From sullo at cirt.net  Wed Oct  1 15:10:56 2008
From: sullo at cirt.net (Sullo)
Date: Wed, 01 Oct 2008 11:10:56 -0400
Subject: [VIM] Secunia SA32060 - WordPress MU "s" and "ip_address" Cross-Site Scripting Vulnerabilities
Message-ID: <48E39300.1080504@cirt.net>

WordPress MU "s" and "ip_address" Cross-Site Scripting Vulnerabilities
http://secunia.com/advisories/32060/

Points to this post:
http://lists.grok.org.uk/pipermail/full-disclosure/2008-September/064748.html

From Post:
"In /wp-admin/wpmu-blogs.php an attacker can inject javascript code, the
input variables "s" and "ip_address" of GET method aren't properly
sanitized"

From Secunia Description:
"Input passed to the "s" and "ip_address" parameters in
wp-admin/wp-blogs.php is not properly sanitised before being returned to
the user. This can be exploited to execute arbitrary HTML and script code
in a user's browser session in context of an affected site."

Note the wp-blogs.php vs wpmu-blogs.php. I've confirmed that "wp-blogs.php"
doesn't exist in the MU downloads below 2.6.0, so the Secunia text is
incorrect. Just wanted to make sure everyone caught that and see if Secunia
can correct.

-Sullo

From noamr at beyondsecurity.com  Thu Oct  2 11:59:18 2008
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 2 Oct 2008 14:59:18 +0300
Subject: [VIM] Fwd: Internet Information Service remote set password
Message-ID: <200810021459.18429.noamr@beyondsecurity.com>

Hi,

Has anyone been able to confirm this vulnerability?

I can't manage to get a vulnerable setup to 'work' with this exploit.

--
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com
"Know that you are safe."
Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007

-------------- next part --------------
An embedded message was scrubbed...
From: hamedata at gmail.com
Subject: Internet Information Service remote set password
Date: 24 Sep 2008 12:40:07 -0000
Size: 3907
Url: http://www.attrition.org/pipermail/vim/attachments/20081002/7ec1f4ee/attachment.mht

From str0ke at milw0rm.com  Thu Oct  2 13:54:58 2008
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 02 Oct 2008 08:54:58 -0500
Subject: [VIM] Fwd: Internet Information Service remote set password
In-Reply-To: <200810021459.18429.noamr@beyondsecurity.com>
References: <200810021459.18429.noamr@beyondsecurity.com>
Message-ID: <48E4D2B2.30000@milw0rm.com>

Hey Noam,

Noam Rathaus wrote:
> Hi,
>
> Has anyone been able to confirm this vulnerability?
>
> I can't manage to get a vulnerable setup to 'work' with this exploit.
>

Ciph3r, the_3dit0r in the email should have been the giveaway that this
wouldn't work, but hey, they could have thieved it from someone :). All of
their bof / activex vulns sent in were all fakes, changed CLSIDs on old
code / etc. or stolen code.

From coley at linus.mitre.org  Fri Oct  3 22:19:55 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 3 Oct 2008 18:19:55 -0400 (EDT)
Subject: [VIM] CVE-2008-4189 (Xerox) dupe of CVE-2008-1105 (Samba)
Message-ID:

Josh Bressers of Red Hat spoke to Xerox, and they confirmed that their
vague advisory

http://www.xerox.com/downloads/usa/en/c/cert_XRX08_009.pdf

was talking about CVE-2008-1105 when they mentioned "un-validated user
input in the Samba third-party code."

We're keeping CVE-2008-1105.

- Steve

From coley at linus.mitre.org  Tue Oct  7 23:37:31 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 7 Oct 2008 19:37:31 -0400 (EDT)
Subject: [VIM] root cause for Crux Gallery cookie-handling issue?
Message-ID:

Ref: http://milw0rm.com/exploits/6586

The root cause of the Crux Gallery "Insecure Cookie Handling" issue seems
to be an improper conditional.
main.php has the following code:

    if (($_GET['name'] != "users" && $_GET['op']!=logon) &&   // logon is a bare constant in the original
        ($_COOKIE['pass'] != $dbpass || $_COOKIE['user'] != $dbuser)) {
        $user = "Anonymous";
        $pass = "";
        $admin = "";
    } else {
        $admin = TRUE;
        setcookie('user', $_COOKIE['user'], mktime(12,0,0,1, 1, 2014), '/', '');
        setcookie('pass', $_COOKIE['pass'], mktime(12,0,0,1, 1, 2014), '/', '');
    }
    }   // closes the enclosing check for $_COOKIE['user'] mentioned below

So if name = users, the rest of the check is completely bypassed and the
$admin=TRUE block is evaluated. Much of the remaining processing in
index.php just checks the $admin variable.

Note that this is wrapped in a check for the existence of $_COOKIE['user'],
and the $_COOKIE['pass'] check would seem to suggest that it would fail on
the second access. I'm lost in the remaining logic, so I can't tell if you
can only do one access per session or not.

- Steve

From jericho at attrition.org  Fri Oct 10 23:56:20 2008
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 10 Oct 2008 23:56:20 +0000 (UTC)
Subject: [VIM] ZDI upcoming - 500+ days
Message-ID:

I should set up a script to auto-post this to VIM every few weeks, but
this was interesting. Along the lines of what eEye did, showing the days
since vendor informed:

http://www.zerodayinitiative.com/advisories/upcoming/

ZDI-CAN-391  Microsoft            High  2008-09-23,  17 days ago
ZDI-CAN-390  Mozilla Firefox      High  2008-09-23,  17 days ago
ZDI-CAN-389  Microsoft            High  2008-09-23,  17 days ago
[..]
ZDI-CAN-200  IBM                  High  2007-05-22, 507 days ago
ZDI-CAN-174  Symantec             High  2007-05-22, 507 days ago
ZDI-CAN-186  Microsoft            High  2007-03-29, 561 days ago
ZDI-CAN-177  Hewlett-Packard      High  2007-03-19, 571 days ago
ZDI-CAN-175  Microsoft            High  2007-03-19, 571 days ago
ZDI-CAN-160  Oracle / PeopleSoft  High  2007-01-29, 620 days ago
ZDI-CAN-105  Hewlett-Packard      High  2006-10-10, 731 days ago

From kcnight_train at yahoo.com  Sat Oct 25 17:22:00 2008
From: kcnight_train at yahoo.com (Larry Lucas)
Date: Sat, 25 Oct 2008 10:22:00 -0700 (PDT)
Subject: [VIM] Harassing e-mails
Message-ID: <346584.29088.qm@web90303.mail.mud.yahoo.com>

I am receiving harassing e-mails from sshrspncr at aol.com. I would love to
find out if there is a way to get this account creator's name and
address/location of the computer it is being sent from. I have warned them
to stop, but it does not. This has been going on for over a year now. Can
anyone help me please? Thanks!

kcnightrain

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.attrition.org/pipermail/vim/attachments/20081025/3d8d67a5/attachment.html

From noamr at beyondsecurity.com  Tue Oct 28 12:14:10 2008
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Tue, 28 Oct 2008 14:14:10 +0200
Subject: [VIM] Spelling mistake in CVE-2008-4070 (minor)
Message-ID: <200810281414.10624.noamr@beyondsecurity.com>

In here:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4070

Cancelling is spelled badly, written as canceling

--
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com
"Know that you are safe."
Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007

From coley at linus.mitre.org  Tue Oct 28 16:27:58 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 28 Oct 2008 12:27:58 -0400 (EDT)
Subject: [VIM] Spelling mistake in CVE-2008-4070 (minor)
In-Reply-To: <200810281414.10624.noamr@beyondsecurity.com>
References: <200810281414.10624.noamr@beyondsecurity.com>
Message-ID:

On Tue, 28 Oct 2008, Noam Rathaus wrote:

> In here:
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4070
>
> Cancelling is spelled badly, written as canceling

This was a direct quote from the Mozilla advisory, so we typically don't
try to change those.

- Steve

From noamr at beyondsecurity.com  Tue Oct 28 16:36:40 2008
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Tue, 28 Oct 2008 18:36:40 +0200
Subject: [VIM] Spelling mistake in CVE-2008-4070 (minor)
In-Reply-To:
References: <200810281414.10624.noamr@beyondsecurity.com>
Message-ID: <200810281836.40953.noamr@beyondsecurity.com>

Hi Steve,

No problem.

On Tuesday 28 October 2008 18:27:58 Steven M. Christey wrote:
> On Tue, 28 Oct 2008, Noam Rathaus wrote:
> > In here:
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-4070
> >
> > Cancelling is spelled badly, written as canceling
>
> This was a direct quote from the Mozilla advisory, so we typically don't
> try to change those.
>
> - Steve

--
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com
"Know that you are safe."
Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007

From coley at linus.mitre.org  Tue Oct 28 16:39:56 2008
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 28 Oct 2008 12:39:56 -0400 (EDT)
Subject: [VIM] Spelling mistake in CVE-2008-4070 (minor)
In-Reply-To: <200810281836.40953.noamr@beyondsecurity.com>
References: <200810281414.10624.noamr@beyondsecurity.com>
	<200810281836.40953.noamr@beyondsecurity.com>
Message-ID:

On Tue, 28 Oct 2008, Noam Rathaus wrote:

> No problem.

By the way, thanks for pointing it out :)

- Steve
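Returning to the Crux Gallery main.php conditional Steve quoted earlier in this month's archive (milw0rm 6586): the following is an added example, not Crux Gallery's code and not part of the original thread. It reduces the quoted conditional to a function, places a corrected version beside it, and exercises both with a bogus cookie so the bypass can be reproduced from the command line. The $dbuser/$dbpass values, the request and cookie arrays, and the function names are assumptions made for illustration.

```php
<?php
// Added example, not Crux Gallery's code: the main.php conditional quoted
// in the thread, reduced to a function, next to a corrected version.
// $dbuser/$dbpass, the request arrays and the function names are assumed.

function cruxAdminCheck(array $get, array $cookie, string $dbuser, string $dbpass): bool
{
    $name  = $get['name'] ?? '';
    $op    = $get['op'] ?? '';
    $cuser = $cookie['user'] ?? '';
    $cpass = $cookie['pass'] ?? '';
    // Original shape: two groups joined by &&.  When the first group is
    // false (name=users or op=logon), PHP short-circuits and the cookie
    // comparison is never evaluated, so control falls through to the
    // $admin = TRUE branch.  The original writes logon as a bare constant;
    // PHP 7 treats that as the string 'logon' with a notice (PHP 8 throws),
    // so it is quoted here to keep the behaviour the thread describes.
    if (($name != "users" && $op != "logon") &&
        ($cpass != $dbpass || $cuser != $dbuser)) {
        return false;   // $user = "Anonymous"; $admin = ""
    }
    return true;        // $admin = TRUE; cookies re-issued with the supplied values
}

function fixedAdminCheck(array $get, array $cookie, string $dbuser, string $dbpass): bool
{
    // Corrected: $admin depends only on whether the cookie credentials match.
    // Request parameters such as name/op cannot short-circuit the comparison,
    // and hash_equals() gives a type-strict, constant-time comparison.
    $cuser = $cookie['user'] ?? '';
    $cpass = $cookie['pass'] ?? '';
    return hash_equals($dbuser, $cuser) && hash_equals($dbpass, $cpass);
}

$dbuser = 'admin';    // assumed configured credentials
$dbpass = 'secret';
$bogus  = ['user' => 'nobody', 'pass' => 'wrong'];   // constructed attacker cookie

$cases = [
    'plain request, bogus cookie' => [],
    'name=users, bogus cookie'    => ['name' => 'users'],
    'op=logon, bogus cookie'      => ['op' => 'logon'],
];
foreach ($cases as $label => $get) {
    printf("%-30s original=%s fixed=%s\n", $label,
        var_export(cruxAdminCheck($get, $bogus, $dbuser, $dbpass), true),
        var_export(fixedAdminCheck($get, $bogus, $dbuser, $dbpass), true));
}
```

Run it with `php crux_check.php`. The plain request is denied by both versions because the cookie comparison runs and fails; with name=users (or op=logon) in the query string the original returns true despite the bogus cookie, while the corrected check still returns false. The modelled logic also bears out the second-access observation in the thread: the original's else branch re-issues the user/pass cookies with whatever the attacker supplied, so a follow-up request that lacks the bypass parameter reaches the credential comparison and fails, which means the attacker has to keep name=users on every request that needs $admin.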