From jericho at attrition.org Mon Aug 3 23:38:12 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 3 Aug 2009 23:38:12 +0000 (UTC)
Subject: [VIM] recent MSIE vulns and value
Message-ID:

http://www.microsoft.com/technet/security/bulletin/MS09-034.mspx

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Peter Vreugdenhil of VeriSign iDefense Labs for reporting the Memory Corruption Vulnerability (CVE-2009-1917)

Peter Vreugdenhil, working with TippingPoint and the Zero Day Initiative, for reporting the Uninitialized Memory Corruption Vulnerability (CVE-2009-1919)

--

This is interesting. I wonder if we can read into this to mean that iDefense and ZDI disagreed on the value of the vulnerabilities, and Vreugdenhil sold to the company who put more value on each?


From jericho at attrition.org Wed Aug 5 05:54:34 2009
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 5 Aug 2009 05:54:34 +0000 (UTC)
Subject: [VIM] so was CVE-2009-0696 discovered in the wild?
Message-ID:

Discovered in the wild, or someone wrote an exploit after information leaked out?

https://www.isc.org/node/474

Posting date: 2009-07-28

Urgent: this exploit is public. Please upgrade immediately.


From rbu at gentoo.org Wed Aug 5 21:03:45 2009
From: rbu at gentoo.org (Robert Buchholz)
Date: Wed, 5 Aug 2009 23:03:45 +0200
Subject: [VIM] so was CVE-2009-0696 discovered in the wild?
In-Reply-To:
References:
Message-ID: <200908052303.47911.rbu@gentoo.org>

On Wednesday 05 August 2009, security curmudgeon wrote:
> Discovered in the wild, or someone wrote an exploit after information
> leaked out?

The original public report was this:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=538975

I have no insight into how the original reporter came to find the bug, but the public availability of an exploit mentioned in the ISC advisory most probably refers to that Debian bug.

Robert


From che at secunia.com Thu Aug 6 07:18:49 2009
From: che at secunia.com (Carsten H. Eiram)
Date: Thu, 06 Aug 2009 09:18:49 +0200
Subject: [VIM] SA35195 / OSVDB 54734
Message-ID: <1249543129.23771.141.camel@TS-HQ-4>

Steve, this one doesn't seem to have a CVE identifier assigned.

When verifying it, one of my guys determined that the core problem is a stack-based buffer overflow, not a heap-based one as the reporter states.

Furthermore, the general nature of the vulnerable function means that not only MP3 files are a valid vector; titles obtained from other metadata storage formats may be vectors as well (e.g. FLAC has been confirmed).

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist
Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145


From str0ke at milw0rm.com Fri Aug 7 13:32:52 2009
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 07 Aug 2009 08:32:52 -0500
Subject: [VIM] [MIL] #9260 - vendor fix v.7.1295
Message-ID: <4A7C2D04.3070603@milw0rm.com>

Dear webmaster,

I found that you posted that SkaDate software has vulnerabilities: http://www.milw0rm.com/exploits/9260. I want to declare that we fixed all the security issues in the latest build SkaDate 7.1295. Read more about this new build here:
http://www.skalfa.com/press/new-build-of-skadate-community-software-released-%E2%80%93-7-1295.html


From theall at tenablesecurity.com Sat Aug 8 00:18:05 2009
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 7 Aug 2009 20:18:05 -0400
Subject: [VIM] PhotoPost PHP 3.3.1 (XSS/bSQL) Multiple Remote Vulnerabilities
Message-ID: <2E6239F5-5F8C-4E5F-8BA6-354E5BFBD8EF@tenablesecurity.com>

It looks like milw0rm 9402 / BID 35996 is just a rehash of Gulftech's advisory from early 2005: .

Anyone else notice that?

George
--
theall at tenablesecurity.com


From str0ke at milw0rm.com Mon Aug 10 14:33:20 2009
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 10 Aug 2009 09:33:20 -0500
Subject: [VIM] PhotoPost PHP 3.3.1 (XSS/bSQL) Multiple Remote Vulnerabilities
In-Reply-To: <2E6239F5-5F8C-4E5F-8BA6-354E5BFBD8EF@tenablesecurity.com>
References: <2E6239F5-5F8C-4E5F-8BA6-354E5BFBD8EF@tenablesecurity.com>
Message-ID: <4A802FB0.3030207@milw0rm.com>

Removing it from the front end, ty brother.

George A. Theall wrote:
> It looks like milw0rm 9402 / BID 35996 is just a rehash of Gulftech's
> advisory from early 2005:
> .
> Anyone else notice that?
>
> George


From str0ke at milw0rm.com Mon Aug 10 18:58:49 2009
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 10 Aug 2009 13:58:49 -0500
Subject: [VIM] [MIL #9388] Mac OS X 10.5.7 (.CHM File) Local Finder.app Denial of Service Exploit (removed)
Message-ID: <4A806DE9.6070704@milw0rm.com>

The vulnerability isn't there; trust was an issue on posting this one. I'm guessing it's some other app he has installed; waiting back on a reply. Tested via ppc / x86 osx versions.

/str0ke


From che at secunia.com Mon Aug 17 11:32:01 2009
From: che at secunia.com (Carsten H. Eiram)
Date: Mon, 17 Aug 2009 13:32:01 +0200
Subject: [VIM] SA31294 / CVE-2008-3408 / OSVDB 47194
Message-ID: <1250508721.9194.155.camel@TS-HQ-4>

While the original exploit triggers one vulnerability, there are actually two stack-based buffer overflow vulnerabilities in the same part of the code. The one triggered depends on whether the string starts with a backslash or not.

Furthermore, as the vulnerabilities are in a part of the code not used solely for M3U parsing, they can be exploited via other playlist formats as well (e.g. PLS).

Our advisory, SA31294, contains a bit more information.

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist
Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145


From jericho at attrition.org Tue Aug 18 07:24:42 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 18 Aug 2009 07:24:42 +0000 (UTC)
Subject: [VIM] "wp-syntax Plugin exploit from yesterday"
Message-ID:

Stefan Esser posted:

i0n1c LOL... wp-syntax Plugin exploit from yesterday was tried on my blog on 26th DECEMBER 2008

http://twitter.com/i0n1c/statuses/3378620240


From theall at tenablesecurity.com Tue Aug 18 17:33:46 2009
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 18 Aug 2009 13:33:46 -0400
Subject: [VIM] Dreampics Builder (exhibition_id) Remote SQL Injection Vulnerability
Message-ID:

milw0rm 9451 looks rather similar to an issue discovered by xoron earlier this year and covered by milw0rm 7968 / OSVDB 51741 / CVE-2009-0445. Except that xoron says it's a blind SQL injection vuln while Mr. SQL suggests a plain SQL injection attack works. Anybody have access to the source and can confirm either way? Do they involve different versions?

George
--
theall at tenablesecurity.com


From coley at linus.mitre.org Wed Aug 19 19:57:58 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 19 Aug 2009 15:57:58 -0400 (EDT)
Subject: [VIM] milw0rm and Packet Storm both down?
Message-ID:

are both milw0rm and Packet Storm down, or is it just me?

- Steve


From jericho at attrition.org Wed Aug 19 19:59:46 2009
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 19 Aug 2009 19:59:46 +0000 (UTC)
Subject: [VIM] milw0rm and Packet Storm both down?
In-Reply-To:
References:
Message-ID:

str0ke twittered, milw0rm down. outage in area, no ETA.
On Wed, 19 Aug 2009, Steven M. Christey wrote:

:
: are both milw0rm and Packet Storm down, or is it just me?
:
: - Steve
:


From coley at linus.mitre.org Thu Aug 20 17:23:10 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 20 Aug 2009 13:23:10 -0400 (EDT)
Subject: [VIM] heads up - CVE web site outage this weekend
Message-ID:

Hey peeps, the CVE web site is going to be inaccessible from Friday night to Saturday night or Sunday morning for electrical system work. We've had this happen before, but given the continued outages of milw0rm and packet storm, I didn't want any conspiracy theorists to get all excited ;-)

- Steve


From coley at linus.mitre.org Sun Aug 23 19:07:12 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sun, 23 Aug 2009 15:07:12 -0400 (EDT)
Subject: [VIM] Pigyard Art Gallery - site-specific
Message-ID:

an oldie from 2008...

MILW0RM:5181
OSVDB:51163
Researchers: ZoRLu, Aria Security (The-0utl4w)

This is most likely site-specific. ZoRLu points to a "how to buy" page at http://www.pigyardgallery.com/how_to_buy.php but this is for how customers can buy art that is offered on the www.pigyardgallery.com site. An inurl:show_picture_full Google dork string only returns that site.

- Steve


From str0ke at milw0rm.com Tue Aug 25 13:46:32 2009
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 25 Aug 2009 08:46:32 -0500
Subject: [VIM] [MILW0RM #9502] com_ninjamonial
Message-ID: <4A93EB38.7000608@milw0rm.com>

Wrong info.

Information:
Name : NinjaMonials - Testimonials Manager.
Version : 1.6.0
Date : Aug 2009
Licence : GLP
Type : Comercial
Compatibility : 1.5
Native web : http://www.ninjaforge.com
more info & demo : http://ninjaforge.com/index.php?option=com_ninjacentral&page=show_package&id=56&Itemid=245

Correct info.

Information:
Name : NinjaMonials - Testimonials Manager.
Version : 1.1.0
Date : Jan 2009
Licence : GPL
Type : Commercial
Compatibility : 1.0
Native web : http://www.ninjaforge.com
more info & demo : http://ninjaforge.com/index.php?option=com_ninjacentral&page=show_package&id=56&Itemid=245

A fix has been released, version 1.2


From coley at linus.mitre.org Tue Aug 25 18:05:11 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 25 Aug 2009 14:05:11 -0400 (EDT)
Subject: [VIM] @1 File Store PRO SQL injection - the old gray dupe
Message-ID:

from 2008: http://www.milw0rm.com/exploits/6040

These vectors for the id parameter in config.php and download.php were also disclosed by eVuln in 2006, albeit for a different version (version 2006.03.07, non-pro). See CVE-2006-1278.

- Steve

======================================================
Name: CVE-2006-1278
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-1278
Reference: BUGTRAQ:20060324 [eVuln] @1 File Store Multiple XSS and SQL Injection Vulnerabilities
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/428659/100/0/threaded
Reference: MISC:http://evuln.com/vulns/95/summary.html
Reference: BID:17090
Reference: URL:http://www.securityfocus.com/bid/17090
Reference: VUPEN:ADV-2006-0943
Reference: URL:http://www.frsirt.com/english/advisories/2006/0943
Reference: OSVDB:23851
Reference: URL:http://www.osvdb.org/23851
Reference: OSVDB:23852
Reference: URL:http://www.osvdb.org/23852
Reference: OSVDB:23853
Reference: URL:http://www.osvdb.org/23853
Reference: OSVDB:23854
Reference: URL:http://www.osvdb.org/23854
Reference: OSVDB:23855
Reference: URL:http://www.osvdb.org/23855
Reference: OSVDB:23856
Reference: URL:http://www.osvdb.org/23856
Reference: OSVDB:23857
Reference: URL:http://www.osvdb.org/23857
Reference: OSVDB:23858
Reference: URL:http://www.osvdb.org/23858
Reference: OSVDB:23859
Reference: URL:http://www.osvdb.org/23859
Reference: OSVDB:23860
Reference: URL:http://www.osvdb.org/23860
Reference: OSVDB:23861
Reference: URL:http://www.osvdb.org/23861
Reference: OSVDB:23862
Reference: URL:http://www.osvdb.org/23862
Reference: OSVDB:23863
Reference: URL:http://www.osvdb.org/23863
Reference: OSVDB:23864
Reference: URL:http://www.osvdb.org/23864
Reference: OSVDB:24106
Reference: URL:http://www.osvdb.org/24106
Reference: SECTRACK:1015826
Reference: URL:http://securitytracker.com/id?1015826
Reference: SECUNIA:19224
Reference: URL:http://secunia.com/advisories/19224
Reference: SREASON:619
Reference: URL:http://securityreason.com/securityalert/619
Reference: XF:filestore-multiple-sql-injection(25183)
Reference: URL:http://xforce.iss.net/xforce/xfdb/25183

SQL injection vulnerability in @1 File Store 2006.03.07 allows remote attackers to execute arbitrary SQL commands via the id parameter to (1) functions.php and (2) user.php in the libs directory, (3) edit.php and (4) delete.php in control/files/, (5) edit.php and (6) delete.php in control/users/, (7) edit.php, (8) access.php, and (9) in control/folders/, (10) access.php and (11) delete.php in control/groups/, (12) confirm.php, and (13) download.php; (14) the email parameter in password.php, and (15) the id parameter in folder.php.


From str0ke at milw0rm.com Tue Aug 25 18:50:29 2009
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 25 Aug 2009 13:50:29 -0500
Subject: [VIM] @1 File Store PRO SQL injection - the old gray dupe
In-Reply-To:
References:
Message-ID: <4A943275.4020107@milw0rm.com>

Steven M. Christey wrote:
> from 2008: http://www.milw0rm.com/exploits/6040
>
> These vectors for the id parameter in config.php and download.php were
> also disclosed by eVuln in 2006, albeit for a different version (version
> 2006.03.07, non-pro). See CVE-2006-1278

Are you counting [MIL] 6040 as a dupe from CVE-2006-1278?


From coley at linus.mitre.org Tue Aug 25 21:14:10 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 25 Aug 2009 17:14:10 -0400 (EDT)
Subject: [VIM] @1 File Store PRO SQL injection - the old gray dupe
In-Reply-To: <4A943275.4020107@milw0rm.com>
References: <4A943275.4020107@milw0rm.com>
Message-ID:

On Tue, 25 Aug 2009, str0ke wrote:

> > These vectors for the id parameter in config.php and download.php were
> > also disclosed by eVuln in 2006, albeit for a different version (version
> > 2006.03.07, non-pro). See CVE-2006-1278
>
> Are you counting [MIL] 6040 as a dupe from CVE-2006-1278?

Yes, though I'm half-expecting George to pipe up and throw a whole wrench into my logic ;-)

- Steve


From str0ke at milw0rm.com Tue Aug 25 22:17:05 2009
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 25 Aug 2009 17:17:05 -0500
Subject: [VIM] @1 File Store PRO SQL injection - the old gray dupe
In-Reply-To:
References: <4A943275.4020107@milw0rm.com>
Message-ID: <4A9462E1.3000302@milw0rm.com>

Steven M. Christey wrote:
> On Tue, 25 Aug 2009, str0ke wrote:
>
>>> These vectors for the id parameter in config.php and download.php were
>>> also disclosed by eVuln in 2006, albeit for a different version (version
>>> 2006.03.07, non-pro). See CVE-2006-1278
>>>
>> Are you counting [MIL] 6040 as a dupe from CVE-2006-1278?
>>
>
> Yes, though I'm half-expecting George to pipe up and throw a whole wrench
> into my logic ;-)
>
> - Steve
>
>

The vendor stated they fixed the issue in 2006 and released a new version 2.something. You can tell by looking at the .zip files: 3.2 came out in 2007, and if you look at the files they have been updated in 2009. So version information wouldn't be correct since they update source code without putting out new versions.

An extra variable is used on the milw0rm's version as well; not sure if that could have bypassed the fix?

The last SQL injection that we actually have isn't ' 'ed, so did they add the single quotes around the query to fix the issues back in 2006 and not sanitize?

I'm betting, by looking at timestamps, they probably patched the 2008 vuln in 2009 after missing something, or built their 3.x version off of old source.

Gah, so many possibilities.


From coley at linus.mitre.org Sat Aug 29 23:50:17 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 29 Aug 2009 19:50:17 -0400 (EDT)
Subject: [VIM] SourceForge kills Changelog URLs
Message-ID:

Looks like SourceForge's facelift has gone and killed a whole bunch of URLs that CVE uses for pointing to changelogs. They serve up blank pages. Hooray!

CVE-2009-2368
http://sourceforge.net/project/shownotes.php?release_id=695068

CVE-2009-2343
http://sourceforge.net/project/shownotes.php?release_id=694128

CVE has approximately 824 URLs that point to shownotes.php. Can anybody beat us?

(maybe it's not the great Bugtraq whiteout of 2001-2003 but it's still incredibly inconvenient)

- Steve


From jericho at attrition.org Sat Aug 29 23:54:28 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 29 Aug 2009 23:54:28 +0000 (UTC)
Subject: [VIM] SourceForge kills Changelog URLs
In-Reply-To:
References:
Message-ID:

On Sat, 29 Aug 2009, Steven M. Christey wrote:

: Looks like SourceForge's facelift has gone and killed a whole bunch of
: URLs that CVE uses for pointing to changelogs. They serve up blank
: pages. Hooray!

Did you just notice this today? I have been using some changelogs on there earlier this week (looking at new ones, not referencing old ones)

: CVE-2009-2368
: http://sourceforge.net/project/shownotes.php?release_id=695068
:
: CVE-2009-2343
: http://sourceforge.net/project/shownotes.php?release_id=694128
:
: CVE has approximately 824 URLs that point to shownotes.php. Can anybody
: beat us?

OSVDB has 1,410 =) Product of me spending too much time reading changelogs.

: (maybe it's not the great Bugtraq whiteout of 2001-2003 but it's still
: incredibly inconvenient)

The white page is odd. Seems it would give a 404 if really gone. Wonder if this is a temporary error.
Anyone know a SF admin type that could potentially answer?

.b


From coley at linus.mitre.org Sun Aug 30 00:08:00 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 29 Aug 2009 20:08:00 -0400 (EDT)
Subject: [VIM] SourceForge kills Changelog URLs
In-Reply-To:
References:
Message-ID:

On Sat, 29 Aug 2009, security curmudgeon wrote:

> Did you just notice this today? I have been using some changelogs on
> there earlier this week (looking at new ones, not referencing old ones)

I did notice that the place I usually go to for changelogs for a project, the file downloads page, no longer actually points to changelogs. I didn't realize the extent of the problem till just now.

> The white page is odd. Seems it would give a 404 if really gone. Wonder
> if this is a temporary error. Anyone know a SF admin type that could
> potentially answer?

I found some kind of contact email and CC'ed you on my inquiry to them. No idea if it'll be heard.

- Steve


From jericho at attrition.org Sun Aug 30 07:56:10 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 30 Aug 2009 07:56:10 +0000 (UTC)
Subject: [VIM] Why the censorship? (was re: Inquira: Multiple Vulnerabilities)
Message-ID:

Hi Neohapsis,

The mail to Full-disclosure on Mar 20, 2009 has been edited on the archives of Neohapsis:

http://archives.neohapsis.com/archives/fulldisclosure/2009-03/0326.html

Every occurrence of "Inquira" has been redacted. Since the original disclosure suggests the vendor was contacted, and chose not to reply, it is curious that their name would be removed from your archive. Could you explain why, or at the very least share what I suspect was a C&D style letter demanding their name be removed?

I ask because other archives do not redact their name for whatever reason:

http://seclists.org/fulldisclosure/2009/Mar/0300.html
http://marc.info/?l=full-disclosure&m=123753854425289&w=2
http://www.derkeiler.com/Mailing-Lists/Full-Disclosure/2009-03/msg00300.html
http://www.opensubscriber.com/message/full-disclosure at lists.grok.org.uk/11725824.html

[..]

- security curmudgeon

---------- Forwarded message ----------
From: Kristian Erik Hermansen
To: full-disclosure at lists.grok.org.uk
Date: Fri, 20 Mar 2009 01:34:28 -0700
Subject: [Full-disclosure] Inquira: Multiple Vulnerabilities

Bonjour,

During a recent penetration test, we discovered and worked with Inquira to close numerous web-based issues. The vendor has not replied back about a formal release of these issues, so I am posting this notice here to inform customers to check for an update for their products. You can contact Inquira via the link below.

http://www.inquira.com/

Additionally, it is also advised that customers change the default passwords used by the affected software. For instance, the default Apache Tomcat administrator account details are listed below and should probably be added to publicly listed default password databases (phenoelit, etc).

Vendor: Inquira
Products: (multiple)
Username: inquira
Password: inquira123

Cheers,
--
Kristian Erik Hermansen
http://www.linkedin.com/in/kristianerikhermansen

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


From jericho at attrition.org Sun Aug 30 20:02:19 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 30 Aug 2009 20:02:19 +0000 (UTC)
Subject: [VIM] question about article last year [SAP NetWeaver]
Message-ID:

Mail bounced. I couldn't find a big NetWeaver disclosure that would cover the vulnerabilities described in this. Anyone seen anything?

---------- Forwarded message ----------
From: security curmudgeon
To: Mmorejon at cmp.com
Date: Sun, 30 Aug 2009 19:55:07 +0000 (UTC)
Subject: question about article last year

Hi Mario,

In reference to "Hacking Into a Billion-Dollar SAP Solution" (http://www.crn.com/software/208400258), could you tell me if the research and details have been published since?

Thanks,

Brian
Content Manager
OSVDB.org


From str0ke at milw0rm.com Mon Aug 31 15:33:59 2009
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 31 Aug 2009 10:33:59 -0500
Subject: [VIM] [MIL 8718] Douran Portal Security
Message-ID: <4A9BED67.7060308@milw0rm.com>

8718 was fixed with releases 3.9.5.01 and 3.9.6.0.

http://www.douran.com/