From coley at linus.mitre.org Thu Nov 6 15:40:53 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 6 Nov 2008 10:40:53 -0500 (EST)
Subject: [VIM] Vendor dispute / researcher retraction: Agavi (CVE-2008-4920)
Message-ID:

(also MILW0RM:6970)

The report covered by CVE-2008-4920 is false. This was for a claimed
directory traversal in Agavi involving the cmplang parameter. This
parameter does not exist in Agavi. Further investigation by the vendor
and original researcher shows that it is due to a site-specific
modification.

See: http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports

We have been notified by the original vendor as well as the original
researcher. The researcher has retracted the claim that it is in Agavi.
Since it's site-specific, it is outside CVE's scope, so we're rejecting
it.

- Steve

======================================================
Name: CVE-2008-4920
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920
Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
Reference: MILW0RM:6970
Reference: URL:http://www.milw0rm.com/exploits/6970
Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
Reference: BID:32086
Reference: URL:http://www.securityfocus.com/bid/32086

** REJECT **

DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
candidate was based on an incorrect claim regarding a directory issue
in Agavi. The vendor has disputed the issue and the original
researcher has retracted the original claim, so this is not a
vulnerability. Further investigation by the vendor and original
researcher show that the original issue was in a site-specific
modification, which is outside the scope of CVE. Notes: CVE users
should not use this identifier.


From str0ke at milw0rm.com Thu Nov 6 16:00:02 2008
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 06 Nov 2008 10:00:02 -0600
Subject: [VIM] Vendor dispute / researcher retraction: Agavi (CVE-2008-4920)
In-Reply-To:
References:
Message-ID: <49131482.5030503@milw0rm.com>

Received this from the researcher, which confirms the false vuln.

Hi dude! Can you remove the exploit "AGAVI <=Agavi 1.0.0 beta 5
Directory Transversal Exploit", because after discussing with the
developer of AGAVI, we saw that the vulnerability I found was only due
to a bad server configuration and not the value cmplang from AGAVI....

Steven M. Christey wrote:
> (also MILW0RM:6970)
>
> The report covered by CVE-2008-4920 is false. This was for a claimed
> directory traversal in Agavi involving the cmplang parameter. This
> parameter does not exist in Agavi. Further investigation by the vendor
> and original researcher shows that it is due to a site-specific
> modification.
>
> See: http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
>
> We have been notified by the original vendor as well as the original
> researcher. The researcher has retracted the claim that it is in Agavi.
> Since it's site-specific, it is outside CVE's scope, so we're rejecting
> it.
>
> - Steve
>
> ======================================================
> Name: CVE-2008-4920
> Status: Candidate
> URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4920
> Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
> Reference: MILW0RM:6970
> Reference: URL:http://www.milw0rm.com/exploits/6970
> Reference: MISC:http://blog.agavi.org/post/58189391/false-agavi-vulnerability-reports
> Reference: BID:32086
> Reference: URL:http://www.securityfocus.com/bid/32086
>
> ** REJECT **
>
> DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: None. Reason: this
> candidate was based on an incorrect claim regarding a directory issue
> in Agavi. The vendor has disputed the issue and the original
> researcher has retracted the original claim, so this is not a
> vulnerability. Further investigation by the vendor and original
> researcher show that the original issue was in a site-specific
> modification, which is outside the scope of CVE. Notes: CVE users
> should not use this identifier.
>
>
>


From str0ke at milw0rm.com Fri Nov 7 07:10:06 2008
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 07 Nov 2008 01:10:06 -0600
Subject: [VIM] [Fwd: XSS Vulnerability In Ucompass Educator Software]
Message-ID: <4913E9CE.1060502@milw0rm.com>

List,

Alright to forward XSS vulnerabilities I don't post to this list?

/str0ke

-------------- next part --------------
An embedded message was scrubbed...
From: Chad
Subject: XSS Vulnerability In Ucompass Educator Software
Date: Fri, 7 Nov 2008 01:12:01 -0500
Size: 2961
Url: http://www.attrition.org/pipermail/vim/attachments/20081107/2ef70acf/attachment.eml


From coley at linus.mitre.org Sat Nov 8 20:27:03 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 8 Nov 2008 15:27:03 -0500 (EST)
Subject: [VIM] [Fwd: XSS Vulnerability In Ucompass Educator Software]
In-Reply-To: <4913E9CE.1060502@milw0rm.com>
References: <4913E9CE.1060502@milw0rm.com>
Message-ID:

On Fri, 7 Nov 2008, str0ke wrote:

> Alright to forward XSS vulnerabilities I don't post to this list?

Do you mean XSS vulns in live web sites, not necessarily distributable
software? What about these reports would prevent you from posting on
milw0rm?

Just trying to understand the implications. (xssed.com and a couple
others are set up for handling live-site XSS reports.)

- Steve


From str0ke at milw0rm.com Sat Nov 8 22:51:59 2008
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 08 Nov 2008 16:51:59 -0600
Subject: [VIM] [Fwd: XSS Vulnerability In Ucompass Educator Software]
In-Reply-To:
References: <4913E9CE.1060502@milw0rm.com>
Message-ID: <4916180F.8010806@milw0rm.com>

Steven M. Christey wrote:
> On Fri, 7 Nov 2008, str0ke wrote:
>
>> Alright to forward XSS vulnerabilities I don't post to this list?
>
> Do you mean XSS vulns in live web sites, not necessarily distributable
> software? What about these reports would prevent you from posting on
> milw0rm?

I don't post XSS vulnerabilities by themselves. So pretty much anything
that's just plain XSS in any script.

/str0ke


From theall at tenablesecurity.com Wed Nov 12 14:39:42 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 12 Nov 2008 09:39:42 -0500
Subject: [VIM] Joomla Component com_marketplace 1.3.1 (catid) SQL Injection Vuln
Message-ID: <3ED6E7F0-5AF6-471C-BA16-277B17EE24AC@tenablesecurity.com>

Has anyone looked at milw0rm 7097 yet? It concerns a SQL injection
issue in the Marketplace component for Joomla. The issue seems to
have been covered already by milw0rm 5055. The only difference is that
7097 supposedly affects a more recent version of the component.

Also, I don't think 1.3.1 is vulnerable. Looking at the source for
that version (both downloaded from the link in 7097 and that I had
downloaded last February) shows that 'catid' is sanitized in
'show_category.php' by a call to intval() before its value is used in
any SQL queries. What am I missing?

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Wed Nov 12 15:17:57 2008
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 12 Nov 2008 09:17:57 -0600
Subject: [VIM] Joomla Component com_marketplace 1.3.1 (catid) SQL Injection Vuln
In-Reply-To: <3ED6E7F0-5AF6-471C-BA16-277B17EE24AC@tenablesecurity.com>
References: <3ED6E7F0-5AF6-471C-BA16-277B17EE24AC@tenablesecurity.com>
Message-ID: <491AF3A5.7090300@milw0rm.com>

Sorry, tested on 1.2.1 and it is affected. Changing the version
information now.

George A. Theall wrote:
> Has anyone looked at milw0rm 7097 yet? It concerns a SQL injection
> issue in the Marketplace component for Joomla. The issue seems to
> have been covered already by milw0rm 5055. The only difference is that
> 7097 supposedly affects a more recent version of the component.
>
> Also, I don't think 1.3.1 is vulnerable. Looking at the source for
> that version (both downloaded from the link in 7097 and that I had
> downloaded last February) shows that 'catid' is sanitized in
> 'show_category.php' by a call to intval() before its value is used in
> any SQL queries. What am I missing?
>
>
> George


From theall at tenablesecurity.com Thu Nov 13 01:15:24 2008
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 12 Nov 2008 20:15:24 -0500
Subject: [VIM] Quick Poll Script (code.php id) Remote SQL Injection Vulnerability
Message-ID: <96CFF0F2-F824-4919-BC62-E481873DD0ED@tenablesecurity.com>

Hey str0ke, did you miss milw0rm 7105 back when it came out in August?
The advisory looks nearly identical to
http://packetstorm.linuxsecurity.com/0808-exploits/quickpoll-sql.txt ,
which maps to CVE-2008-3765 / BID 30724.

And it looks like SecurityFocus for some reason not only created BID
32279 for the milw0rm advisory but also reports the affected script
incorrectly as the product link itself rather than what the advisory
claims is affected.

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Thu Nov 13 04:08:45 2008
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 12 Nov 2008 22:08:45 -0600
Subject: [VIM] Quick Poll Script (code.php id) Remote SQL Injection Vulnerability
In-Reply-To: <96CFF0F2-F824-4919-BC62-E481873DD0ED@tenablesecurity.com>
References: <96CFF0F2-F824-4919-BC62-E481873DD0ED@tenablesecurity.com>
Message-ID: <491BA84D.1060103@milw0rm.com>

George A. Theall wrote:
> Hey str0ke, did you miss milw0rm 7105 back when it came out in August?
> The advisory looks nearly identical to
> http://packetstorm.linuxsecurity.com/0808-exploits/quickpoll-sql.txt,
> which maps to CVE-2008-3765 / BID 30724.

Yep, I stopped posting a lot of Hussin's vulnerabilities in the past. A
lot of the scripts / pozscripts / ezone scripts were all the same
scripts sold under different names.

Future note: if it looks the same, exactly the same SQL injection with
the same script, I'm pretty sure you can place it in your book that it's
the same vulnerability.

/str0ke


From str0ke at milw0rm.com Sun Nov 23 04:43:24 2008
From: str0ke at milw0rm.com (str0ke)
Date: Sat, 22 Nov 2008 22:43:24 -0600
Subject: [VIM] CVE
Message-ID: <4928DF6C.6000804@milw0rm.com>

CVE's site has been down all day, anyone else having this issue?

/str0ke


From jericho at attrition.org Sun Nov 23 05:32:45 2008
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 23 Nov 2008 05:32:45 +0000 (UTC)
Subject: [VIM] CVE
In-Reply-To: <4928DF6C.6000804@milw0rm.com>
References: <4928DF6C.6000804@milw0rm.com>
Message-ID:

: CVE's site has been down all day, anyone else having this issue?

Yep. Either pages don't load, or load very slow and incomplete.


From coley at mitre.org Sun Nov 23 17:44:28 2008
From: coley at mitre.org (Steven M. Christey)
Date: Sun, 23 Nov 2008 12:44:28 -0500 (EST)
Subject: [VIM] CVE
Message-ID: <200811231744.mANHiSRi029667@linus.mitre.org>

str0ke said:
>CVE's site has been down all day, anyone else having this issue?

Jericho said:
>Yep. Either pages don't load, or load very slow and incomplete.

CVE's problems are part of a larger network connectivity issue we're
dealing with, sorry about that. Looks like it's accessible again,
though I'm not sure if my email will make it through.

Again, sorry about that. I know that lots of people depend on CVE being
online. We'll be looking into the cause of the connectivity problems.

- Steve