz

This goes back to:

Date: Mon, 13 Aug 2001 15:22:22 +1200 (NZST)

From coley at mitre.org Fri Jul 7 15:06:34 2006
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 7 Jul 2006 15:06:34 -0400 (EDT)
Subject: [VIM] nanika Excel buffer overflow is new
Message-ID: <200607071906.k67J6YKY018666@faron.mitre.org>

FYI, I contacted Microsoft and they confirmed that the nanika Excel overflow is new. The CVE is below.

- Steve

======================================================
Name: CVE-2006-3431
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3431
Reference: BUGTRAQ:20060703 Excel 2000/XP/2003 Style 0day POC
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/438963/100/0/threaded
Reference: BUGTRAQ:20060707 Major updates to Excel 0-day Vulnerability FAQ at SecuriTeam Blogs
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/439427/100/0/threaded
Reference: BID:18872
Reference: URL:http://www.securityfocus.com/bid/18872
Reference: FRSIRT:ADV-2006-2689
Reference: URL:http://www.frsirt.com/english/advisories/2006/2689
Reference: SECUNIA:20268
Reference: URL:http://secunia.com/advisories/20268

Buffer overflow in certain Asian language versions of Microsoft Excel might allow user-complicit attackers to execute arbitrary code via a crafted spreadsheet that triggers the overflow when the user attempts to repair the document or selects the "Style" option, as demonstrated by nanika.xls.
NOTE: Microsoft has confirmed to CVE via e-mail that this is different than the other Excel vulnerabilities announced before 20060707, including CVE-2006-3059 and CVE-2006-3086.

From coley at mitre.org Fri Jul 7 18:48:43 2006
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 7 Jul 2006 18:48:43 -0400 (EDT)
Subject: [VIM] FortiGate issue - "EPSV" not "ESPV"
Message-ID: <200607072248.k67Mmhhc023486@faron.mitre.org>

Various vuln DBs have used the acronym "ESPV" for a recent FortiGate FTP Anti-Virus issue:

http://www.fortinet.com/FortiGuardCenter/advisory/FG-2006-15.html

However the proper acronym is "EPSV" for Extended Passive Mode, as defined in RFC2428:

http://www.networksorcery.com/enp/rfc/rfc2428.txt

- Steve

From heinbockel at mitre.org Tue Jul 11 09:37:11 2006
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Tue, 11 Jul 2006 09:37:11 -0400
Subject: [VIM] Webmin traversal - changelog
In-Reply-To: <44A5902C.1070009@tenablesecurity.com>
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DCFEB1CD@IMCSRV5.MITRE.ORG>

>-----Original Message-----
>From: vim-bounces at attrition.org
>[mailto:vim-bounces at attrition.org] On Behalf Of George A. Theall
>Sent: Freitag, 30. Juni 2006 16:57
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Webmin traversal - changelog
>
>security curmudgeon wrote:
>
>> Multiple guess!
>>
>> a) Not properly fixed the first time
>> b) Originally thought to be Windows only, then discovered works on Unix
>> c) Completely separate issues/scripts
>
>The issue with 1.270 involves a failure to sanitize '\' characters in
>simplify_path(), while that in 1.280 occurs because simplify_path() is
>called before HTML entities are decoded. Sample exploit available on
>request.
>
>George
>--
>theall at tenablesecurity.com
>

Is this (CVE-2006-3392) related to the recent posting on Bugtraq?
http://www.securityfocus.com/archive/1/archive/1/439653/100/0/threaded

And the following references provided therein:

http://securitydot.net/vuln/exploits/vulnerabilities/articles/17885/vuln.html
http://securitydot.net/xpl/exploits/vulnerabilities/articles/1152/exploit.html

which lists a directory traversal URL similar to that below:

http://[url]/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/[file]

(the "/..%01" sequence is repeated 61 times).

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From theall at tenablesecurity.com Tue Jul 11 09:55:44 2006
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 11 Jul 2006 09:55:44 -0400
Subject: [VIM] Webmin traversal - changelog
In-Reply-To: <224FBC6B814DBD4E9B9E293BE33A10DCFEB1CD@IMCSRV5.MITRE.ORG>
References: <224FBC6B814DBD4E9B9E293BE33A10DCFEB1CD@IMCSRV5.MITRE.ORG>
Message-ID: <44B3ADE0.1030706@tenablesecurity.com>

Heinbockel, Bill wrote:

> Is this (CVE-2006-3392) related to the recent posting on Bugtraq?
> http://www.securityfocus.com/archive/1/archive/1/439653/100/0/threaded
...
> which lists a directory traversal URL similar to that below:
> http://[url]/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/[file]
> (the "/..%01" sequence is repeated 61 times).

Yes, it's *very* similar to the exploit I used when I wrote my Nessus plugin to test for the original flaw:

http://www.nessus.org/plugins/index.php?view=viewsrc&id=21785

That plugin was first published on 6/30.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Tue Jul 11 16:02:14 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 11 Jul 2006 16:02:14 -0400 (EDT)
Subject: [VIM] Webmin traversal - changelog
In-Reply-To: <44B3ADE0.1030706@tenablesecurity.com>
References: <224FBC6B814DBD4E9B9E293BE33A10DCFEB1CD@IMCSRV5.MITRE.ORG> <44B3ADE0.1030706@tenablesecurity.com>
Message-ID:

On Tue, 11 Jul 2006, George A. Theall wrote:

> > //[url]/unauthenticated/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/..%01/[file]
> > (the "/..%01" sequence is repeated 61 times).
>
> Yes, it's *very* similar to the exploit I used when I wrote my Nessus
> plugin to test for the original flaw:
>
> http://www.nessus.org/plugins/index.php?view=viewsrc&id=21785

"*very*" is an understatement :

So now the question is, what's happening here - why is the "%01" working? Is it getting removed entirely after the ".." check, or does the underlying OS just ignore the 0x01 byte?

If the latter, then that's a pretty interesting feature.

- Steve

From theall at tenablesecurity.com Tue Jul 11 16:50:46 2006
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 11 Jul 2006 16:50:46 -0400
Subject: [VIM] Webmin traversal - changelog
In-Reply-To:
References: <224FBC6B814DBD4E9B9E293BE33A10DCFEB1CD@IMCSRV5.MITRE.ORG> <44B3ADE0.1030706@tenablesecurity.com>
Message-ID: <44B40F26.5030900@tenablesecurity.com>

Steven M. Christey wrote:

> "*very*" is an understatement :
>
> So now the question is, what's happening here - why is the "%01" working?
> Is it getting removed entirely after the ".." check, or does the
> underlying OS just ignore the 0x01 byte?

Anything between octal 0 and 37 is being removed -- look at lines 1482-82 as well as the simplify_path() function in the version of miniserv.pl included with 1.280.

For the plugin, I randomly picked a binary 1 and 10 directory traversal sequences (which might be thought of as 60 sequences because of the way I wrote the NASL code :-).

George
--
theall at tenablesecurity.com

From coley at mitre.org Tue Jul 11 19:04:51 2006
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 11 Jul 2006 19:04:51 -0400 (EDT)
Subject: [VIM] SimpleBoard sbp file inclusion - more info
Message-ID: <200607112304.k6BN4pBm026982@faron.mitre.org>

ref: http://milw0rm.com/exploits/1994

The milw0rm posting claims the bug was found in file_upload.php, but the demonstration URL uses image_upload.php. I did some source code inspection that shows that the same statement:

  require_once("$sbp/sb_helpers.php")

appears at the top of both files. Other files also have this statement, but they include a check for direct requests using a defined('_VALID_MOS') test.

- Steve

From coley at mitre.org Wed Jul 12 14:54:17 2006
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 12 Jul 2006 14:54:17 -0400 (EDT)
Subject: [VIM] Slight oddities in randshop file inclusion issue(s)
Message-ID: <200607121854.k6CIsHrT021126@faron.mitre.org>

Refs:

http://www.milw0rm.com/exploits/1971
http://www.securityfocus.com/archive/1/archive/1/439750/100/0/threaded

These posts give two different executables as entry points with a parameter "dateiPfad". A *brief* source inspection of 1.2 and 1.1.1 shows heavy use of a constant variable "DATEIPFAD". The only presence of the mixed-case "dateiPfad" appears to be a hard-coded set of the $dateiPfad variable, which is commented out, in config.inc.php for version 1.1.1.

However, this code might all have been fixed by the time I downloaded it. So if someone feels like investigating further, feel free. I'm out of time for this one :)

- Steve

From coley at mitre.org Wed Jul 19 15:01:29 2006
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 19 Jul 2006 15:01:29 -0400 (EDT)
Subject: [VIM] Vendor dispute of CVE-2006-3486 (MySQL overflow)
Message-ID: <200607191901.k6JJ1Tsu018377@faron.mitre.org>

Apparently a terse MySQL changelog entry made it into some VDBs and into CVE. The vendor has since disputed the issue to us. The CVE follows, with the end note approved by the vendor. I would tend to concur given the analysis.
- Steve

======================================================
Name: CVE-2006-3486
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3486
Acknowledged: yes changelog
Announced: 20060704
Flaw: buf
Reference: MISC:http://bugs.mysql.com/bug.php?id=20622
Reference: MISC:http://dev.mysql.com/doc/refman/5.1/en/news-5-1-12.html
Reference: MISC:http://dev.mysql.com/doc/refman/5.0/en/news-5-0-23.html
Reference: FRSIRT:ADV-2006-2700
Reference: URL:http://www.frsirt.com/english/advisories/2006/2700
Reference: XF:mysql-instancemanager-dos(27635)
Reference: URL:http://xforce.iss.net/xforce/xfdb/27635

** DISPUTED ** Off-by-one buffer overflow in the Instance_options::complete_initialization function in instance_options.cc in the Instance Manager in MySQL before 5.0.23 and 5.1 before 5.1.12 might allow local users to cause a denial of service (application crash) via unspecified vectors, which triggers the overflow when the convert_dirname function is called. NOTE: the vendor has disputed this issue via e-mail to CVE, saying that it is only exploitable when the user has access to the configuration file or the Instance Manager daemon. Due to intended functionality, this level of access would already allow the user to disrupt program operation, so this does not cross security boundaries and is not a vulnerability.

Analysis:

ACKNOWLEDGEMENT: MySQL 5.0.23 changelog: "A buffer overwrite error in Instance Manager caused a crash. (Bug#20622)" This apparently triggered some refined sources to report it as a security issue. However, the vendor notified CVE via e-mail that the issue is not exploitable to cross security boundaries, and approved the statement on 20060719.

ACCURACY: it is not clear whether this is security-relevant, as the input vectors are unknown.
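Added example, written for this archive and not code from the thread or from Webmin: a Python model of the ordering flaw George Theall describes in the Webmin traversal thread above (simplify_path() runs before the later pass that removes bytes in octal 0-37, so "..%01" survives canonicalisation and only afterwards becomes ".."). The simplify_path() stand-in, the exact order of the steps and the sample request path are assumptions based on the thread's description, not miniserv.pl's code; the hardened variant shows the fix a reviewer would ask for, namely finishing every decoding step before canonicalising.

```python
"""Model of the Webmin 1.280-style "decode after canonicalise" flaw.

Constructed example: the functions below are stand-ins for the behaviour
George Theall describes for miniserv.pl, not Webmin's own code.
"""
from urllib.parse import unquote


def strip_control_bytes(path: str) -> str:
    """Drop characters in the range octal 0-37 (0x00-0x1f), the pass the
    thread reports miniserv.pl performs on the request path."""
    return "".join(ch for ch in path if ord(ch) > 0x1F)


def simplify_path(path: str) -> str:
    """Collapse '.' and '..' components, never rising above the root.
    Hypothetical stand-in for Webmin's simplify_path(); assumption."""
    parts = []
    for comp in path.split("/"):
        if comp in ("", "."):
            continue
        if comp == "..":
            if parts:
                parts.pop()
            continue
        parts.append(comp)
    return "/" + "/".join(parts)


def resolve_vulnerable(raw_path: str) -> str:
    """Wrong order: URL-decode, simplify, then strip control bytes.
    A component such as '.\\x01.' is not '..' when simplify_path() sees it,
    so it is kept; the later strip turns it into a literal '..' that the
    filesystem will honour."""
    decoded = unquote(raw_path)
    simplified = simplify_path(decoded)
    return strip_control_bytes(simplified)


def resolve_hardened(raw_path: str) -> str:
    """Right order: run every decoding/normalisation step first, then
    canonicalise, so no later step can manufacture a new '..' component."""
    decoded = strip_control_bytes(unquote(raw_path))
    return simplify_path(decoded)


def escapes_root(resolved: str) -> bool:
    """True if the resolved path still carries a '..' component, i.e. the
    OS would resolve it above the document root the server prepends."""
    return ".." in resolved.split("/")


if __name__ == "__main__":
    # Constructed request modelled on the thread's "/..%01/" pattern; the
    # file name is a placeholder.
    request = "/unauthenticated/..%01/..%01/some-file.txt"
    for name, resolver in (("vulnerable", resolve_vulnerable),
                           ("hardened", resolve_hardened)):
        out = resolver(request)
        print(f"{name:10s} -> {out!r}  escapes root: {escapes_root(out)}")
```

The check that matters is `escapes_root()` on the result of each resolver: the vulnerable order yields `/unauthenticated/../../some-file.txt`, which a later string-concatenation with the document root lets the OS walk upward, while the hardened order yields `/some-file.txt`, a path that stays inside the root. The same ordering rule applies to the 1.270 variant George mentions (the unsanitised '\' in simplify_path()): whichever characters a later layer treats as separators must be normalised before the traversal check, not after.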
From jericho at attrition.org Thu Jul 20 10:26:11 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 20 Jul 2006 10:26:11 -0400 (EDT)
Subject: [VIM] vendor ack/fix: Actinic Catalog Unspecified .pl Files XSS (fwd)
Message-ID:

---------- Forwarded message ----------
From: Bruce Townsend
To: moderators at osvdb.org
Cc: 'David Eldridge - Actinic Ecommerce solutions'
Date: Thu, 20 Jul 2006 12:00:01 +0100
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] [Change Request] 27095: Actinic Catalog Unspecified .pl Files XSS

Hi

It has been pointed out to me that you are currently presenting incorrect information on four of your web pages about security vulnerabilities in Actinic Catalog:

'Currently, there are no known upgrades, patches, or workarounds available to correct this issue.'

These security loopholes, which all relate to cross-site scripting, were closed in a subsequent release. The fix is to upgrade to the latest version, currently v7.0.6

The other IDs affected are 27096, 27097 and 27098

I would be grateful if these could be corrected.

Best regards

Bruce Townsend
------------------------
Actinic Software Limited
www.actinic.co.uk
* Market-leading ecommerce software for small and medium businesses
* Professional ecommerce tools for web designers
Globe House, Lavender Park Road, West Byfleet, Surrey, KT14 6ND, UK
Tel: 0845 129 4800 | Fax: 01932 358341

This email has been scanned for viruses by NetBenefit using Sophos anti-virus technology

From jericho at attrition.org Thu Jul 20 11:16:09 2006
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 20 Jul 2006 11:16:09 -0400 (EDT)
Subject: [VIM] Vendor dispute - CVE-2006-3249 (Phorum search.php)
In-Reply-To: <200607031641.k63Gfr0I002510@faron.mitre.org>
References: <200607031641.k63Gfr0I002510@faron.mitre.org>
Message-ID:

: FYI. This was a r0t disclosure. I haven't investigated more closely.
: The bulk of the vendor e-mail to us is quoted in the CVE.

The pridels URL is now 404 as well.
: ======================================================
: Name: CVE-2006-3249
: Status: Candidate
: URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3249
: Reference: MISC:http://pridels.blogspot.com/2006/06/phorum-sql-injection-vuln.html

From jkouns at opensecurityfoundation.org Thu Jul 20 23:27:08 2006
From: jkouns at opensecurityfoundation.org (jkouns)
Date: Thu, 20 Jul 2006 23:27:08 -0400
Subject: [VIM] vuln DB gathering at Black Hat?
In-Reply-To: <448B7412.8090609@opensecurityfoundation.org>
References: <200606070339.k573dxpA007314@cairo.mitre.org> <448B7412.8090609@opensecurityfoundation.org>
Message-ID: <44C0498C.7010205@opensecurityfoundation.org>

Wanted to follow up on a VIM/VDB meeting at Black Hat.

We would like to propose that we meet Wednesday, August 2. Let's say at 20:30 @ the Shadow Bar. This should give time for Jericho to finish up hacker court and others time to hang out at the reception if they so choose...

If you definitely plan on meeting up then email me off list and we can trade contact information in case there are any issues.

Hope to see you guys soon!

--Jake

jkouns wrote:
>> : Will various people be going to Black Hat? Would it be worth having
>> a : gathering of some sort? Even if it's just to complain in person
>> instead : of on this list :)
>>
>> I will be there for one or two days of BH as well as most of the
>> weekend for Defcon.
>
> I think that is a great idea! I will be there on Tuesday..... When it
> gets a bit closer let's pick a time as we will have a better idea of
> the OSVDB events, etc.
>
> See you soon,
> --Jake

From coley at mitre.org Fri Jul 21 18:07:26 2006
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 21 Jul 2006 18:07:26 -0400 (EDT)
Subject: [VIM] ATutor 1.5.3 Cross Site Scripting
Message-ID: <200607212207.k6LM7QPn018728@faron.mitre.org>

Sent the following to the atutor vendor and CC'd Bugtraq. Did some diff digging between the original and patched versions.
Also, the diffs suggest a lot of SQL injection related fixes, and some of the originally mentioned XSS might be resultant from SQL injection. Don't have enough time to dig deeper though, sorry...

- Steve

============================================================

>The mentioned SQL injection vulnerability is not possible. Please
>remove it.

Could you explain this further?

In 1.5.3, edit_forum() in forums.inc.php has the following:

  $sql = "UPDATE ".TABLE_PREFIX."forums SET title='$_POST[title]', description='$_POST[body]' WHERE forum_id=$_POST[fid]";
  $result = mysql_query($sql,$db);

where it appears that $_POST[fid] is directly inserted into the SQL query.

In 1.5.3.1, a new statement has been added to the same function, just before the two statements above:

  $_POST['fid'] = intval($_POST['fid']);

This looks like cleansing that would be relevant for SQL injection.

For those who were wondering, both $_POST['title'] and $_POST['body'] are re-set using addslashes:

  $_POST['title'] = $addslashes($_POST['title']);
  $_POST['body'] = $addslashes($_POST['body']);

- Steve

From jericho at attrition.org Fri Jul 21 18:38:47 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 21 Jul 2006 18:38:47 -0400 (EDT)
Subject: [VIM] Hyper Estraier
Message-ID:

Secunia (21049) & CVE (2006-3671) reported a CSRF vuln in Hyper Estraier. Information came from the following changelog:

http://sourceforge.net/project/shownotes.php?release_id=432119

2006-07-13 Mikio Hirabayashi
 * estmaster.c (communicate): a CSRF vulnerability was cleared.

--

However, a few more entries stand out:

 * estmaster.c (sendnodecmdsearch): a bug of race condition was fixed.
 * estnode.c (est_get_host_addr): a bug about race confition of threads was fixed.
 * estnode.c (est_url_shuttle_impl): a bug of memory leak was fixed.
 * estraier.c (est_idx_size): a bug about overflow was fixed.

The two race conditions are too vague for creating an entry solely off the above text in my opinion.
"memory leak" is always iffy as it could be anything from a slow exhaustion of resources to disclosure of information. But typically an overflow is worth pointing out.

From jericho at attrition.org Fri Jul 21 18:42:10 2006
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 21 Jul 2006 18:42:10 -0400 (EDT)
Subject: [VIM] Hyper Estraier
In-Reply-To:
References:
Message-ID:

And this will teach me to be a tad more thorough, even when in a hurry. This refers to a patch in 2005-07, which is already covered by CVE 2005-3421. Doh!

From sullo at cirt.net Sun Jul 23 11:31:05 2006
From: sullo at cirt.net (Sullo)
Date: Sun, 23 Jul 2006 11:31:05 -0400
Subject: [VIM] Igloo DoublSpeak vuln
Message-ID: <44C39639.4010304@cirt.net>

CVE-2006-3069
BID:18401
SECTRACK:1016278

Since this guy posted (http://archives.neohapsis.com/archives/bugtraq/2006-06/0184.html) I checked out the source and confirmed he's right. The "advisory" author didn't bother to read more source or, I bet, even try it...

From index.php:

  require 'config.inc';
  require $config[private].'/storyfun.inc';
  require $config[private].'/local.inc';

Looks vuln, maybe? Except in the config.inc it says:

  'private' => '/www/mrpenguin.org/devel/private',

So... I don't see a path for exploit.

Now, if config.inc is in your web root... that's a different problem as it has your mysql db connection info in it. Also, I think the script relies on register globals as I see a lot of values being used in SQL that aren't defined and don't have any input validation on them... you know what that means--but I don't have time right now to dig into this further.

-Sullo

--
http://www.cirt.net/ | http://www.osvdb.org/

From jericho at attrition.org Sun Jul 23 12:04:41 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 23 Jul 2006 12:04:41 -0400 (EDT)
Subject: [VIM] Igloo DoublSpeak vuln
In-Reply-To: <44C39639.4010304@cirt.net>
References: <44C39639.4010304@cirt.net>
Message-ID:

: So... I don't see a path for exploit.
:
: Now, if config.inc is in your web root... that's a different problem as
: it has your mysql db connection info in it. Also, I think the script
: relies on register globals as I see a lot of values being used in SQL
: that aren't defined and don't have any input validation on them... you
: know what that means--but I don't have time right now to dig into this
: further.

now 404:

http://www.aria-security.net/advisory/igloo/doublespeak.txt

From theall at tenablesecurity.com Mon Jul 24 15:42:31 2006
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 24 Jul 2006 15:42:31 -0400
Subject: [VIM] Vanilla CMS
Message-ID: <44C522A7.8060309@tenablesecurity.com>

Has anyone else looked into the recently announced flaw in "Vanilla CMS"? Advisory's here:

http://www.securityfocus.com/archive/1/440938/30/0/threaded

I grabbed a copy of the software (it's more of a forum than a CMS) from here:

http://lussumo.com/download.php?Get=Vanilla

It appears to be version 1.0, and the code quoted in the advisory does appear in setup/upgrader.php (nb: there is no 'steup/'), which is dated June 24, 2006. At least in the version I was able to retrieve, I find immediately before that this snippet:

---- snip, snip, snip ----
$RootDirectory = str_replace('setup/', '', $WorkingDirectory);
$WebRoot = dirname(ForceString(@$_SERVER['PHP_SELF'], ''));
$WebRoot = substr($WebRoot, 0, strlen($WebRoot) - 5); // strips the "setup" off the end of the path.
$BaseUrl = 'http://'.ForceString(@$_SERVER['HTTP_HOST'], '').$WebRoot;
$ThemeDirectory = $WebRoot . 'themes/';
$AllowNext = 0;
$NewConfiguration = array();

// Assign some default values to the postback parameters
$DBHost = '';
$DBName = '';
$DBUser = '';
$DBPass = '';
$SupportEmail = '';
$SupportName = '';
$ApplicationTitle = '';
---- snip, snip, snip ----

So, does the remote include issue exist in a different version or did MFox just not look at this carefully?
George
--
theall at tenablesecurity.com

From jericho at attrition.org Mon Jul 24 15:59:19 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 24 Jul 2006 15:59:19 -0400 (EDT)
Subject: [VIM] Web-CMS <<--1.0 "print.php" SQL injection
In-Reply-To: <20060612170223.4532.qmail@securityfocus.com>
References: <20060612170223.4532.qmail@securityfocus.com>
Message-ID:

Hi,

: =============================================
: Discovered By: CrAzY CrAcKeR
: Site:www.alshmokh.com
: I want to thank my friend:-
: nono225-mHOn-rageh-Lover Hacker-Sw33t h4ck3r
: Breeeeh-BoNy_m-Rootshill-LiNuX_rOOt-SauDiVirUs
: =============================================
:
: Example:-
: /cms/print.php?id=[SQL]

What is the vendor's URL for "Web-CMS"? Using Google finds several possibilities.

Brian
OSVDB.org

From coley at linus.mitre.org Mon Jul 24 16:48:50 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 24 Jul 2006 16:48:50 -0400 (EDT)
Subject: [VIM] Vendor ACK for CVE-2006-3663
Message-ID:

FYI.

---------- Forwarded message ----------
Date: Mon, 24 Jul 2006 09:36:23 +0300
From: Raphael Barki
To: cve at mitre.org
Subject: CVE-2006-3663

Hi,

We are pleased to inform you that the security issue "Finjan Appliance 5100/8100 NG 8.3.5 stores passwords in plaintext in a backup file, which allows local users to gain privileges" described here:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3663

has been overcome with version 8.3.6 of Finjan's Vital Security Appliance (NG 5100/8100), released on 23/7/06.

Non-user passwords in Archive or LDAP locations were not encrypted in version 8.3.5. In order to prevent any potential vulnerability, the passwords for LDAP and Archive (i.e., backup) are now encrypted in version 8.3.6.

Please update your Web site accordingly and kindly send us a confirmation when done.
Best regards,
Raphael

____________________________________________
Raphael Barki
Director of Product Marketing

From jericho at attrition.org Mon Jul 24 18:46:30 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 24 Jul 2006 18:46:30 -0400 (EDT)
Subject: [VIM] bbrss PhpBB (phpbb_root_path) Remote File Inclusion (fwd)
Message-ID:

http://archives.neohapsis.com/archives/bugtraq/2006-06/0269.html
BID:18432

BID has labeled this "PhpBB BBRSS.PHP Remote File Include Vulnerability" but checking the 2.0.21 distro at http://www.phpbb.com/downloads.php finds no "bbrss.php" file in it. If it is an add-on, it isn't immediately obvious in a Google search. There were a few hits showing such a file installed on remote hosts:

http://mywebland.com/forums/bbrss.php
http://www.10.israel-forum.co.il/forum/bbrss.php
http://www.reflectionsindia.org/bapuli/forum/bbrss.php
  no html comment, but browse up one dir and it isn't a phpBB install.
  http://www.reflectionsindia.org/bapuli/forum/
http://www.linuxjuegos.com/foro/bbrss.php
http://www.faito.ru/forum/bbrss.php

Maybe relevant post with followup, but can't read:

http://www.iyuanma.com/Safety/9/8994_2006626203432.htm

Did anyone else do analysis? Secunia and SecTracker didn't include it seems.
---------- Forwarded message ----------
From: SpC-x at Bsdmail.Org
To: bugtraq at securityfocus.com
Date: 14 Jun 2006 04:56:46 -0000
Subject: bbrss PhpBB (phpbb_root_path) Remote File Inclusion

######################################################
# bbrss PhpBB (phpbb_root_path) Remote File Inclusion
######################################################
# Credit : SpC-x | The_BeKiR
# Site : http://wWw.SaVSaK.CoM
######################################################
# Greetz :
# | The_BeKiR | Nukedx | Ejder | Str0ke | joffer | Poizonb0x |
######################################################

Remote File Inclusion :

http://www.target.com/path/bbrss.php?phpbb_root_path=Command*Shell

Bbrss.PHP :

define('IN_PHPBB', true); // to ensure your script works !
//
$phpbb_root_path = './';
include_once($phpbb_root_path . 'extension.inc');
include_once($phpbb_root_path . 'common.php');

/SpC-x

From jericho at attrition.org Mon Jul 24 19:15:09 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 24 Jul 2006 19:15:09 -0400 (EDT)
Subject: [VIM] Fusion Polls (xtrphome) Remote File Inclusion
In-Reply-To: <20060614103439.5645.qmail@securityfocus.com>
References: <20060614103439.5645.qmail@securityfocus.com>
Message-ID:

: ######################################################
: # Fusion Polls (xtrphome) Remote File Inclusion
: ######################################################

Is this Fusion Polls:

Fusion Poll 1.1
http://www.fusionphp.net/
http://www.ezgoal.com/channels/developer/f.asp?f=319691

Fusion Polls 1.0
http://madguild0.tripod.com/poll/readme.html

Fusion Polls (no version)
http://www.hotscripts.com/Detailed/27531.html

Fusion Polls 1.0
http://www.1phpscripts.com/Polls_and_Voting_Scripts-5.html

Or another maybe?
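Added example, written for this archive and not code from the thread, from ATutor or from Phorum: a Python/sqlite3 model of the two integer-parameter cases discussed above, the ATutor edit_forum() WHERE clause that Steve diffed (fid interpolated directly, then intval() added in 1.5.3.1) and the Phorum search.php page parameter dispute (CVE-2006-3249), where an integer cast turns bad input into a negative LIMIT rather than injected SQL. The table, the rows, the `php_intval()` approximation of PHP's intval(), the pagination arithmetic and the use of quote doubling in place of addslashes are all assumptions made for the model.

```python
"""Integer parameters: interpolated (injectable) vs. cast/bound (not).

Constructed example; the schema, data and helper functions are stand-ins,
not ATutor's or Phorum's code.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for ATutor's forums table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE forums (forum_id INTEGER PRIMARY KEY, "
               "title TEXT, description TEXT)")
    db.executemany("INSERT INTO forums VALUES (?, ?, ?)", [
        (1, "General", "general talk"),
        (2, "Announcements", "read only"),
        (3, "Off-topic", "anything goes"),
    ])
    db.commit()
    return db


def php_intval(value: str) -> int:
    """Approximation of PHP's intval() on a string: leading optional sign
    and digits are used, anything else yields 0 (assumption, close enough
    for this model)."""
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0


def edit_forum_vulnerable(db: sqlite3.Connection, fid: str,
                          title: str, body: str) -> int:
    """Mirrors the 1.5.3 pattern Steve quotes: title/body are escaped
    (quote doubling stands in for addslashes), but fid goes into the
    WHERE clause verbatim. Returns the number of rows updated."""
    sql = ("UPDATE forums SET title='%s', description='%s' WHERE forum_id=%s"
           % (title.replace("'", "''"), body.replace("'", "''"), fid))
    cur = db.execute(sql)
    db.commit()
    return cur.rowcount


def edit_forum_fixed(db: sqlite3.Connection, fid: str,
                     title: str, body: str) -> int:
    """1.5.3.1-style fix (intval on fid) plus, going beyond that patch,
    bound parameters for every value so no input is ever part of the SQL
    text. Returns the number of rows updated."""
    cur = db.execute(
        "UPDATE forums SET title=?, description=? WHERE forum_id=?",
        (title, body, php_intval(fid)))
    db.commit()
    return cur.rowcount


def search_limit_clause(page: str, per_page: int = 10) -> str:
    """Phorum-style pagination after an integer cast (arithmetic assumed):
    a non-positive or non-numeric page produces a negative offset, which
    MySQL rejects as a broken query. Only the integer value of the input
    reaches the SQL, which is why the vendor calls this an error, not
    injection."""
    offset = (php_intval(page) - 1) * per_page
    return "LIMIT %d, %d" % (offset, per_page)


def search_limit_clause_clamped(page: str, per_page: int = 10) -> str:
    """Same thing with the page number clamped to >= 1, so bad input
    simply falls back to the first page instead of breaking the query."""
    offset = (max(1, php_intval(page)) - 1) * per_page
    return "LIMIT %d, %d" % (offset, per_page)


if __name__ == "__main__":
    # Constructed input: a value that is not a bare integer.
    tainted_fid = "1 OR 1=1"
    print("vulnerable rows updated:",
          edit_forum_vulnerable(make_db(), tainted_fid, "t", "d"))
    print("fixed rows updated:     ",
          edit_forum_fixed(make_db(), tainted_fid, "t", "d"))
    for page in ("3", "0", "abc"):
        print(f"page={page!r}: {search_limit_clause(page)} / "
              f"{search_limit_clause_clamped(page)}")
```

Run it and the difference Steve's diff points at is visible as a row count: the interpolated WHERE clause lets a non-integer fid touch every row, while the intval'd and bound version touches exactly one. The LIMIT helpers show the Phorum side of the same distinction: after an integer cast the worst a bad page value can do is produce a negative offset and an empty or failed result.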
From jericho at attrition.org Mon Jul 24 19:29:56 2006 From: jericho at attrition.org (security curmudgeon) Date: Mon, 24 Jul 2006 19:29:56 -0400 (EDT) Subject: [VIM] bbrss PhpBB (phpbb_root_path) Remote File Inclusion In-Reply-To: <4490A187.90506@tenablesecurity.com> References: <4490A187.90506@tenablesecurity.com> Message-ID: : To save people the effort... Man, I swear I searched my inbox for bbrss before posting! : bbrss appears to be an add-on for phpBB. I found a copy for download here: : : http://scripts.ringsworld.com/discussion-boards/bbrss/ spc-x seems to be crawling ringsworld.com for the latest batch of programs. i'll check there first for future disclosures =) From jericho at attrition.org Mon Jul 24 22:04:56 2006 From: jericho at attrition.org (security curmudgeon) Date: Mon, 24 Jul 2006 22:04:56 -0400 (EDT) Subject: [VIM] dvdwolf SQL injection/XSS (fwd) Message-ID: This appears to be site specific, for dvdwolf.com Google search shows these exact path/scripts in relation to it: Google Directory - Arts > Movies > Titles > S > Shaolin Soccer DVDWolf.com - Shaolin Soccor - http://www.dvdwolf.com/templates/dsp_movie.php? u_movieid=73625 Positive review of the upcoming release from Miramax. ... www.google.com/Top/Arts/Movies/Titles/S/Shaolin_Soccer/ Everything Tarantino | Kill Bill 2 DVD Coming In August http://www.dvdwolf.com/templates/dsp_movie.php?u_movieid=74031. But I agree with the majority opinion: I'm gonna suck it in til I get the boxed set. ... 
www.everythingtarantino.com/data/2004/0519-203156.shtml ---------- Forwarded message ---------- From: CrAzY.CrAcKeR at hotmail.com To: bugtraq at securityfocus.com Date: 16 Jun 2006 14:16:33 -0000 Subject: dvdwolf SQL injection/XSS ============================================= Discovered By: CrAzY CrAcKeR Site:www.alshmokh.com I want to thank my friend:- nono225-mHOn-rageh-Lover Hacker-Breeeeh BoNy_m-Rootshill-LiNuX_rOOt-Sw33t h4ck3r ============================================= Example:- /templates/dsp_movie.php?u_movieid=[SQL] /templates/dsp_movie.php?u_movieid=[XSS] =================================== Email: CrAzY.CrAcKeR(at)hotmail(dot)com From coley at linus.mitre.org Tue Jul 25 17:13:37 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue, 25 Jul 2006 17:13:37 -0400 (EDT) Subject: [VIM] Vanilla CMS In-Reply-To: <44C522A7.8060309@tenablesecurity.com> References: <44C522A7.8060309@tenablesecurity.com> Message-ID: On Mon, 24 Jul 2006, George A. Theall wrote: > It appears to be version 1.0, and the code quoted in the advisory does > appear in setup/upgrader.php (nb: there is no 'steup/'), which is dated > June 24, 2006. At least in the version I was able to retrieve, I find > immediately before that this snippet: > > ---- snip, snip, snip ---- > $RootDirectory = str_replace('setup/', '', $WorkingDirectory); >... > So, does the remote include issue exist in a different version or did > MFox just not look at this carefully? That's the question, but looking at the source code you mentioned, it doesn't appear in version 1.0. It does seem to be a pretty popular product, so maybe older versions are affected. However, a source listing of 0.9.2.6 appears to be here: http://phpxref.com/xref/vanilla/ but "upgrade.php" is not in a setup directory, and it doesn't have the code you mention. You mentioned the type in the advisory, but the vendor URL was also wrong, and the demonstration URL started with "Http". So there was a lot of manual typing going on. 
Even if it's real, a lot of "researchers" must be doing something like this:

egrep '(require|include).*\$' *.php | post-to-bugtraq.pl

- Steve

From jericho at attrition.org Tue Jul 25 18:35:13 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 25 Jul 2006 18:35:13 -0400 (EDT)
Subject: [VIM] Ashop Search Module SQL injection
In-Reply-To: <20060613164855.23080.qmail@securityfocus.com>
References: <20060613164855.23080.qmail@securityfocus.com>
Message-ID:

On Tue, 13 Jun 2006, entrika_fs at yahoo.com wrote:

: http://[SITE]/default.asp?mod=search&type=simple&q=%27+union+select+1%2Cadmin_password%2C3%2C4+from+admin_users+%27+&cmdSearch=Search
:
: credits: EntriKa & The_BeKiR & erne

Which "Ashop" is this?

AShop Software
www.ashopsoftware.com/

Ashop Shopping Cart Software
www.ashop.com.au/

ASHOP
www.ashop.com.hk/

Ashop
www.ashop.co.il/

Ashop
www.ashop.at/

ashop.co.uk
www.ashop.co.uk/

[..]

Something else?

From smoore at securityglobal.net Tue Jul 25 23:16:33 2006
From: smoore at securityglobal.net (Stuart Moore)
Date: Tue, 25 Jul 2006 23:16:33 -0400
Subject: [VIM] ListMessenger dispute CVE-2006-3692
Message-ID: <44C6DE91.70009@securityglobal.net>

Hi,

Matt Simpson (author of ListMessenger) wrote to say that the xoron posting regarding an include file vuln in ListMessenger is false. He pointed to line 26 of listmessenger.php:

$lm_path = "/my/full/path/to/listmessenger/directory/";

Code inspection confirms that lm_path is defined to be a local file before it is used in any include statement.

Perhaps this is a site-specific bug. Sound familiar?

We've asked xoron for clarification.
Stuart

http://securitytracker.com/id?1016530
CVE-2006-3692

From James.Williams at ca.com Wed Jul 26 04:35:17 2006
From: James.Williams at ca.com (Williams, James K)
Date: Wed, 26 Jul 2006 04:35:17 -0400
Subject: [VIM] bbrss PhpBB (phpbb_root_path) Remote File Inclusion
In-Reply-To:
Message-ID: <649CDCB56C88AA458EFF2CBF494B6204011976E6@USILMS12.ca.com>

bbrss is definitely _not_ part of the core phpbb distro. It appears to be an rss add-on, as you noted below. Furthermore, I'm 99% certain that it has never been a part of the phpbb core distro. As far as add-ons go, it's not very popular either.

Regards,
ken

> security curmudgeon jericho at attrition.org
> Mon Jul 24 19:29:56 EDT 2006
>
> : To save people the effort...
>
> Man, I swear I searched my inbox for bbrss before posting!
>
> : bbrss appears to be an add-on for phpBB. I found a copy for download here:
> :
> : http://scripts.ringsworld.com/discussion-boards/bbrss/
>
> spc-x seems to be crawling ringsworld.com for the latest batch of
> programs. i'll check there first for future disclosures =)

From jericho at attrition.org Wed Jul 26 17:11:04 2006
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 26 Jul 2006 17:11:04 -0400 (EDT)
Subject: [VIM] CMScout - vendor ack/fix
Message-ID:

OSVDB 25246 / CVE-2006-2188

http://www.cmscout.za.net/index.php?page=news&id=10

Critical Update
31 May, 08:01

Please get CMScout 1.21 ASAP, it fixes a critical security problem.

From jericho at attrition.org Sat Jul 29 12:27:21 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 29 Jul 2006 12:27:21 -0400 (EDT)
Subject: [VIM] security enquiry (fwd)
Message-ID:

---------- Forwarded message ----------
From: security curmudgeon
To: enquiries-at-traqsoftware.co.uk
Date: Sat, 29 Jul 2006 02:15:29 -0400 (EDT)
Subject: security enquiry

Hi,

Can you confirm the 6_7_rc release fixes the XSS vulns disclosed on Jun 23?
All I could find in the changelog notes was the following: The following functionality/fixes have been included in this release: ~ 606 67R: security advisory! Thanks Brian From jericho at attrition.org Sat Jul 29 12:27:39 2006 From: jericho at attrition.org (security curmudgeon) Date: Sat, 29 Jul 2006 12:27:39 -0400 (EDT) Subject: [VIM] security enquiry (fwd) Message-ID: ---------- Forwarded message ---------- From: Bill Echlin To: security curmudgeon Cc: enquiries-at-traqsoftware.co.uk Date: Sat, 29 Jul 2006 08:53:04 +0100 (BST) Subject: Re: security enquiry Hi Brian I can confirm that these fixes do address the XSS vulns disclosed on Jun 23rd. Just out of interest do you know who else I should contact to notify people in the security industry that these vulns are fixed? Kind regards Bill Echlin QaTraq Team www.testmanagement.com On Sat, 29 Jul 2006, security curmudgeon wrote: > > Hi, > > Can you confirm the 6_7_rc release fixes the XSS vulns disclosed on Jun > 23? All I could find in the changelog notes was the following: > > The following functionality/fixes have been included in this release: > ~ 606 67R: security advisory! > > Thanks > > Brian > From jericho at attrition.org Mon Jul 31 04:34:55 2006 From: jericho at attrition.org (security curmudgeon) Date: Mon, 31 Jul 2006 04:34:55 -0400 (EDT) Subject: [VIM] Do world's famous companies take care of their security? (fwd) Message-ID: Curious what the VDB crowd thinks of a list specifically created for the disclosure of XSS bugs? And if not XSS, substitute that with any other type. ---------- Forwarded message ---------- From: Valery Marchuk To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk Date: Mon, 31 Jul 2006 11:17:20 +0300 Subject: [Full-disclosure] Do world's famous companies take care of their security? Do world's famous companies take care of their security? 
There was discussion last week in the Full-Disclosure about XSS vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron suggested creation of a separate mailing list for just XSS vulnerabilities. I would agree with him if PayPal and many other world's famous companies tried at least to patch such bugs:

The incident with Netscape must be an example for everyone. Actually I don't understand the behavior of such companies. XSS bugs are easy to discover and easy to fix, so what's the problem? And instead of monitoring bugs these companies just put their customers at risk. That's how they do their business and that's how they take care of us - their customers.

There are XSS flaws at Digg's and Netscape's web sites. Are they planning to fix them?

There are still XSS flaws at PayPal's web site (two years and one week after XSS bugs were revealed). Are they planning to fix them?

Examples of XSS vulns are in my blog at
http://www.securitylab.ru/blog/tecklord/?category=19

I will publish such information in my blog and hope that companies will take care of their security.

Valery Marchuk

From jericho at attrition.org Mon Jul 31 04:35:16 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 31 Jul 2006 04:35:16 -0400 (EDT)
Subject: [VIM] [ISN] Security expert dubs July the 'Month of browser bugs' (fwd)
Message-ID:

---------- Forwarded message ----------
From: security curmudgeon
To: InfoSec News
Date: Mon, 31 Jul 2006 04:32:40 -0400 (EDT)
Subject: Re: [ISN] Security expert dubs July the 'Month of browser bugs'

http://osvdb.org/blog/?p=127

: http://news.com.com/Security+expert+dubs+July+the+Month+of+browser+bugs/2100-1002_3-6090959.html
:
: By Greg Sandoval
: Staff Writer, CNET News.com
: July 5, 2006
:
: Each day this month, a prominent security expert will highlight a new
: vulnerability found in one of the major Internet browsers.
: : HD Moore, the creator of Metasploit Framework, a tool that helps test : whether a system is safe from intrusion, has dubbed July the Month of : Browser Bugs. Already, the security researcher has featured five : security flaws, three for Microsoft's Internet Explorer and one apiece : for Mozilla's Firefox and Apple Computer's Safari. Thirty one days later, MoBB is done! By far one of the more interesting vulnerability disclosure projects we've seen this year. I have a strong feeling that the real ramifications won't be realized until months later, but until someone does a more thorough analysis.. my random thoughts. First, HDM and I chatted almost every single day during the month, mostly to coordinate the pre-assignment of OSVDB IDs for each bug. Due to the schedule I keep, it was usually easy to check the blog around midnight every night, and for 30 of the 31 days, he was right on time releasing the next bug. Only on the 31st day did he finally fall behind by a whole two hours (jeez, what a slacker!) in releasing the final bug. Ok ok, it wasn't due to slacking, he had been working for hours trying to isolate the exact details to fully understand and document the bug he had found in Safari. 31 browser bugs, what's the final breakdown? MSIE: 25 Apple Safari: 2 Mozilla: 2 Opera: 1 Konqueror: 1 I'll let you make any conclusions you want. If I hadn't posted this, we'd no doubt see at least one article saying how much more insecure MSIE is than X and this is just proof of that. Hopefully the fact I posted that last line might actually make a journalist stop and think, "why, is it something else?!" GLAD YOU ASKED! Ok not really, but there is more to it than W bugs in X browser vs Y bugs in Z browser so W must be more insecure than Y!@$#! If you can't think of any such reasons, quit your job and go to art school. What if he had... a) followed 'accepted' vulnerability disclosure guidelines? (the project would have been dubbed the YoBB?) 
b) sold his findings to the shops like ZDI or iDefense that pay for such information? (he'd be rich?!) c) sold his findings to a russian spam syndicate? (he'd be able to buy a new iPod?!) d) never posted a single bug in any fashion? (he and a dozen others would all be sitting on this information) e) provided even more easy point-and-drool exploitation? (we'd be reading another CNET article about the latest spyware/adware that exploited..) Want another month of browser bugs? Yes, he could continue on into August without a problem. The amount of browser bugs is stupid. Apparently, the idea of writing a basic fuzzer is still lost on the authors. The good news, HDM will be releasing the fuzzer he used to find all these to the public. Will an insane rush of browser bugs follow? We can hope! Want another month of browser bugs? Then do it yourself. While it may sound easy, researching each one to the degree HDM did is not easy and it isn't fast. If you can devote between 15 minutes and 3 hours a day for 31 days, then go for it! Until then, as my friend major says, "never lick a gift whore in the mouse." 
The bugs:

OSVDB ID  OSVDB Title
27534  Apple Safari KHTMLParser::popOneBlock Code Execution
27532  Microsoft IE ADODB.Recordset SysFreeString Invalid Length
27533  Microsoft IE Orphan Object Property Access NULL Dereference
27530  Microsoft IE NDFXArtEffects Multiple Property Stack Overflow
27559  Mozilla Multiple Product Window Navigator Object Arbitrary Code Execution
27373  Microsoft IE Native Function Iteration NULL Dereference
27374  Opera CSS Background Property HTTPS Memory Corruption
27232  Microsoft IE NMSA.ASFSourceMediaDescription dispValue Overflow
27372  Microsoft IE Forms Multiple Object ListWidth Property Overflow
27231  Microsoft IE HTML Help COM Object Click Method NULL Dereference
27230  Microsoft IE CEnroll SysAllocStringLen Invalid Length
27111  Microsoft IE OWC11.DataSourceControl getDataMemberName Method Overflow
27112  Microsoft IE OVCtl NewDefaultItem Method NULL Dereference
27109  Microsoft IE DXImageTransform.Microsoft.Gradient Multiple Property
27110  Microsoft IE WebViewFolderIcon setSlice Overflow
27108  Microsoft IE MHTMLFile Multiple Property NULL Dereference
27059  Microsoft IE FolderItem Object NULL Dereference
27058  KDE Konqueror replaceChild() NULL Dereference
27057  Microsoft IE DXImageTransform.Microsoft.RevealTrans Transition Property
27056  Microsoft IE TriEditDocument URL Property NULL Dereference
27055  Microsoft IE HtmlDlgSafeHelper fonts Property NULL Dereference
27014  Microsoft IE Object.Microsoft.DXTFilter Enabled Property NULL Dereference
27013  Microsoft IE DirectAnimation.DAUserData Data Property NULL Dereference
26955  Microsoft IE RDS.DataControl SysAllocStringLen Invalid Length Issue
26837  Microsoft IE Frameset inside Table NULL Dereference
26839  Microsoft IE DirectAnimation.StructuredGraphicsControl SourceURL NULL
26838  Apple Safari DHTML setAttributeNode() NULL Dereference
26836  Microsoft IE OutlookExpress.AddressBook COM Object NULL Dereference
26835  Microsoft IE HTML Help COM Object Image Property Heap Overflow
26834  Microsoft IE ADODB.Recordset COM Object Filter Property NULL Dereference
24967  Mozilla Firefox iframe.contentWindow.focus() Overflow

From sullo at cirt.net Mon Jul 31 08:04:50 2006
From: sullo at cirt.net (Sullo)
Date: Mon, 31 Jul 2006 08:04:50 -0400
Subject: [VIM] Do world's famous companies take care of their security? (fwd)
In-Reply-To:
References:
Message-ID: <44CDF1E2.9040508@cirt.net>

Personally, I think it would take away almost all of the "useful" FD content that isn't duplicated on bugtraq. I just don't see the point.

security curmudgeon wrote:
>
> Curious what the VDB crowd thinks of a list specifically created for
> the disclosure of XSS bugs?
>
> And if not XSS, substitute that with any other type.
>
> ---------- Forwarded message ----------
> From: Valery Marchuk
> To: bugtraq at securityfocus.com, full-disclosure at lists.grok.org.uk
> Date: Mon, 31 Jul 2006 11:17:20 +0300
> Subject: [Full-disclosure] Do world's famous companies take care of their
> security?
>
> Do world's famous companies take care of their security?
>
> There was discussion last week in the Full-Disclosure about XSS
> vulnerabilities in reply to XSS vulns in PayPal and Gadi Evron
> suggested creation of a separate mailing list for just XSS
> vulnerabilities. I would agree with him if PayPal and many other
> world's famous companies tried at least to patch such bugs:
>
> The incident with Netscape must be an example for everyone. Actually I
> don't understand the behavior of such companies. XSS bugs are easy to
> discover and easy to fix, so what's the problem? And instead of
> monitoring bugs these companies just put their customers at risk.
> That's how they do their business and that's how they take care of us
> - their customers.
>
> There are XSS flaws at Digg's and Netscape's web sites. Are they
> planning to fix them?
>
> There are still XSS flaws at PayPal's web site (two years and one week
> after XSS bugs were revealed). Are they planning to fix them?
>
> Examples of XSS vulns are in my blog at
> http://www.securitylab.ru/blog/tecklord/?category=19
>
> I will publish such information in my blog and hope that companies
> will take care of their security.
>
> Valery Marchuk
>

-- 
http://www.cirt.net/ | http://www.osvdb.org/

From jericho at attrition.org Mon Jul 31 12:59:36 2006
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 31 Jul 2006 12:59:36 -0400 (EDT)
Subject: [VIM] vuln DB gathering at Black Hat? (fwd)
Message-ID:

Just a reminder!

VIM/VDB gathering at BlackHat. This is open to anyone that works with VDBs, not just VIM members. 8:30, Shadow Bar (Caesars), Wed August 2.

---------- Forwarded message ----------
From: jkouns
To: Vulnerability Information Managers
Date: Thu, 20 Jul 2006 23:27:08 -0400
Reply-To: Vulnerability Information Managers
Subject: Re: [VIM] vuln DB gathering at Black Hat?

Wanted to follow up on a VIM/VDB meeting at Black Hat.

We would like to propose that we meet Wednesday, August 2. Let's say at 20:30 @ the Shadow Bar. This should give time for Jericho to finish up hacker court and others time to hang out at the reception if they so choose...

If you definitely plan on meeting up then email me off list and we can trade contact information in case there are any issues.

Hope to see you guys soon!

--Jake

jkouns wrote:
>> : Will various people be going to Black Hat? Would it be worth having a
>> : gathering of some sort? Even if it's just to complain in person instead
>> : of on this list :)
>>
>> I will be there for one or two days of BH as well as most of the weekend for
>> Defcon.
>
> I think that is a great idea! I will be there on Tuesday..... When it gets
> a bit closer let's pick a time as we will have a better idea of the OSVDB
> events, etc.
>
> See you soon,
> --Jake

From coley at linus.mitre.org Mon Jul 31 14:25:19 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 31 Jul 2006 14:25:19 -0400 (EDT)
Subject: [VIM] vuln DB gathering at Black Hat? (fwd)
In-Reply-To:
References:
Message-ID:

On Mon, 31 Jul 2006, security curmudgeon wrote:

> VIM/VDB gathering at BlackHat. This is open to anyone that works with
> VDBs, not just VIM members. 8:30, Shadow Bar (Caesars), Wed August 2.

I'm looking forward to it! I'll second the invitation for anyone who works with VDBs to attend.

- Steve

From coley at linus.mitre.org Mon Jul 31 15:47:02 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 31 Jul 2006 15:47:02 -0400 (EDT)
Subject: [VIM] Do world's famous companies take care of their security? (fwd)
In-Reply-To:
References:
Message-ID:

> Curious what the VDB crowd thinks of a list specifically created for the
> disclosure of XSS bugs?

It's definitely a gap, so I like it. Not sure what the VDB's role should be.

> And if not XSS, substitute that with any other type.

Things like sensitive data disclosure (files under the web root) are probably just as frequent, along with things like unauthenticated/unauthorized changes to other people's accounts - so any "site-specific" type of bug would count for inclusion on such a list, I'd think.

- Steve

From coley at linus.mitre.org Mon Jul 31 15:50:35 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 31 Jul 2006 15:50:35 -0400 (EDT)
Subject: [VIM] Do world's famous companies take care of their security? (fwd)
In-Reply-To: <44CDF1E2.9040508@cirt.net>
References: <44CDF1E2.9040508@cirt.net>
Message-ID:

On Mon, 31 Jul 2006, Sullo wrote:

> Personally, I think it would take away almost all of the "useful" FD
> content that isn't duplicated on bugtraq.

Interesting observation. Not sure what that says about FD :)

> I just don't see the point.

I don't think we collectively have much idea of the scope of the problem, since VDB's don't track this.
And "XYZ disclosure" practices don't really exist/apply in the site-specific world, so vendors are not necessarily pressured to address the issues. Such a beast might be useful for awareness, assuming it registers with the right people. - Steve From coley at linus.mitre.org Mon Jul 31 15:59:57 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 31 Jul 2006 15:59:57 -0400 (EDT) Subject: [VIM] security enquiry (fwd) In-Reply-To: References: Message-ID: On Sat, 29 Jul 2006, security curmudgeon wrote: > ---------- Forwarded message ---------- > From: Bill Echlin > To: security curmudgeon > > > Just out of interest do you know who else I should contact to notify > people in the security industry that these vulns are fixed? What was your answer? :) These days I just say a more user-friendly version of "we tell VIM and the others will see it." - Steve From jericho at attrition.org Mon Jul 31 16:28:11 2006 From: jericho at attrition.org (security curmudgeon) Date: Mon, 31 Jul 2006 16:28:11 -0400 (EDT) Subject: [VIM] security enquiry (fwd) In-Reply-To: References: Message-ID: : > ---------- Forwarded message ---------- : > From: Bill Echlin : > To: security curmudgeon : > : > : > Just out of interest do you know who else I should contact to notify : > people in the security industry that these vulns are fixed? : : What was your answer? :) These days I just say a more user-friendly : version of "we tell VIM and the others will see it." I mentioned I was with OSVDB, on a small list with other VDB reps and would forward it. I also said he could reply to the bugtraq post but cautioned that the list catered to security researchers, not his customers. From jericho at attrition.org Mon Jul 31 17:10:42 2006 From: jericho at attrition.org (security curmudgeon) Date: Mon, 31 Jul 2006 17:10:42 -0400 (EDT) Subject: [VIM] Do world's famous companies take care of their security? 
(fwd) In-Reply-To: References: <44CDF1E2.9040508@cirt.net> Message-ID: : > I just don't see the point. : : I don't think we collectively have much idea of the scope of the : problem, since VDB's don't track this. And "XYZ disclosure" practices : don't really exist/apply in the site-specific world, so vendors are not : necessarily pressured to address the issues. Such a beast might be : useful for awareness, assuming it registers with the right people. Not scientific by any means, but I have the start of an idea on the scope =) I think I have mentioned this before, maybe to some of you off list. I keep a really primitive archive of site specific issues. It's nothing more than saving the disclosure e-mail to its own file. Since I don't have time to really track these, I do it really fast, often append random numbers to the file name to avoid overwriting or appending to a previous disclosure, etc. The file times aren't the best indication of disclosure since i've copied these files around, moved them, edited/appended, etc. But, it may give us an idea of just how many we've seen cross the lists. 
Sorry for the length of this, but it goes to the point =)
Jul 31 08:47 site-mafia-games -rw------- 1 jericho root 2079 Feb 15 22:36 site-mahindrabt.com-xss -rw------- 1 jericho root 1644 Jul 31 08:47 site-mail2world_and_icqmail -rw------- 1 jericho root 5066 Feb 15 22:36 site-many_translation-xss -rw------- 1 jericho root 1055 Aug 4 2005 site-mcdonalds-xss -rw------- 1 jericho root 1581 Jul 31 08:47 site-meefo.com-xss -rw------- 1 jericho root 962 Jul 31 08:47 site-microsoft-3248923 -rw------- 1 jericho root 908 Feb 15 22:36 site-moblog.co.uk-m3log -rw------- 1 jericho root 4538 Jul 31 08:47 site-movilnet-captha -rw------- 1 jericho root 1237 Jul 31 08:47 site-mp3.com-xss -rw------- 1 jericho root 13297 Dec 8 2005 site-multiple -rw------- 1 jericho root 1133 Aug 4 2005 site-multiple-huge_site-xss -rw------- 1 jericho root 1238 Apr 16 2005 site-multiple-xss -rw------- 1 jericho root 3976 Aug 4 2005 site-multiple-xss2394 -rw------- 1 jericho root 4502 Apr 16 2005 site-multiple_il_domains -rw------- 1 jericho root 2383 Apr 16 2005 site-musicmatch-xss -rw------- 1 jericho root 1095 Apr 16 2005 site-my-forum.org -rw------- 1 jericho root 2179 Oct 26 2004 site-my-yahoo-search-spam.bug -rw------- 1 jericho root 874 Jul 31 08:47 site-my6d.com-xss -rw------- 1 jericho root 1349 Jul 31 08:47 site-mydeardiary.com-xss -rw------- 1 jericho root 9021 Jul 31 08:47 site-myspace-bulletin_disclosure -rw------- 1 jericho root 10466 Jul 31 08:47 site-myspace-forum_post -rw------- 1 jericho root 858 Jul 31 08:47 site-myspace-id_box -rw------- 1 jericho root 7725 Dec 8 2005 site-myspace-injection -rw------- 1 jericho root 1144 Jul 31 08:47 site-myspace-td-phising -rw------- 1 jericho root 12798 Jul 31 08:47 site-myspace-xss_intricate -rw------- 1 jericho root 4759 Dec 8 2005 site-myspace.com -rw------- 1 jericho root 428 Jul 31 08:47 site-mytruehood.com-xss -rw------- 1 jericho root 503 Jul 31 08:47 site-myvideo.de-xss -rw------- 1 jericho root 1606 Jul 31 08:47 site-myyearbook.com-xss -rw------- 1 jericho root 803 Dec 8 2005 
site-names.co.uk-xss -rw------- 1 jericho root 9636 Jul 31 08:47 site-neckermann_welten -rw------- 1 jericho root 4239 Dec 8 2005 site-netbank.commbank.com.au-xss -rw------- 1 jericho root 1281 Aug 4 2005 site-netflix-phising -rw------- 1 jericho root 1853 Jul 31 08:47 site-netscape.com-xss -rw------- 1 jericho root 490 Jul 31 08:47 site-newscientist.com-xss -rw------- 1 jericho root 359 Dec 27 2005 site-nist.gov-xss -rw------- 1 jericho root 825 Dec 8 2005 site-nordstroms.com -rw------- 1 jericho root 1689 Jul 31 08:47 site-nowtalking.com-xss -rw------- 1 jericho root 2583 Feb 15 22:36 site-nsa-multiple -rw------- 1 jericho root 810 Aug 4 2005 site-nsa.gov-xss -rw------- 1 jericho root 3680 Jul 31 08:47 site-onlinenode.com-xss -rw------- 1 jericho root 3039 Jul 31 08:47 site-opengaia.com-xss -rw------- 1 jericho root 1387 Jul 31 08:47 site-opengear.com-xss -rw------- 1 jericho root 742 Jul 31 08:47 site-openoffice.org-redirect -rw------- 1 jericho root 2606 Jul 31 08:47 site-orkut.com-xss2893742 -rw------- 1 jericho root 1274 Jul 31 08:47 site-palm.com-xss -rw------- 1 jericho root 608 Jul 31 08:47 site-patronet-xss -rw------- 1 jericho root 5163 Apr 16 2005 site-paymaxx -rw------- 1 jericho root 2080 Jul 31 08:47 site-paypal-phishing -rw------- 1 jericho root 3014 Jul 31 08:47 site-paypal-secureserver -rw------- 1 jericho root 932 Oct 26 2004 site-paypal-shoppingcart.bug -rw------- 1 jericho root 6452 Apr 16 2005 site-paypal-webscr -rw------- 1 jericho root 2924 Aug 4 2005 site-paypal_buttons -rw------- 1 jericho root 1493 Oct 26 2004 site-pcwelt.de-xss.bug -rw------- 1 jericho root 6467 Dec 8 2005 site-persianblog.com-sql -rw------- 1 jericho root 880 Apr 16 2005 site-phrack.org -rw------- 1 jericho root 75 Jul 31 08:47 site-phxcontacts -rw------- 1 jericho root 532 Jul 31 08:47 site-prdownloads.sourceforge.net-xss -rw------- 1 jericho root 382 Jul 31 08:47 site-race-event-manager.de-xss -rw------- 1 jericho root 1503 Jul 31 08:47 site-raindance-xss -rw------- 1 
jericho root 1038 Feb 15 22:36 site-rapidshare.de-xss -rw------- 1 jericho root 1790 Jul 31 08:47 site-ratemylook.co.uk-xss -rw------- 1 jericho root 984 Jul 31 08:47 site-ratescene.co.uk-xss -rw------- 1 jericho root 934 Feb 15 22:36 site-recruitment-agency-software -rw------- 1 jericho root 7924 Jul 31 08:47 site-reviews.ebay.com-xss -rw------- 1 jericho root 1692 Dec 8 2005 site-rsasecurity.com-xss -rw------- 1 jericho root 1272 Apr 16 2005 site-sago_networks-cleartext -rw------- 1 jericho root 4054 Aug 4 2005 site-scottrade.com -rw------- 1 jericho root 4666 Apr 16 2005 site-scottrade1 -rw------- 1 jericho root 5396 Apr 16 2005 site-scottsave.com-history -rw------- 1 jericho root 523 Jul 31 08:47 site-shabablek-xss -rw------- 1 jericho root 907 Dec 8 2005 site-shop2.o2online.de-xss -rw------- 1 jericho root 1556 Jul 31 08:47 site-soe-forums -rw------- 1 jericho root 4289 Feb 15 22:36 site-sony-myive -rw------- 1 jericho root 1896 Apr 16 2005 site-sportswear-sites_multiple -rw------- 1 jericho root 3184 Jul 31 08:47 site-stargazoer.org-xss -rw------- 1 jericho root 11785 Aug 4 2005 site-statcounter.com-injection -rw------- 1 jericho root 1493 Oct 26 2004 site-suche.aol.de-xss.bug -rw------- 1 jericho root 2296 Dec 8 2005 site-superclick-popup-xss -rw------- 1 jericho root 2737 Feb 15 22:36 site-superonline.com-xss -rw------- 1 jericho root 1860 Aug 4 2005 site-support.msn.com-phishing -rw------- 1 jericho root 1662 Jul 31 08:47 site-swapitshop.com-browse.cgi-xss -rw------- 1 jericho root 688 Dec 8 2005 site-t-online.de-xss -rw------- 1 jericho root 843 Dec 8 2005 site-tanfoglio.it-popup -rw------- 1 jericho root 1608 Jul 31 08:47 site-technorati.com-xss -rw------- 1 jericho root 617 Jul 31 08:47 site-tempinbox.com-xss -rw------- 1 jericho root 1176 Apr 16 2005 site-thc.org -rw------- 1 jericho root 703 Jul 31 08:47 site-thestar.com-xss -rw------- 1 jericho root 508 Jul 31 08:47 site-timberland-xss -rw------- 1 jericho root 1637 Jul 31 08:47 site-titus.de-xss 
-rw------- 1 jericho root 2270 Jul 31 08:47 site-tlen.pl-xss -rw------- 1 jericho root 2176 Aug 4 2005 site-tmobile-email_disclosure -rw------- 1 jericho root 1338 Dec 8 2005 site-trendmicro.com-pagingreport.asp-xss -rw------- 1 jericho root 1587 Nov 11 2004 site-truste.org-invalidate.php-xss -rw------- 1 jericho root 3250 Apr 16 2005 site-u_o_phoenix-outlook -rw------- 1 jericho root 3253 Nov 11 2004 site-ureach.com-xss.bug -rw------- 1 jericho root 465 Jul 31 08:47 site-vampirefreaks.com-xss -rw------- 1 jericho root 2067 Jul 31 08:47 site-vbulletin.com-xss -rw------- 1 jericho root 2380 Dec 8 2005 site-verizon-wireless -rw------- 1 jericho root 316 Jul 31 08:47 site-vgm_forbin -rw------- 1 jericho root 2612 Jul 31 08:47 site-virtualtourist.com-xss -rw------- 1 jericho root 1289 Jul 31 08:47 site-vodafone.de-xss -rw------- 1 jericho root 949 Jul 31 08:47 site-wanderlist.com-xss -rw------- 1 jericho root 2492 Jul 31 08:47 site-webcrawler.com-xss -rw------- 1 jericho root 372 Dec 8 2005 site-webistanbul-sql -rw------- 1 jericho root 1712 Aug 4 2005 site-whatpulse.org-xss -rw------- 1 jericho root 4468 Dec 8 2005 site-whois.sc-email -rw------- 1 jericho root 1992 Jul 31 08:47 site-windowsitpro.com-xss -rw------- 1 jericho root 100 Apr 16 2005 site-xanga -rw------- 1 jericho root 2538 Aug 4 2005 site-yahoo-360-website -rw------- 1 jericho root 2210 Apr 16 2005 site-yahoo-div-xss.bug -rw------- 1 jericho root 910 Jul 31 08:47 site-yahoo-login.src -rw------- 1 jericho root 2925 Dec 27 2005 site-yahoo-mail-filter-xss -rw------- 1 jericho root 2777 Jul 31 08:47 site-yahoo-mail-xss.23498293 -rw------- 1 jericho root 1207 Jul 31 08:47 site-yahoo-mail-xss9823548273 -rw------- 1 jericho root 2502 Feb 15 22:36 site-yahoo-mail_filter-xss -rw------- 1 jericho root 699 Jul 31 08:47 site-yahoo-webmail-1day -rw------- 1 jericho root 1617 Oct 26 2004 site-yahoo.com-learn-spam.bug -rw------- 1 jericho root 3460 Dec 8 2005 site-yahoo.com-multiple-xss -rw------- 1 jericho root 3015 
From coley at linus.mitre.org Mon Jul 31 17:45:28 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 31 Jul 2006 17:45:28 -0400 (EDT)
Subject: [VIM] Xss in MttKe-php v2.6
Message-ID:

---------- Forwarded message ----------
Date: Mon, 31 Jul 2006 17:36:01 -0400 (EDT)
Message-Id: <200607312136.k6VLa11T012990 at faron.mitre.org>
From: "Steven M. Christey"
To: R0t-K33Y at hotmail.com
CC: bugtraq at securityfocus.com
Subject: Re: Xss in MttKe-php v2.6

>Xss in MttKe-php v2.6

What product or web site is this? A Google search returns mostly
references to the original post.

- Steve

From sullo at cirt.net Mon Jul 31 23:39:34 2006
From: sullo at cirt.net (Sullo)
Date: Mon, 31 Jul 2006 23:39:34 -0400
Subject: [VIM] Do world's famous companies take care of their security? (fwd)
In-Reply-To:
References: <44CDF1E2.9040508@cirt.net>
Message-ID: <44CECCF6.5070105@cirt.net>

Steven M. Christey wrote:
> On Mon, 31 Jul 2006, Sullo wrote:
>
>> Personally, I think it would take away almost all of the "useful" FD
>> content that isn't duplicated on bugtraq.
>
> Interesting observation. Not sure what that says about FD :)

Well, that was my point... FD is pretty useless already. Take that away and... I'll unsubscribe again :)

>> I just don't see the point.
>
> I don't think we collectively have much idea of the scope of the problem,
> since VDBs don't track this. And "XYZ disclosure" practices don't really
> exist/apply in the site-specific world, so vendors are not necessarily
> pressured to address the issues. Such a beast might be useful for
> awareness, assuming it registers with the right people.

I see the point of tracking, just not of having a list dedicated to it...

--
http://www.cirt.net/ | http://www.osvdb.org/