From coley at mitre.org Fri Sep 7 23:50:20 2007
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 7 Sep 2007 19:50:20 -0400 (EDT)
Subject: [VIM] vendor coordination denied on account of "stupidity"
Message-ID: <200709072350.l87NoKO2024172@faron.mitre.org>

Gotta love disclosure comments on a Friday afternoon.

from Luigi Auriemma:

http://www.securityfocus.com/archive/1/archive/1/478628/100/0/threaded

"The developer has not been contacted because he is too stupid for understanding a bug report:
http://www.quakesrc.org/forums/viewtopic.php?t=6843&start=1 "

This thread is for an older bug report that Luigi had made, and features the usual vendor/customer reactions to first disclosures.

Buried in the discussion is the vendor's claim that Luigi gave a hard 2-week deadline and released earlier than that deadline. I don't know if this is true, and if so, whether it's a common practice with Luigi, but I don't recall seeing these kinds of critiques leveled against him in the past.

For added simultaneous humor and depression, the vendor also calls him a "script kiddie".

- Steve

From coley at mitre.org Sat Sep 8 01:46:14 2007
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 7 Sep 2007 21:46:14 -0400 (EDT)
Subject: [VIM] possibly true: Olate Download 3.4.2 userupload.php / upload
Message-ID: <200709080146.l881kE8M026534@faron.mitre.org>

Researcher: imei Addmimistrator, who's usually accurate

http://www.securityfocus.com/archive/1/478359/100/0/threaded

The researcher's http://myimei.com site is generating a server error currently.

There's a dispute here:

http://www.securityfocus.com/archive/1/478640/100/0/threaded

that claims:

  Olate 3.4.2 check the extension of uploaded file and by default you can't upload anything.

then there's a code extract:

  if (isset($_FILES['uploadfile'])) {
    $ext = strrchr($_FILES['uploadfile']['name'], '.')

BUT...

it seems to me like the code extract could be vulnerable with a double-extension like "abc.php.gif" on Apache or other servers that would process this as a PHP program. I don't have the time to investigate this more closely, however.

- Steve

From ascii at katamail.com Sat Sep 8 01:57:54 2007
From: ascii at katamail.com (ascii)
Date: Sat, 08 Sep 2007 03:57:54 +0200
Subject: [VIM] vendor coordination denied on account of "stupidity"
In-Reply-To: <200709072350.l87NoKO2024172@faron.mitre.org>
References: <200709072350.l87NoKO2024172@faron.mitre.org>
Message-ID: <46E201A2.1000207@katamail.com>

Steven M. Christey wrote:
> This thread is for an older bug report that Luigi had made, and
> features the usual vendor/customer reactions to first disclosures.
>
> Buried in the discussion is the vendor's claim that Luigi gave a hard
> 2-week deadline and released earlier than that deadline. I don't know
> if this is true, and if so, whether it's a common practice with Luigi,
> but I don't recall seeing these kinds of critiques leveled against him
> in the past.
>
> For added simultaneous humor and depression, the vendor also calls him
> a "script kiddie".

I don't know him directly but: Luigi (http://aluigi.altervista.org/) is a talented researcher; he focuses on games, probably to downplay the drama of the security industry. This is just my guess, but probably instead of finding real vulnerabilities in real (and somehow boring) applications he prefers to find real vulnerabilities in multiplayer online games.

This sounds like the classic "vendor is a brick wall" situation that has happened at least once to every security researcher.
Surely responsible disclosure makes you 100% unattackable from all points of view (moral, etc.), but I don't see a big problem with putting some "fun" also in public advisories, as long as the vulnerability is real, the details correct and the advisory written in acceptable mixed case or lowercase : )

For the coordination denied part an extreme case is Kornbrust vs Oracle. Are you willing to wait 2 years before releasing a finding? Do you feel like you are not on their payroll and they don't deserve such treatment? This is up to you.

Anyway funny and yes: Luigi is a legit researcher that doesn't release fake vulns and follows responsible disclosure when applicable. Damn, he has binary patched many of the vulns he found in unmaintained software (http://aluigi.altervista.org/patches.htm). Who does that?!

Bye,
Francesco `ascii` Ongaro
http://www.ush.it/

From jericho at attrition.org Tue Sep 11 07:15:57 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 11 Sep 2007 07:15:57 +0000 (UTC)
Subject: [VIM] OSVDB 33460 / CVE-2007-0190 - edit-x
Message-ID:

The original VIM post said this was false, but apparently only works when allow_url_fopen is enabled.

---------- Forwarded message ----------
From: < @edit-x.com>
To: 'security curmudgeon'
Date: Tue, 11 Sep 2007 01:51:07 -0400
Subject: RE: [OSVDB Mods] [WEB PAGE] - Removal

You would have to have allow_url_fopen enabled in order for that vulnerability to exist, which is disabled by default.

http://www.webmasterworld.com/php/3181065.htm
http://www.claroline.net/wiki/index.php/Security

It just isn't completely accurate that it is a vulnerability considering it depends on how you configure your server. At any rate those variables have been removed and those files do not look that way any longer so the page is completely inaccurate.

R. Stacy Cook
Edit-X :: Control Your Content
www.edit-x.com

-----Original Message-----
From: security curmudgeon [mailto:jericho at attrition.org]
Sent: Tuesday, September 11, 2007 1:41 AM
To: R. Stacy Cook @ Edit-X
Cc: OSVDB Mods
Subject: RE: [OSVDB Mods] [WEB PAGE] - Removal

: I would like it removed because this is no longer accurate. It would
: also lead someone to believe it exists when a certain server
: configuration would have to be set in order for this to work. I am
: asking all sources to remove it.

What server configuration would make it vulnerable exactly? register_globals or another PHP option?

Brian
OSVDB.org

From str0ke at milw0rm.com Tue Sep 11 13:56:57 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 11 Sep 2007 08:56:57 -0500
Subject: [VIM] MIL 4383
Message-ID: <814b9d50709110656j4a6d9a71i83b74de714cdc67a@mail.gmail.com>

The developer of Joomla Component Restaurante has stated the product was fixed 2 days ago. Link to the updated software below.

http://detodo.masde50.net/index.php?option=com_remository&Itemid=27&func=fileinfo&id=99

/str0ke

From coley at mitre.org Tue Sep 11 16:38:20 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 11 Sep 2007 12:38:20 -0400 (EDT)
Subject: [VIM] true: fuzzylime (cms) path traversal
Message-ID: <200709111638.l8BGcKQg000486@faron.mitre.org>

Ref: http://www.milw0rm.com/exploits/4378
Researcher: [wHITe_ShEEp] of notsec

The source code download has:

  $p = $_POST[p];
  ...
  include "../gallery/$p.inc.php";

- Steve

From gmdarkfig at gmail.com Tue Sep 11 21:25:27 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Tue, 11 Sep 2007 23:25:27 +0200
Subject: [VIM] Milw0rm 4392 - CVE-2007-3997 [Dupe]
Message-ID:

Hi all,
This bug was reported by Dave Wilson in 2002.
**2002
[PHP Bugs] http://bugs.php.net/bug.php?id=15408
[Exploit] http://www.securiteam.com/exploits/5LP03156AC.html

**2003
[PHP Bugs] http://bugs.php.net/bug.php?id=23779

**2007 [Dupe]
[Milw0rm] http://www.milw0rm.com/exploits/4392
[CVE] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3997

The PHP team patched this vulnerability in PHP 5.2.4 (5 years after the submission).
They credited Mattias Bengtsson (I think that he is also ) who posted (in 2003 and 2007) another text about this.

So, the credit goes to Dave Wilson.
mattias at secweb.se, po at secweb.se and php at jkt.wz.cz don't have to be credited for that.

Next time, before writing a paper about a new vulnerability, they should search whether the vulnerability has already been discovered.

From str0ke at milw0rm.com Tue Sep 11 21:46:33 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 11 Sep 2007 16:46:33 -0500
Subject: [VIM] Milw0rm 4392 - CVE-2007-3997 [Dupe]
In-Reply-To:
References:
Message-ID: <814b9d50709111446v6452e8dbib516922ab1135069@mail.gmail.com>

Original link http://secweb.se/en/advisories/php-mysql-safe-mode-bypass-vulnerability/

Will check this out in a few and remove if it's a dupe.

/str0ke

On 9/11/07, GM darkfig wrote:
> Hi all,
> This bug was reported by Dave Wilson in 2002.
>
> **2002
> [PHP Bugs] http://bugs.php.net/bug.php?id=15408
> [Exploit] http://www.securiteam.com/exploits/5LP03156AC.html
>
> **2003
> [PHP Bugs] http://bugs.php.net/bug.php?id=23779
>
> **2007 [Dupe]
> [Milw0rm] http://www.milw0rm.com/exploits/4392
> [CVE] http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-3997
>
> The PHP team patched this vulnerability in PHP 5.2.4 (5 years after
> the submission).
> They credited Mattias Bengtsson (I think that he is also dot wz dot cz>) who posted (in 2003 and 2007) another text about
> this.
>
> So, the credit goes to Dave Wilson.
> mattias at secweb.se, po at secweb.se and php at jkt.wz.cz don't have to be
> credited for that.
>
> Next time, before writing a paper about a new vulnerability, they
> should search whether the vulnerability has already been discovered.
>

From coley at mitre.org Fri Sep 14 00:27:26 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 13 Sep 2007 20:27:26 -0400 (EDT)
Subject: [VIM] a disclosure timeline from a vendor!
Message-ID: <200709140027.l8E0RQMr004922@faron.mitre.org>

I vaguely remember posting once or twice before about a vendor posting a timeline, but it's still so rare that I remain surprised!

http://www.samba.org/samba/security/CVE-2007-4138.html

- Steve

From coley at linus.mitre.org Fri Sep 14 17:49:55 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 14 Sep 2007 13:49:55 -0400 (EDT)
Subject: [VIM] MIL 4383
In-Reply-To: <814b9d50709110656j4a6d9a71i83b74de714cdc67a@mail.gmail.com>
References: <814b9d50709110656j4a6d9a71i83b74de714cdc67a@mail.gmail.com>
Message-ID:

On Tue, 11 Sep 2007, str0ke wrote:
> The developer of Joomla Component Restaurante has stated the product
> was fixed 2 days ago.

Sorry, just to be clear - the developer told you it's fixed? The URL for the updated software doesn't say anything.

I need to know whether to mark it as "vendor told reliable dude that a fix is ready" versus "who knows whether there's really a fix or not 'cause the vendor ain't speakin' clearly" ;-)

- Steve

From str0ke at milw0rm.com Sat Sep 15 00:10:57 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 14 Sep 2007 19:10:57 -0500
Subject: [VIM] MIL 4383
In-Reply-To:
References: <814b9d50709110656j4a6d9a71i83b74de714cdc67a@mail.gmail.com>
Message-ID: <814b9d50709141710y5ef1329cvde11fe7e2be72c15@mail.gmail.com>

Emails received from the vendor.

#############
Hi
My name is Patricia. I made this little software. I corrected this vulnerability, please delete this information. Is it possible? My first language is Spanish, sorry.
Regards
Patricia
################3

Hi strOke
thanks for your letter
this is the link with the little software demo type (without vulnerability)
http://www.puertovaras.sibarita.cl

And the link with download (without vulnerability)
http://detodo.masde50.net/index.php?option=com_remository&Itemid=27&func=fileinfo&id=99

On 9/14/07, Steven M. Christey wrote:
>
> On Tue, 11 Sep 2007, str0ke wrote:
>
> > The developer of Joomla Component Restaurante has stated the product
> > was fixed 2 days ago.
>
> Sorry, just to be clear - the developer told you it's fixed? The URL for
> the updated software doesn't say anything.
>
> I need to know whether to mark it as "vendor told reliable dude that a fix
> is ready" versus "who knows whether there's really a fix or not 'cause the
> vendor ain't speakin' clearly" ;-)
>
> - Steve
>

From theall at tenablesecurity.com Tue Sep 18 17:18:49 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 18 Sep 2007 13:18:49 -0400
Subject: [VIM] Milw0rm 4423
Message-ID: <46F00879.8070109@tenablesecurity.com>

So, what product does Milw0rm 4423 cover? What's the vulnerability?

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Tue Sep 18 18:27:29 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 18 Sep 2007 13:27:29 -0500
Subject: [VIM] Milw0rm 4423
In-Reply-To: <46F00879.8070109@tenablesecurity.com>
References: <46F00879.8070109@tenablesecurity.com>
Message-ID: <46F01891.1040709@milw0rm.com>

Looks to be some Chinese script. Not sure of version information. Basic RFI vuln with probably a .htaccess file stating .html == .php

/str0ke

George A. Theall wrote:
> So, what product does Milw0rm 4423 cover? What's the vulnerability?
>
> George

From coley at mitre.org Tue Sep 18 18:45:27 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 18 Sep 2007 14:45:27 -0400 (EDT)
Subject: [VIM] true: Focus/SIS RFI's (both vectors)
Message-ID: <200709181845.l8IIjRtK008046@faron.mitre.org>

Researcher: ThE TiGeR
Ref: MILW0RM:4377

ThE TiGeR's disclosure was for the FocusPath parameter in CategoryBreakdownTime.php (aka CVE-2007-4806); Secunia/FrSIRT added another executable, StudentFieldBreakdown.php, also with FocusPath.

Source inspection shows that the first executable line of each of these files is:

  include($FocusPath."/assets/SWF/charts.php");

- Steve

From coley at mitre.org Tue Sep 18 19:12:33 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 18 Sep 2007 15:12:33 -0400 (EDT)
Subject: [VIM] arfis: automated grep-and-gripe
Message-ID: <200709181912.l8IJCXJb008651@faron.mitre.org>

Hey Jericho,

Turns out that all our lost sleep was not in vain.

  the "arfis project", a simple perl script. It automatically
  downloads and extract PHP projects from sourceforge.net and checks
  for Remote File Inclusion vulnerabilities. It then post's the
  potential (now it's -potential-, cause the script is in an early
  stadium) vuln to this blog.

http://arfis.wordpress.com/

CVE has picked up some of these and disputed a chunk of 'em, but some appear legit. At this instant, I'm of the mindset of de-prioritizing them as unreliable, but neither do I like the upward trend of increasing numbers of disputes.

- Steve

From str0ke at milw0rm.com Tue Sep 18 19:27:41 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 18 Sep 2007 14:27:41 -0500
Subject: [VIM] arfis: automated grep-and-gripe
In-Reply-To: <200709181912.l8IJCXJb008651@faron.mitre.org>
References: <200709181912.l8IJCXJb008651@faron.mitre.org>
Message-ID: <46F026AD.7020602@milw0rm.com>

Steven,

I received a bunch of these as well. Out of 8 or so that were submitted, 2 were actual vulnerabilities. 1 of those 2 was already CVE'ed in 2005.

/str0ke

Steven M. Christey wrote:
> Hey Jericho,
>
> Turns out that all our lost sleep was not in vain.
>
> the "arfis project", a simple perl script. It automatically
> downloads and extract PHP projects from sourceforge.net and checks
> for Remote File Inclusion vulnerabilities. It then post's the
> potential (now it's -potential-, cause the script is in an early
> stadium) vuln to this blog.
>
> http://arfis.wordpress.com/
>
> CVE has picked up some of these and disputed a chunk of 'em, but some
> appear legit. At this instant, I'm of the mindset of de-prioritizing
> them as unreliable, but neither do I like the upward trend of
> increasing numbers of disputes.
>
> - Steve
>

From sullo at cirt.net Tue Sep 18 19:45:37 2007
From: sullo at cirt.net (Sullo)
Date: Tue, 18 Sep 2007 15:45:37 -0400
Subject: [VIM] arfis: automated grep-and-gripe
In-Reply-To: <200709181912.l8IJCXJb008651@faron.mitre.org>
References: <200709181912.l8IJCXJb008651@faron.mitre.org>
Message-ID: <46F02AE1.5020402@cirt.net>

Interesting. I proposed doing this as a Google Summer of Code project but CIRT didn't get chosen for participation. Of course, my hope was to go a bit beyond 'grep and gripe' and have eyes-on results before anyone would be notified (and then it would automatically notify the SourceForget project admin & track days since notification, etc.)...

Steven M. Christey wrote:
> Hey Jericho,
>
> Turns out that all our lost sleep was not in vain.
>
> the "arfis project", a simple perl script. It automatically
> downloads and extract PHP projects from sourceforge.net and checks
> for Remote File Inclusion vulnerabilities. It then post's the
> potential (now it's -potential-, cause the script is in an early
> stadium) vuln to this blog.
>
> http://arfis.wordpress.com/
>
> CVE has picked up some of these and disputed a chunk of 'em, but some
> appear legit. At this instant, I'm of the mindset of de-prioritizing
> them as unreliable, but neither do I like the upward trend of
> increasing numbers of disputes.
>
> - Steve
>

From jericho at attrition.org Wed Sep 19 14:18:45 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 19 Sep 2007 14:18:45 +0000 (UTC)
Subject: [VIM] arfis: automated grep-and-gripe
In-Reply-To: <200709181912.l8IJCXJb008651@faron.mitre.org>
References: <200709181912.l8IJCXJb008651@faron.mitre.org>
Message-ID:

: Turns out that all our lost sleep was not in vain.
:
: the "arfis project", a simple perl script. It automatically
: downloads and extract PHP projects from sourceforge.net and checks
: for Remote File Inclusion vulnerabilities. It then post's the
: potential (now it's -potential-, cause the script is in an early
: stadium) vuln to this blog.
:
: http://arfis.wordpress.com/

We should have patented the idea last year! =)

: CVE has picked up some of these and disputed a chunk of 'em, but some
: appear legit. At this instant, I'm of the mindset of de-prioritizing
: them as unreliable, but neither do I like the upward trend of increasing
: numbers of disputes.

The number of disputes isn't just an 'upward trend', it is really straining the resources of VDBs more and more.

.b

From coley at mitre.org Wed Sep 19 17:28:39 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 19 Sep 2007 13:28:39 -0400 (EDT)
Subject: [VIM] wtf: StylesDemo mod XSS
Message-ID: <200709191728.l8JHSd33003094@faron.mitre.org>

("wtf" means, of course, "Well, THAT'S flaky!")

Researcher: inj3ct-it
Ref: http://www.milw0rm.com/exploits/4425

The title says "multiple vulns" and the description mentions XSS but there's no exploit code or demo URL that actually does XSS.

To me, this amounts to unactionable rumors from a researcher of unknown reliability (or just a cut-and-paste error), so I'm tempted to ignore it. Unless someone else found something?

- Steve

From theall at tenablesecurity.com Wed Sep 19 20:25:32 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 19 Sep 2007 16:25:32 -0400
Subject: [VIM] wtf: StylesDemo mod XSS
In-Reply-To: <200709191728.l8JHSd33003094@faron.mitre.org>
References: <200709191728.l8JHSd33003094@faron.mitre.org>
Message-ID: <46F185BC.4020902@tenablesecurity.com>

On 09/19/07 13:28, Steven M. Christey wrote:
> The title says "multiple vulns" and the description mentions XSS but
> there's no exploit code or demo URL that actually does XSS.
>
> To me, this amounts to unactionable rumors from a researcher of
> unknown reliability (or just a cut-and-paste error), so I'm tempted to
> ignore it. Unless someone else found something?

The XSS attack works because the value for 's' is returned as part of the SQL error message. Works for me on a quick and dirty install of version 1.0.9.

George
--
theall at tenablesecurity.com

From mattmurphy at kc.rr.com Wed Sep 19 22:42:24 2007
From: mattmurphy at kc.rr.com (Matthew Murphy)
Date: Wed, 19 Sep 2007 15:42:24 -0700
Subject: [VIM] AOL Security Contact
Message-ID: <9F3CF5C0-3FBB-4C92-8BCB-2C36176DA578@kc.rr.com>

List Readers:

I have a contact who would like to report a security issue to AOL. Being familiar with the response history for AOL's lovely automated feedback form, I am hesitant to recommend he take that route. CVE-2004-0636 was handled in this way, and it was a disaster; from what others have told me, things have not improved measurably since August of 2004.

Does anyone have a contact at AOL that a human being will read, and I can provide some assurance of this? OSVDB lists secvuln at aol.net, but aol.net doesn't resolve for me.

- Matt

From justinseitz at rogers.blackberry.net Wed Sep 19 22:43:53 2007
From: justinseitz at rogers.blackberry.net (Justin Seitz)
Date: Wed, 19 Sep 2007 22:43:53 +0000 GMT
Subject: [VIM] AOL Security Contact
In-Reply-To: <9F3CF5C0-3FBB-4C92-8BCB-2C36176DA578@kc.rr.com>
References: <9F3CF5C0-3FBB-4C92-8BCB-2C36176DA578@kc.rr.com>
Message-ID: <2111026472-1190241880-cardhu_blackberry.rim.net-21922-@engine177>

They were very good with me, when I dealt with them.

-----Original Message-----
From: Matthew Murphy
Date: Wed, 19 Sep 2007 15:42:24
To: Vulnerability Information Managers
Subject: [VIM] AOL Security Contact

List Readers:

I have a contact who would like to report a security issue to AOL. Being familiar with the response history for AOL's lovely automated feedback form, I am hesitant to recommend he take that route. CVE-2004-0636 was handled in this way, and it was a disaster; from what others have told me, things have not improved measurably since August of 2004.

Does anyone have a contact at AOL that a human being will read, and I can provide some assurance of this? OSVDB lists secvuln at aol.net, but aol.net doesn't resolve for me.

- Matt

From aviram at beyondsecurity.com Fri Sep 21 00:38:30 2007
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Fri, 21 Sep 2007 02:38:30 +0200
Subject: [VIM] AOL Security Contact
In-Reply-To: <9F3CF5C0-3FBB-4C92-8BCB-2C36176DA578@kc.rr.com>
References: <9F3CF5C0-3FBB-4C92-8BCB-2C36176DA578@kc.rr.com>
Message-ID: <200709210238.31009.aviram@beyondsecurity.com>

Here's an answer from a guy from AOL's security team:

  secvuln at aol.net is the correct address for reporting AOL product, client, host or application security vulnerability and related security issues. I have no answer to why the requestor is unable to resolve aol.net, but it does exist and is read by human beings (This is my team).
- Aviram

On Thursday 20 September 2007 Matthew Murphy wrote:
> List Readers:
>
> I have a contact who would like to report a security issue to AOL.
> Being familiar with the response history for AOL's lovely automated
> feedback form, I am hesitant to recommend he take that route.
> CVE-2004-0636 was handled in this way, and it was a disaster; from
> what others have told me, things have not improved measurably since
> August of 2004.
>
> Does anyone have a contact at AOL that a human being will read, and I
> can provide some assurance of this? OSVDB lists secvuln at aol.net, but
> aol.net doesn't resolve for me.
>
> - Matt

From jericho at attrition.org Sat Sep 22 00:03:00 2007
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 22 Sep 2007 00:03:00 +0000 (UTC)
Subject: [VIM] milw0rm problems?
Message-ID:

Getting a ton of 404 messages the last two days, as if everything is gone.

From str0ke at milw0rm.com Sat Sep 22 14:00:45 2007
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 22 Sep 2007 09:00:45 -0500
Subject: [VIM] milw0rm problems?
In-Reply-To:
References:
Message-ID: <46F5200D.40500@milw0rm.com>

I changed DNS around 5 days ago and removed the site from the old server. What does your DNS information for milw0rm show?

/str0ke

security curmudgeon wrote:
>
> Getting a ton of 404 messages the last two days, as if everything is
> gone.
>

From coley at mitre.org Mon Sep 24 16:54:44 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 24 Sep 2007 12:54:44 -0400 (EDT)
Subject: [VIM] CMS Made Simple eval injection is really an ADOdb Lite problem
Message-ID: <200709241654.l8OGsiLX017398@faron.mitre.org>

Ref: MILW0RM:4442
Researcher: irk4z at yahoo.pl

lib/adodb_lite/adodb-perf-module.inc.php in CMS Made Simple is an exact copy of adodb-perf-module.inc.php as distributed in ADOdb Lite 1.42 from here:

http://sourceforge.net/project/showfiles.php?group_id=140982

The first executable line contains:

  eval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');

Note that adodb-perf.inc.php in the "regular" ADOdb doesn't have an eval at all, so this appears to be specific to ADOdb Lite.

- Steve

From theall at tenablesecurity.com Mon Sep 24 16:59:36 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 24 Sep 2007 12:59:36 -0400
Subject: [VIM] CMS Made Simple eval injection is really an ADOdb Lite problem
In-Reply-To: <200709241654.l8OGsiLX017398@faron.mitre.org>
References: <200709241654.l8OGsiLX017398@faron.mitre.org>
Message-ID: <46F7ECF8.6050208@tenablesecurity.com>

On 09/24/07 12:54, Steven M. Christey wrote:
> lib/adodb_lite/adodb-perf-module.inc.php in CMS Made Simple is an
> exact copy of adodb-perf-module.inc.php as distributed in ADOdb Lite
> 1.42 from here:
...
> Note that adodb-perf.inc.php in the "regular" ADOdb doesn't have an
> eval at all, so this appears to be specific to ADOdb Lite.

Right. ADOdb Lite is a lightweight version of ADOdb. Besides CMS Made Simple, it's also used in paFileDB 3.6 (but not 3.53), under "/includes/adodb".

George
--
theall at tenablesecurity.com

From coley at mitre.org Tue Sep 25 00:31:58 2007
From: coley at mitre.org (Steven M. Christey)
Date: Mon, 24 Sep 2007 20:31:58 -0400 (EDT)
Subject: [VIM] broken Ubuntu advisory links
Message-ID: <200709250031.l8P0Vwuj028660@faron.mitre.org>

Well, Ubuntu's jumped on the bandwagon of vendors who don't like to keep security advisories in one place or at least use good redirection (I know I'm a hypocrite for complaining since our web site redesign accidentally broke stuff for a day or two, but we recovered quickly :))

Links like this are now broken:

http://www.ubuntulinux.org/support/documentation/usn/usn-327-1

instead use these:

http://www.ubuntu.com/usn/usn-464-1

I don't know when this happened, probably a few months ago, but CVE now has 350+ more broken links. Yay!

I've got an inquiry into the webmaster.

- Steve

From coley at mitre.org Wed Sep 26 18:40:36 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 26 Sep 2007 14:40:36 -0400 (EDT)
Subject: [VIM] true: sk.log 0.5.3 RFI
Message-ID: <200709261840.l8QIea3e003772@faron.mitre.org>

Ref: BUGTRAQ "sk.log v0.5.3 Remote File Inclusion"
http://www.securityfocus.com/archive/1/archive/1/480484/100/0/threaded
Researcher: Seph1roth

first line of log.inc.php is as quoted, i.e.:

  include_once( "$SKIN_URL/php/logdisplay.inc.php" );

A QUICK glance at the code suggests that there MIGHT be vectors that are independent of register_globals (as the variable name suggests, which is why I investigated this in the first place). For example, in functions.inc.php, $SKIN_URL might be populated from per-user records in a database, although how that field is inserted into the database isn't immediately clear.

- Steve

From coley at linus.mitre.org Wed Sep 26 18:42:00 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 26 Sep 2007 14:42:00 -0400 (EDT)
Subject: [VIM] broken Ubuntu advisory links
In-Reply-To: <200709250031.l8P0Vwuj028660@faron.mitre.org>
References: <200709250031.l8P0Vwuj028660@faron.mitre.org>
Message-ID:

Heard back from Ubuntu, and they've fixed the broken links.

- Steve

From str0ke at milw0rm.com Wed Sep 26 18:50:22 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 26 Sep 2007 13:50:22 -0500
Subject: [VIM] true: sk.log 0.5.3 RFI
In-Reply-To: <200709261840.l8QIea3e003772@faron.mitre.org>
References: <200709261840.l8QIea3e003772@faron.mitre.org>
Message-ID: <46FAA9EE.3010503@milw0rm.com>

He pretty much stole the last 2 vulns from w0cker

http://www.milw0rm.com/exploits/4454

Steven M. Christey wrote:
> Ref: BUGTRAQ "sk.log v0.5.3 Remote File Inclusion"
> http://www.securityfocus.com/archive/1/archive/1/480484/100/0/threaded
> Researcher: Seph1roth
>
>
> first line of log.inc.php is as quoted, i.e.:
>
> include_once( "$SKIN_URL/php/logdisplay.inc.php" );
>
>
> A QUICK glance at the code suggests that there MIGHT be vectors that
> are independent of register_globals (as the variable name suggests,
> which is why I investigated this in the first place). For example, in
> functions.inc.php, $SKIN_URL might be populated from per-user records
> in a database, although how that field is inserted into the database
> isn't immediately clear.
>
> - Steve
>

From gmdarkfig at gmail.com Fri Sep 28 07:14:44 2007
From: gmdarkfig at gmail.com (GM darkfig)
Date: Fri, 28 Sep 2007 09:14:44 +0200
Subject: [VIM] CVE-2007-5125 - dupe
Message-ID:

http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-5125

Same as mine:
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1171

[me]
# +nsbypass.php
# 16. $tid = intval($tid);
# 17. if(isset($_COOKIE['admin']) && !empty($_COOKIE['admin'])) {
# 18.   $abadmin = base64_decode($_COOKIE['admin']);
# 19.   $abadmin = explode(":", $abadmin);
# 20.   $a_aid = "$abadmin[0]";
# 21.   $a_pas = "$abadmin[1]";
# 22. }
#....
# +nsbypass.php
# 24. $num = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors WHERE `aid`='$a_aid' AND `pwd`='$a_pas'"));
# 25. $tum = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_nsnst_tracked_ips WHERE `tid`='$tid'"));
#

[him]
----------->[source code]<------------
if(isset($_COOKIE['admin']) && !empty($_COOKIE['admin'])) {
$abadmin = base64_decode($_COOKIE['admin']);
$abadmin = explode(":", $abadmin);
$a_aid = "$abadmin[0]";
$a_pas = "$abadmin[1]";
}
$num = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors WHERE `aid`='$a_aid' AND `pwd`='$a_pas'"));
------------>[/source code]<-----------
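As an added example (not code from this list, from arfis, or from any of the projects discussed), a small Python triage script in the spirit of the "grep-and-gripe" approach, run over constructed samples modelled on the snippets quoted in the fuzzylime, sk.log, ADOdb Lite, nsbypass.php and Olate messages. It separates includes fed by request data from ones that only exist under register_globals, follows the cookie-to-SQL chain, and flags the last-extension upload check; the finding kinds and sample names are my own.

```python
"""Regex triage for the PHP sink patterns quoted in this thread.
Every hit is a candidate in the "grep-and-gripe" sense: confirm by hand, and remember that
remote inclusion also depends on php.ini (allow_url_fopen / allow_url_include), traversal does not."""
import re

VAR = re.compile(r"\$[A-Za-z_]\w*")
SUPERGLOBALS = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST", "$_FILES", "$_SERVER")
ASSIGN = re.compile(r"(\$[A-Za-z_]\w*)\s*=(?![=>])\s*(.+?);", re.S)
INCLUDE = re.compile(r"\b(include_once|require_once|include|require)\b\s*(.*?);", re.S)
EVAL = re.compile(r"\beval\s*\((.*?)\)\s*;", re.S)
SQL_KW = re.compile(r"\b(SELECT|INSERT|UPDATE|DELETE)\b", re.I)
EXT_CHECK = re.compile(r"strrchr\s*\(\s*\$_FILES\[[^\]]*\]\s*\[\s*['\"]name['\"]\s*\]\s*,\s*'\.'\s*\)")

def tainted_vars(src):
    """Map $var -> origin for variables that (transitively) carry request data.
    Forward propagation over plain assignments only; parameters, globals and DB values are not modelled."""
    taint = {}
    changed = True
    while changed:  # iterate to a fixed point so out-of-order chains are caught
        changed = False
        for var, rhs in ASSIGN.findall(src):
            if var in taint:
                continue
            if any(sg in rhs for sg in SUPERGLOBALS):
                taint[var] = "request data"
            elif any(re.search(re.escape(t) + r"\b", rhs) for t in taint):
                taint[var] = "derived from tainted variable"
            else:
                continue
            changed = True
    return taint

def origin(var, taint):
    """Why a variable is attacker-influenced, or None when no evidence was found."""
    return "request data" if var in SUPERGLOBALS else taint.get(var)

def scan(src):
    """Return [(kind, evidence), ...] for one PHP source text."""
    taint = tainted_vars(src)
    assigned = {var for var, _ in ASSIGN.findall(src)}
    hits = []
    for kw, arg in INCLUDE.findall(src):
        for var in dict.fromkeys(VAR.findall(arg)):  # dedupe, keep order
            why = origin(var, taint)
            if why:
                hits.append(("file-inclusion", f"{kw}: {var} carries {why}"))
            elif var in assigned:
                hits.append(("file-inclusion?", f"{kw}: {var} is set locally; trace its source"))
            else:  # never initialised here: reachable only with register_globals=On
                hits.append(("file-inclusion (register_globals)", f"{kw}: {var} never initialised in this file"))
    for arg in EVAL.findall(src):
        for var in dict.fromkeys(VAR.findall(arg)):
            hits.append(("eval-injection", f"eval() builds code from {var}"))
    for stmt in src.split(";"):  # crude statement split, good enough for triage
        m = SQL_KW.search(stmt)
        if m:
            for var in dict.fromkeys(VAR.findall(stmt[m.start():])):
                why = origin(var, taint)
                if why:
                    hits.append(("sql-injection", f"{var} ({why}) interpolated into {m.group(1).upper()}"))
    if EXT_CHECK.search(src):
        hits.append(("weak-upload-check", "strrchr() keeps only the last extension, so abc.php.gif passes"))
    return hits

# Constructed samples modelled on the snippets quoted in the thread (not the real files).
SAMPLES = {
    "fuzzylime": '<?php\n$p = $_POST[p];\ninclude "../gallery/$p.inc.php";\n',
    "sklog": '<?php\ninclude_once( "$SKIN_URL/php/logdisplay.inc.php" );\n',
    "adodb_lite": "<?php\neval('class perfmon_parent_EXTENDER extends ' . $last_module . '_ADOConnection { }');\n",
    "nsbypass": """<?php
$abadmin = base64_decode($_COOKIE['admin']);
$abadmin = explode(":", $abadmin);
$a_aid = "$abadmin[0]";
$a_pas = "$abadmin[1]";
$num = $db->sql_numrows($db->sql_query("SELECT * FROM ".$prefix."_authors WHERE `aid`='$a_aid' AND `pwd`='$a_pas'"));
""",
    "olate": "<?php\nif (isset($_FILES['uploadfile'])) {\n    $ext = strrchr($_FILES['uploadfile']['name'], '.');\n}\n",
}

def triage(samples):
    """Scan every named sample; returns {name: [(kind, evidence), ...]}."""
    return {name: scan(src) for name, src in samples.items()}

if __name__ == "__main__":
    for name, hits in triage(SAMPLES).items():
        print(name, *[f"\n   [{kind}] {why}" for kind, why in hits])
```

Point it at a real checkout and treat each hit the way this thread treats a milw0rm post: as something to confirm in the source, with the php.ini of the target in mind, before it becomes an entry.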