From theall at tenablesecurity.com  Tue Jun  3 14:03:42 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 3 Jun 2008 10:03:42 -0400
Subject: [VIM] Softpedia SiteXS CMS 0.1.1 Arbitrary File Upload Vulnerability
Message-ID:

Milw0rm 5726 / Bugtraq 29497 looks like a dup of an issue reported last
month here:

http://archives.neohapsis.com/archives/bugtraq/2008-05/0031.html

which corresponds to Bugtraq 29029. Or am I missing something?


George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com  Tue Jun  3 14:17:57 2008
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 03 Jun 2008 09:17:57 -0500
Subject: [VIM] Softpedia SiteXS CMS 0.1.1 Arbitrary File Upload Vulnerability
In-Reply-To:
References:
Message-ID: <48455295.4010903@milw0rm.com>

Yep, it's a dup; removing it from milw0rm's frontend.

Thanks man,
/str0ke

George A. Theall wrote:
> Milw0rm 5726 / Bugtraq 29497 looks like a dup of an issue reported
> last month here:
>
> http://archives.neohapsis.com/archives/bugtraq/2008-05/0031.html
>
> which corresponds to Bugtraq 29029. Or am I missing something?
>
>
> George


From coley at linus.mitre.org  Wed Jun  4 21:50:08 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 4 Jun 2008 17:50:08 -0400 (EDT)
Subject: [VIM] rgod
Message-ID:

Does anybody know the truth of rgod's... uhhh... status? If he really
died, that would be too bad. I consider him one of the best application
researchers out there. Last I saw (a month or two ago), there was some
debate about whether someone hacked his site. However, shinnai had a post
"In memory of rgod" on his web site, and I figure shinnai would know more
than the average full-disclosure mail header hacker.

- Steve


From str0ke at milw0rm.com  Wed Jun  4 22:00:59 2008
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 04 Jun 2008 17:00:59 -0500
Subject: [VIM] rgod
In-Reply-To:
References:
Message-ID: <4847109B.30408@milw0rm.com>

Steven,

shinnai only knows pretty much that he hasn't contacted me nor him in a
long time. His website stated he passed away, then another person stated
he was alive and a new website was released on fd. I contacted the author
on fd and asked him a private question regarding the email address he
submitted his work into milw0rm from; he stated some email address that
wasn't correct. Since it was rgod's personal email addy, it would have
been an obvious answer for him. I have sent emails to rgod's private
email addresses as well and haven't heard back from him. A lot of people
that are around the same area as him stated he has passed as well.

May he rest in peace,
/str0ke

Steven M. Christey wrote:
> Does anybody know the truth of rgod's... uhhh... status? If he really
> died, that would be too bad. I consider him one of the best application
> researchers out there. Last I saw (a month or two ago), there was some
> debate about whether someone hacked his site. However, shinnai had a post
> "In memory of rgod" on his web site, and I figure shinnai would know more
> than the average full-disclosure mail header hacker.
>
> - Steve
>
>


From theall at tenablesecurity.com  Thu Jun  5 00:50:28 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 4 Jun 2008 20:50:28 -0400
Subject: [VIM] Comment about Milw0rm 5724
Message-ID:

In case anyone's interested, I have verified the issue in milw0rm 5724.
The catch, though, is that the affected application is not a Drupal
module as listed in DreamTurk's advisory but an older incarnation of
Lifetype known as pLog. I tested against version 1.0.1, which you can
find in the project archives here:

http://sourceforge.net/project/showfiles.php?group_id=83964&package_id=86556

P.S. I noticed that SecurityFocus seems to have completely removed
Bugtraq ID 29495, which had been created for this issue. Does anyone
know if this is because of confusion about the "vendor"?


George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com  Thu Jun  5 03:19:33 2008
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 04 Jun 2008 22:19:33 -0500
Subject: [VIM] Comment about Milw0rm 5724
In-Reply-To:
References:
Message-ID: <48475B45.9060509@milw0rm.com>

George A. Theall wrote:
> In case anyone's interested, I have verified the issue in milw0rm
> 5724. The catch, though, is that the affected application is not a
> Drupal module as listed in DreamTurk's advisory but an older
> incarnation of Lifetype known as pLog. I tested against version 1.0.1,
> which you can find in the project archives here:
>

I placed in the title the correct information but didn't check the
download url :( I'll place the correct package url now.

Thanks again as always George,
/str0ke


From coley at mitre.org  Wed Jun 18 22:33:23 2008
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 18 Jun 2008 18:33:23 -0400 (EDT)
Subject: [VIM] coffee maker hacks - yes or no?
Message-ID: <200806182233.m5IMXNGP011750@faron.mitre.org>

Regarding the Jura F90 Coffee maker hack:

http://www.securityfocus.com/archive/1/493387

I'm tempted to include this in CVE, since physical damage can occur. (We
used a similar rationale for an air-conditioning control system,
CVE-2008-1546).

If no - then where's the line between coffee makers, air conditioners,
and SCADA products?

- Steve


From jericho at attrition.org  Wed Jun 18 22:49:31 2008
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 18 Jun 2008 22:49:31 +0000 (UTC)
Subject: [VIM] coffee maker hacks - yes or no?
In-Reply-To: <200806182233.m5IMXNGP011750@faron.mitre.org>
References: <200806182233.m5IMXNGP011750@faron.mitre.org>
Message-ID:

: Regarding the Jura F90 Coffee maker hack:
:
: http://www.securityfocus.com/archive/1/493387
:
: I'm tempted to include this in CVE, since physical damage can occur. (We
: used a similar rationale for an air-conditioning control system,
: CVE-2008-1546).
:
: If no - then where's the line between coffee makers, air conditioners,
: and SCADA products?

This is definitely worth inclusion in OSVDB in my eyes. If we can't draw
the line today, we will be able to in a year or years from now. At some
point, the blur between computing device and household appliance will be
too hard to distinguish. Rather than waste too much time arguing that
line, why not put in a few now that are a bit primitive, but will surely
show historic value if nothing else.


From holisticinfosec at gmail.com  Wed Jun 18 22:59:19 2008
From: holisticinfosec at gmail.com (Russ McRee)
Date: Wed, 18 Jun 2008 15:59:19 -0700
Subject: [VIM] coffee maker hacks - yes or no?
In-Reply-To:
References: <200806182233.m5IMXNGP011750@faron.mitre.org>
Message-ID:

I agree entirely.

On Wed, Jun 18, 2008 at 3:49 PM, security curmudgeon wrote:

>
> : Regarding the Jura F90 Coffee maker hack:
> :
> : http://www.securityfocus.com/archive/1/493387
> :
> : I'm tempted to include this in CVE, since physical damage can occur. (We
> : used a similar rationale for an air-conditioning control system,
> : CVE-2008-1546).
> :
> : If no - then where's the line between coffee makers, air conditioners,
> : and SCADA products?
>
> This is definitely worth inclusion in OSVDB in my eyes. If we can't draw
> the line today, we will be able to in a year or years from now. At some
> point, the blur between computing device and household appliance will be
> too hard to distinguish. Rather than waste too much time arguing that
> line, why not put in a few now that are a bit primitive, but will surely
> show historic value if nothing else.
>

--
Russ McRee, GCIH, GCFA, CISSP
425-518-6998 cell
holisticinfosec.org
blog.holisticinfosec.org


From bugtraq at cgisecurity.net  Wed Jun 18 23:20:38 2008
From: bugtraq at cgisecurity.net (bugtraq at cgisecurity.net)
Date: Wed, 18 Jun 2008 19:20:38 -0400 (EDT)
Subject: [VIM] coffee maker hacks - yes or no?
In-Reply-To:
Message-ID: <20080618232038.31039.qmail@cgisecurity.net>

Think of it this way.

1. coffee maker gets hacked
2. no coffee for development
3. no coffee means sleepy devs introducing additional vulns.

This could be a national security issue so well worth including ;p

> : Regarding the Jura F90 Coffee maker hack:
> :
> : http://www.securityfocus.com/archive/1/493387
> :
> : I'm tempted to include this in CVE, since physical damage can occur. (We
> : used a similar rationale for an air-conditioning control system,
> : CVE-2008-1546).
> :
> : If no - then where's the line between coffee makers, air conditioners,
> : and SCADA products?
>
> This is definitely worth inclusion in OSVDB in my eyes. If we can't draw
> the line today, we will be able to in a year or years from now. At some
> point, the blur between computing device and household appliance will be
> too hard to distinguish. Rather than waste too much time arguing that
> line, why not put in a few now that are a bit primitive, but will surely
> show historic value if nothing else.
>


From ge at linuxbox.org  Wed Jun 18 23:47:32 2008
From: ge at linuxbox.org (Gadi Evron)
Date: Wed, 18 Jun 2008 18:47:32 -0500 (CDT)
Subject: [VIM] coffee maker hacks - yes or no?
In-Reply-To: <200806182233.m5IMXNGP011750@faron.mitre.org>
References: <200806182233.m5IMXNGP011750@faron.mitre.org>
Message-ID:

On Wed, 18 Jun 2008, Steven M. Christey wrote:
>
> Regarding the Jura F90 Coffee maker hack:
>
> http://www.securityfocus.com/archive/1/493387
>
> I'm tempted to include this in CVE, since physical damage can occur.
> (We used a similar rationale for an air-conditioning control system,
> CVE-2008-1546).
>
> If no - then where's the line between coffee makers, air conditioners,
> and SCADA products?

In a decade they will all be embedded *nix or equivalent devices with an
IP address. It's a vulnerability which can spoil coffee. I'd say add it.

> - Steve
>


From coley at mitre.org  Fri Jun 20 00:36:41 2008
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 19 Jun 2008 20:36:41 -0400 (EDT)
Subject: [VIM] strange bedfellows
Message-ID: <200806200036.m5K0afjO022601@faron.mitre.org>

http://www.milw0rm.com/exploits/5846

You know you're in a weird business when you barely blink as you write
up a description for a vulnerability discovered by Islamic hackers,
for software that's used to run sex sites, which is later reported in
databases maintained by billion-dollar companies and the US
government.

- Steve


From lyger at attrition.org  Fri Jun 20 00:39:27 2008
From: lyger at attrition.org (lyger)
Date: Fri, 20 Jun 2008 00:39:27 +0000 (UTC)
Subject: [VIM] strange bedfellows
In-Reply-To: <200806200036.m5K0afjO022601@faron.mitre.org>
References: <200806200036.m5K0afjO022601@faron.mitre.org>
Message-ID:

http://osvdb.org/update/osvdb/1036448

:)


On Thu, 19 Jun 2008, Steven M. Christey wrote:

": "
": " http://www.milw0rm.com/exploits/5846
": "
": " You know you're in a weird business when you barely blink as you write
": " up a description for a vulnerability discovered by Islamic hackers,
": " for software that's used to run sex sites, which is later reported in
": " databases maintained by billion-dollar companies and the US
": " government.
": "
": " - Steve


From lyger at attrition.org  Fri Jun 20 00:42:46 2008
From: lyger at attrition.org (lyger)
Date: Fri, 20 Jun 2008 00:42:46 +0000 (UTC)
Subject: [VIM] strange bedfellows
In-Reply-To:
References: <200806200036.m5K0afjO022601@faron.mitre.org>
Message-ID:

DOH... I was still logged in and sent the update link, sorry...

http://osvdb.org/show/osvdb/46287


On Fri, 20 Jun 2008, lyger wrote:

": "
": " http://osvdb.org/update/osvdb/1036448
": "
": " :)
": "
": "
": " On Thu, 19 Jun 2008, Steven M. Christey wrote:
": "
": " ": "
": " ": " http://www.milw0rm.com/exploits/5846
": " ": "
": " ": " You know you're in a weird business when you barely blink as you write
": " ": " up a description for a vulnerability discovered by Islamic hackers,
": " ": " for software that's used to run sex sites, which is later reported in
": " ": " databases maintained by billion-dollar companies and the US
": " ": " government.
": " ": "
": " ": " - Steve


From theall at tenablesecurity.com  Fri Jun 20 01:38:03 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 19 Jun 2008 21:38:03 -0400
Subject: [VIM] strange bedfellows
In-Reply-To: <200806200036.m5K0afjO022601@faron.mitre.org>
References: <200806200036.m5K0afjO022601@faron.mitre.org>
Message-ID: <53463D0E-DA3A-4028-87EC-8912612A00FC@tenablesecurity.com>

On Jun 19, 2008, at 8:36 PM, Steven M. Christey wrote:

> for software that's used to run sex sites, which is later reported in
> databases maintained by billion-dollar companies and the US
> government.

Really? I wasn't aware of the last part. Can you point me to a source?


George
--
theall at tenablesecurity.com


From theall at tenablesecurity.com  Mon Jun 23 00:27:15 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Sun, 22 Jun 2008 20:27:15 -0400
Subject: [VIM] Top Auction Pro (category) Remote SQL Injection Vulnerability
Message-ID: <83C4B12A-E1CA-400A-AEE2-CE031A758C65@tenablesecurity.com>

Milw0rm 5891 seems nearly the same as milw0rm 3456 / BID 15547 / OSVDB
21105 / CVE-2005-3952. I'm not clear what's the distinction between
"Top Auction" and "Top Auction Pro", though. PHP Labs only seems to
list the first in its list of products, but the demo for that claims
to be for the second. Same product maybe? Same vulnerability?


George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com  Mon Jun 23 01:06:23 2008
From: str0ke at milw0rm.com (str0ke)
Date: Sun, 22 Jun 2008 20:06:23 -0500
Subject: [VIM] Top Auction Pro (category) Remote SQL Injection Vulnerability
In-Reply-To: <83C4B12A-E1CA-400A-AEE2-CE031A758C65@tenablesecurity.com>
References: <83C4B12A-E1CA-400A-AEE2-CE031A758C65@tenablesecurity.com>
Message-ID: <485EF70F.60703@milw0rm.com>

Yep, it's a dupe; removing from the frontend.

Thanks George.
/str0ke

George A. Theall wrote:
> Milw0rm 5891 seems nearly the same as milw0rm 3456 / BID 15547 / OSVDB
> 21105 / CVE-2005-3952. I'm not clear what's the distinction between
> "Top Auction" and "Top Auction Pro", though. PHP Labs only seems to
> list the first in its list of products, but the demo for that claims
> to be for the second. Same product maybe? Same vulnerability?
>
>
> George


From theall at tenablesecurity.com  Thu Jun 26 21:10:09 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 26 Jun 2008 17:10:09 -0400
Subject: [VIM] Joomla Component YaNC (listid) SQL Injection Vulnerability
Message-ID:

Milw0rm 5943 seems to be a dup of milw0rm 3944 / CVE-2007-2792. Both
involve a SQL injection issue in the 'listid' parameter.

Btw, just so it's clear, I don't intend these sorts of posts to be
critical of str0ke but to raise awareness among all vdb maintainers.
If you'd rather I keep the messages private, let me know.


George
--
theall at tenablesecurity.com


From aviram at beyondsecurity.com  Thu Jun 26 21:13:14 2008
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Thu, 26 Jun 2008 17:13:14 -0400
Subject: [VIM] Joomla Component YaNC (listid) SQL Injection Vulnerability
In-Reply-To:
References:
Message-ID: <74e840980806261413w726e5081j454186689593dfc@mail.gmail.com>

We (for one) would appreciate it if you keep sending these.

- Aviram

On Thu, Jun 26, 2008 at 5:10 PM, George A. Theall <
theall at tenablesecurity.com> wrote:

> Milw0rm 5943 seems to be a dup of milw0rm 3944 / CVE-2007-2792. Both
> involve a SQL injection issue in the 'listid' parameter.
>
> Btw, just so it's clear, I don't intend these sorts of posts to be critical
> of str0ke but to raise awareness among all vdb maintainers. If you'd rather
> I keep the messages private, let me know.
>
> George
> --
> theall at tenablesecurity.com
>
>
>
>


From str0ke at milw0rm.com  Thu Jun 26 21:29:05 2008
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 26 Jun 2008 16:29:05 -0500
Subject: [VIM] Joomla Component YaNC (listid) SQL Injection Vulnerability
In-Reply-To:
References:
Message-ID: <48640A21.9050907@milw0rm.com>

Thanks George, 5943 has been removed from the frontend.

/str0ke

George A. Theall wrote:
> Milw0rm 5943 seems to be a dup of milw0rm 3944 / CVE-2007-2792. Both
> involve a SQL injection issue in the 'listid' parameter.
>
> Btw, just so it's clear, I don't intend these sorts of posts to be
> critical of str0ke but to raise awareness among all vdb maintainers.
> If you'd rather I keep the messages private, let me know.
>
> George


From coley at linus.mitre.org  Mon Jun 30 21:33:39 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 30 Jun 2008 17:33:39 -0400 (EDT)
Subject: [VIM] Joomla Component YaNC (listid) SQL Injection Vulnerability
In-Reply-To: <74e840980806261413w726e5081j454186689593dfc@mail.gmail.com>
References: <74e840980806261413w726e5081j454186689593dfc@mail.gmail.com>
Message-ID:

> On Thu, Jun 26, 2008 at 5:10 PM, George A. Theall <
> theall at tenablesecurity.com> wrote:
>
> > Btw, just so it's clear, I don't intend these sorts of posts to be critical
> > of str0ke but to raise awareness among all vdb maintainers.

That definitely helps us. You can send CVE dupes here too. We all have
to deal with this mess, which is exactly what we created VIM for.

- Steve