From noamr at beyondsecurity.com Thu Jan 1 15:38:13 2009
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 1 Jan 2009 17:38:13 +0200
Subject: [VIM] First CVE of 2009 :)
Message-ID: <200901011738.14175.noamr@beyondsecurity.com>

Hi,

Can someone tell me when the first CVE of 2009 was issued?

-- 
Noam Rathaus
CTO
noamr at beyondsecurity.com
http://www.beyondsecurity.com
"Know that you are safe."
Beyond Security Finalist for the "Red Herring 100 Global" Awards 2007

From coley at linus.mitre.org Fri Jan 2 17:24:55 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 2 Jan 2009 12:24:55 -0500 (EST)
Subject: [VIM] First CVE of 2009 :)
In-Reply-To: <200901011738.14175.noamr@beyondsecurity.com>
References: <200901011738.14175.noamr@beyondsecurity.com>

On Thu, 1 Jan 2009, Noam Rathaus wrote:

> Can someone tell me when the first CVE of 2009 was issued?

Do you mean when the first "CVE-2009-xxxx" got published? It'll probably happen sometime within the next couple of hours.

It probably won't be CVE-2009-0001, which is part of a larger pool that was given to a candidate numbering authority.

- Steve

From jericho at attrition.org Fri Jan 2 21:26:22 2009
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 2 Jan 2009 21:26:22 +0000 (UTC)
Subject: [VIM] First CVE of 2009 :)
References: <200901011738.14175.noamr@beyondsecurity.com>

: > Can someone tell me when the first CVE of 2009 was issued?
:
: Do you mean when the first "CVE-2009-xxxx" got published? It'll
: probably happen sometime within the next couple of hours.
:
: It probably won't be CVE-2009-0001, which is part of a larger pool that
: was given to a candidate numbering authority.

Bah! The 0001 of a given year should always be in your hands, and should always be published ten minutes after New Years rings in!
From jericho at attrition.org Sat Jan 3 07:40:28 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 3 Jan 2009 07:40:28 +0000 (UTC)
Subject: [VIM] CVE-2006-7184 / OSVDB 33999 (Exhibit Engine)

CVE shows provenance unknown. I noticed that CVE/osvdb say "fstyles.php" and "fetchsettings.php" are vulnerable. Nessus plugin 23640 shows "styles.php" and I presume the author (not Tenable) tested the script.

Download requires registration. EE2_upgrade.zip (don't see a full download, or a 1.x package) shows evidence of 'fetchsettings.php' (basecode directory) and 'styles.php' (admin directory). There is no evidence of 'fstyles.php'.

Note: CVE-2006-7183 covers Exhibit Engine and "styles.php" specifically.

Best guess is that fstyles.php is either a typo, or part of an install/upgrade I don't see available after a brief search.

From theall at tenablesecurity.com Mon Jan 5 00:59:57 2009
From: theall at tenablesecurity.com (George A. Theall)
Date: Sun, 4 Jan 2009 19:59:57 -0500
Subject: [VIM] CVE-2006-7184 / OSVDB 33999 (Exhibit Engine)

On Jan 3, 2009, at 2:40 AM, security curmudgeon wrote:

> CVE shows provenance unknown. I noticed that CVE/osvdb say
> "fstyles.php" and "fetchsettings.php" are vulnerable. Nessus plugin
> 23640 shows "styles.php" and I presume the author (not Tenable)
> tested the script.

I grabbed the source for version 1.22 when Justin wrote the Nessus plugin. The distribution tarball contains 'fetchsettings.php' and a 'styles.php' but no 'fstyles.php'. I also have the source for the earlier 1.5 RC4 -- that contains 'fetchsettings.php' but not 'styles.php' or 'fstyles.php'.

George
-- 
theall at tenablesecurity.com

From coley at linus.mitre.org Mon Jan 5 21:45:49 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 5 Jan 2009 16:45:49 -0500 (EST)
Subject: [VIM] First CVE of 2009 :)
In-Reply-To: <200901011738.14175.noamr@beyondsecurity.com>
References: <200901011738.14175.noamr@beyondsecurity.com>

OK, 2 out of 3 ain't bad.

The first CVE that was originally public in 2009 was CVE-2008-2381 (reserved), public on 20090102.

The first public CVE with a 2009 tag was CVE-2009-0022 (reserved by Red Hat), public on 20090105. (Last year's winner was CVE-2008-0061, public on 20080103; in 2007, CVE-2007-0015 was public on 20070101).

Due to an odd little blip in CVE content creation, the first non-reserved CVE built on public data is still forthcoming, though many are waiting in the wings for the final editing step, including two that were published January 1 that will likely appear after higher-priority issues that were published later than that. Its sequence number will be 0041 or greater.

As you may surmise, CVE numbers don't go public sequentially. That's because of the reserved CVEs, our internal prioritization for which issues to publish first, and vacation/holiday oddities.

More useless trivia to follow, no doubt...

- Steve

======================================================
Name: CVE-2008-2381
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2381
Reference: CONFIRM:http://gforge.org/scm/viewvc.php/branches/Branch_4_5/gforge/common/include/GroupJoinRequest.class?root=gforge&r1=4590&r2=6709
Reference: CONFIRM:http://gforge.org/scm/viewvc.php/branches/Branch_4_5/gforge/common/include/GroupJoinRequest.class?root=gforge&view=log
Reference: CONFIRM:http://security-tracker.debian.net/tracker/CVE-2008-2381
Reference: SECUNIA:33229
Reference: URL:http://secunia.com/advisories/33229

SQL injection vulnerability in the create function in common/include/GroupJoinRequest.class in GForge 4.5 and 4.6 allows remote attackers to execute arbitrary SQL commands via the comments variable.

======================================================
Name: CVE-2009-0022
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0022
Reference: CONFIRM:http://www.samba.org/samba/security/CVE-2009-0022.html
Reference: SECUNIA:33379
Reference: URL:http://secunia.com/advisories/33379

Samba 3.2.0 through 3.2.6, when registry shares are enabled, allows remote authenticated users to access the root filesystem via a crafted connection request that specifies a blank share name.

From coley at linus.mitre.org Wed Jan 7 18:43:26 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 7 Jan 2009 13:43:26 -0500 (EST)
Subject: [VIM] First CVE of 2009 :)
References: <200901011738.14175.noamr@beyondsecurity.com>

here's the first "real" CVE of 2009.

btw I'm not always comfortable with vague pre-announcements in CVE but as we all know the vuln information world is not perfect :)

======================================================
Name: CVE-2009-0066
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0066
Reference: MISC:http://blackhat.com/html/bh-dc-09/bh-dc-09-speakers.html#Wojtczuk
Reference: MISC:http://invisiblethingslab.com/press/itl-press-2009-01.pdf
Reference: MISC:http://theinvisiblethings.blogspot.com/2009/01/attacking-intel-trusted-execution.html
Reference: BID:33119
Reference: URL:http://www.securityfocus.com/bid/33119

Multiple unspecified vulnerabilities in Intel system software for Trusted Execution Technology (TXT) allow attackers to bypass intended loader integrity protections, as demonstrated by exploitation of tboot. NOTE: as of 20090107, the only disclosure is a vague pre-advisory with no actionable information. However, because it is from a well-known researcher, it is being assigned a CVE identifier for tracking purposes.
From aviram at beyondsecurity.com Wed Jan 7 20:13:17 2009
From: aviram at beyondsecurity.com (Aviram Jenik)
Date: Wed, 7 Jan 2009 12:13:17 -0800
Subject: [VIM] First CVE of 2009 :)
References: <200901011738.14175.noamr@beyondsecurity.com>
Message-ID: <74e840980901071213s11c1005ch52fcb30871f674f3@mail.gmail.com>

On Wed, Jan 7, 2009 at 10:43 AM, Steven M. Christey wrote:
>
> here's the first "real" CVE of 2009.
> Name: CVE-2009-0066

I thought the first 'real' one was CVE-2009-0022? What am I missing?

- Avi

From coley at linus.mitre.org Wed Jan 7 20:22:17 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 7 Jan 2009 15:22:17 -0500 (EST)
Subject: [VIM] First CVE of 2009 :)
In-Reply-To: <74e840980901071213s11c1005ch52fcb30871f674f3@mail.gmail.com>
References: <200901011738.14175.noamr@beyondsecurity.com> <74e840980901071213s11c1005ch52fcb30871f674f3@mail.gmail.com>

On Wed, 7 Jan 2009, Aviram Jenik wrote:

> > Name: CVE-2009-0066
>
> I thought the first 'real' one was CVE-2009-0022?

Sorry, I meant that CVE-2009-0066 was the first 2009 number that we assigned based entirely on externally-discovered sources, instead of being prompted by a reserved CVE.

- Steve

From coley at linus.mitre.org Fri Jan 9 21:25:32 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 9 Jan 2009 16:25:32 -0500 (EST)
Subject: [VIM] unverifiable: CVE-2008-5850 / Check Point "SPLAT" issue

All,

A clarification on a Check Point issue that's been going around.

We published CVE-2008-5850 for a Full-Disclosure post by an unknown party who may be selling exploit details for auction.

We've had inconsistent policy on how to handle claims that contain no actionable details. We used to do this for bug auctions, but it was too unwieldy and you never actually knew what was being reported. Lately, we have generally limited this practice to reliable parties - which usually means pre-announcements. This also has its down side (e.g. assigning one generic CVE when multiple issues may be disclosed).

At any rate, the assignment of CVE-2008-5850 probably wasn't consistent with our normal practices. But now the CVE is out, and of course the original Full-Disclosure post is archived in many places.

Unless there is some clear public claim from a reliable party, or otherwise verifiable information is provided, we are marking the CVE as "UNVERIFIABLE."

- Steve

======================================================
Name: CVE-2008-5850
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5850
Acknowledged: unknown
Announced: 20081211
Flaw: unk
Reference: FULLDISC:20081211 Checkpoint Sources plus SPLAT Remote Root Exploit
Reference: URL:http://archives.neohapsis.com/archives/fulldisclosure/2008-12/0343.html
Reference: MLIST:[scadasec] 20081211 Checkpoint Sources plus SPLAT Remote Root Exploit.
Reference: URL:http://news.infracritical.com/pipermail/scadasec/2008-December/002627.html
Reference: MISC:http://packetstormsecurity.org/0812-advisories/checkpwnt-src.txt

** UNVERIFIABLE ** Unspecified vulnerability in the SmartCenter server for Check Point VPN-1 R55 through R65, as used in SecurePlatform, allows remote attackers to change the admin and expert passwords, and possibly have other impact, via unknown vectors involving a TCP session on the Check Point Management Interface (CPMI) port (18190/tcp), aka "SPLAT Remote Root Exploit." NOTE: this issue has no actionable details and was disclosed by a person of unknown reliability who did not coordinate with the vendor. As of 20090109, there has not been an independent public confirmation of this issue by a reliable party. CVE has no additional information regarding whether the original claim was valid or not.

Analysis:
INCLUSION: This was posted anonymously to FULLDISC. There were no disputes or other followup posts on FULLDISC. On a separate mailing list, a third party (Francisco Guerreiro) states that "yes, it IS real." The third party apparently has some subject matter expertise (e.g., see www.linkedin.com/in/francisg). There was one followup (002629.html) from a reliable researcher (Jeremy Brown) who stated that it was an "Interesting post" and did not dispute the original FULLDISC claims. Also, the original FULLDISC post was picked up by packet storm.

WIKI: Note that SPLAT is another name for the Check Point SecurePlatform product. SPLAT is not the name of the exploit code.

From jericho at attrition.org Sat Jan 10 20:27:31 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 10 Jan 2009 20:27:31 +0000 (UTC)
Subject: [VIM] Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11) (fwd)

---------- Forwarded message ----------
From: security curmudgeon
To: Team SHATTER
Cc: bugtraq at securityfocus.com, secalert_us at oracle.com
Date: Sat, 10 Jan 2009 11:11:41 +0000 (UTC)
Subject: Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

Hi Team SHATTER,

Apologies for the very late reply, but I had a question regarding your advisory. I am CC'ing Oracle's security contact in hopes they can also reply with clarification.

: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)
: Details:
: Oracle Database Server provides the SYS.KUPF$FILE_INT package. This
: package contains the procedure GET_FULL_FILENAME which is vulnerable to
: buffer overflow attacks.
:
: Impact:
: Any Oracle database user with EXECUTE privilege on the package
: SYS.KUPF$FILE_INT can exploit this vulnerability. By default, users
: granted EXECUTE_CATALOG_ROLE have the required privilege. Exploitation
: of this vulnerability allows an attacker to execute arbitrary code. It
: can also be exploited to cause DoS (Denial of service) killing the
: Oracle server process.

Cliff notes: SYS.KUPF$FILE_INT.GET_FULL_FILENAME remote overflow, "execute arbitrary code .. also .. cause DoS".

CVE-2008-1820
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

From the Oracle advisory:

DB11 Data Pump Oracle Net Execute on KUPF$FILE_INT No 4.0 Network Low Single None None Partial

Cliff notes: Confidentiality = None. Integrity = None. Availability = Partial.

Summary: Team SHATTER says this is a remote overflow that allows for the execution of arbitrary code (CVSS2 9.0). Oracle says this is a limited DoS condition (CVSS2 4.0). That is a big discrepancy. Based on disclosure history, Team SHATTER has a higher confidence rating and is generally considered more trustworthy than Oracle. As a responsible security professional, I have to assume their research is accurate and their advisory should be taken more seriously than Oracle's.

Any input from either side to help clarify?

- security curmudgeon

p.s. Same exact question and CVSS2 scores for SYS.DBMS_AQJMS_INTERNAL (DB15), CVE-2008-1821, same Oracle CPU.

From cji at attrition.org Wed Jan 14 21:45:33 2009
From: cji at attrition.org (cji)
Date: Wed, 14 Jan 2009 21:45:33 +0000 (UTC)
Subject: [VIM] [bugtraq] Fones Clinic Mart SQL

Hello,

I have been looking into the Fones Clinic Mart SQL Injection vulnerability sent to Bugtraq on 4/14/2008 (http://archives.neohapsis.com/archives/bugtraq/2008-04/0170.html). I believe this is a site specific vulnerability. I could only find two sites that use this software, and they actually both appear to be the same, just hosted on different domains:

http://fc-mart.co.uk/
http://gsmsol.co.uk/fc-mart/

It appears this is a bespoke application developed by http://www.it-sol.co.uk, according to the credit at the bottom of the pages.

Let me know if you have any questions.
Thanks,
Craig Ingram
cji at attrition.org

From jericho at attrition.org Thu Jan 15 01:04:41 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 15 Jan 2009 01:04:41 +0000 (UTC)
Subject: [VIM] Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow (fwd)

---------- Forwarded message ----------
From: security curmudgeon
To: bugtraq at securityfocus.com
Cc: trees at assurent.com, support at bea.com, Oracle Security Alerts
Date: Thu, 15 Jan 2009 01:01:06 +0000 (UTC)
Subject: Re: Assurent VR - Oracle BEA WebLogic Server Apache Connector Buffer Overflow

Hello Assurent & Oracle,

On Tue, 13 Jan 2009, VR-Subscription-noreply at assurent.com wrote:

: Oracle BEA WebLogic Server Apache Connector Buffer Overflow
:
: Reference: http://www.bea.com/weblogic/server/
:
: 2. Vulnerability Summary
:
: A remotely exploitable vulnerability has been discovered in the Apache
: Connector component of Oracle BEA WebLogic Server. Specifically, the
: vulnerability is due to a boundary error when processing incoming HTTP
: requests and can lead to a buffer overflow condition. This boundary
: error can lead to a Denial of Service (DoS) condition for the Apache
: HTTP server.
:
: 3. Vulnerability Analysis
:
: A remote unauthenticated attacker can exploit the vulnerability by
: sending a malicious HTTP request to the target system. A successful
: attack will result in a Denial of Service (DoS) condition for the Apache
: HTTP server, including all Apache-negotiated HTTP traffic to the
: WebLogic Server.
: Reference: https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

According to Assurent, this is a remote overflow that creates a DoS condition. No mention of running arbitrary code.

Oracle's advisory says:

CVSS Severity Score: 10.0 (High)
Attack Range (AV): Network
Attack Complexity (AC): Low
Authentication Level (Au): None
Impact Type: Complete confidentiality, integrity and availability violation
Vulnerability Type: Denial of Service
CVSS Base Score Vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)

So it is a "Denial of Service" but results in a complete compromise of confidentiality, integrity and availability. A 10.0 score typically means remote, unauthenticated execution of attacker-controlled code. Which is correct?

Further, Oracle's advisory says this affects "Security vulnerability in WebLogic plug-ins for Apache, Sun and IIS Web servers", implying this affects multiple plug-ins, not just the one for Apache. The advisory also uses this wording further suggesting three separate plug-ins:

"This vulnerability may impact the availability, confidentiality or integrity of WebLogic Server applications, which use the Apache, Sun or IIS web server configured with the WebLogic plug-in for Apache, Sun or IIS respectively."

Is it really one plug-in that works with all three? Or does this only affect an Apache plug-in?

From jericho at attrition.org Thu Jan 15 01:05:22 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 15 Jan 2009 01:05:22 +0000 (UTC)
Subject: [VIM] Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11) (fwd)

---------- Forwarded message ----------
From: security curmudgeon
To: Team SHATTER
Cc: bugtraq at securityfocus.com, secalert_us at oracle.com
Date: Sat, 10 Jan 2009 11:11:41 +0000 (UTC)
Subject: Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

Hi Team SHATTER,

Apologies for the very late reply, but I had a question regarding your advisory. I am CC'ing Oracle's security contact in hopes they can also reply with clarification.

: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)
: Details:
: Oracle Database Server provides the SYS.KUPF$FILE_INT package. This
: package contains the procedure GET_FULL_FILENAME which is vulnerable to
: buffer overflow attacks.
:
: Impact:
: Any Oracle database user with EXECUTE privilege on the package
: SYS.KUPF$FILE_INT can exploit this vulnerability. By default, users
: granted EXECUTE_CATALOG_ROLE have the required privilege. Exploitation
: of this vulnerability allows an attacker to execute arbitrary code. It
: can also be exploited to cause DoS (Denial of service) killing the
: Oracle server process.

Cliff notes: SYS.KUPF$FILE_INT.GET_FULL_FILENAME remote overflow, "execute arbitrary code .. also .. cause DoS".

CVE-2008-1820
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

From the Oracle advisory:

DB11 Data Pump Oracle Net Execute on KUPF$FILE_INT No 4.0 Network Low Single None None Partial

Cliff notes: Confidentiality = None. Integrity = None. Availability = Partial.

Summary: Team SHATTER says this is a remote overflow that allows for the execution of arbitrary code (CVSS2 9.0). Oracle says this is a limited DoS condition (CVSS2 4.0). That is a big discrepancy. Based on disclosure history, Team SHATTER has a higher confidence rating and is generally considered more trustworthy than Oracle. As a responsible security professional, I have to assume their research is accurate and their advisory should be taken more seriously than Oracle's.

Any input from either side to help clarify?

- security curmudgeon

p.s. Same exact question and CVSS2 scores for SYS.DBMS_AQJMS_INTERNAL (DB15), CVE-2008-1821, same Oracle CPU.
From jericho at attrition.org Thu Jan 15 06:46:51 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 15 Jan 2009 06:46:51 +0000 (UTC)
Subject: [VIM] iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability
In-Reply-To: <496D256A.5090502@idefense.com>
References: <496D256A.5090502@idefense.com>

iDefense, CVE or Oracle;

The two iDefense advisories present a bit of confusion over the CVE assignments and number of vulnerabilities. There appear to be two vulnerabilities (login.php and common.php) that may have 3 CVE numbers assigned. Could anyone clarify?

First advisory, mail list post and original jibe suggesting common.php issue is CVE-2008-5449:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0111.html

The vulnerability is in a function of common.php which is called from the login.php page.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-5449 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769

The vulnerability is in a function of common.php which is called from the login.php page.

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-5449 to this issue.

Second advisory, mail list post and original do not match, mentioning CVE-2008-4006 and then CVE-2008-5448 for what appear to be login.php and common.php. This implies that common.php may have had two CVE assigned:

iDefense Security Advisory 01.13.09: Oracle Secure Backup Administration Server login.php Command Injection Vulnerability
http://archives.neohapsis.com/archives/bugtraq/2009-01/0110.html

The first vulnerability is in "php/login.php". The second vulnerability is in "php/common.php".

The Common Vulnerabilities and Exposures (CVE) project has assigned the name CVE-2008-4006 to this issue.

Oracle Secure Backup Administration Server login.php Command Injection Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768

The first vulnerability is in "php/login.php". The second vulnerability is in "php/common.php".

The Common Vulnerabilities and Exposures (CVE) project has assigned the names CVE-2008-4006 and CVE-2008-5448 to this issue.

Any clarification would be appreciated.

From jericho at attrition.org Fri Jan 16 00:40:11 2009
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 16 Jan 2009 00:40:11 +0000 (UTC)
Subject: [VIM] Oracle CPU Jan 2009 Advisories. (fwd)

Per the researcher, two of his three advisories do not correspond to the recent CPU:

---------- Forwarded message ----------
From: Alexandr Polyakov
To: security curmudgeon
Date: Thu, 15 Jan 2009 18:50:45 +0300
Subject: Re[2]: Oracle CPU Jan 2009 Advisories.

> Hi Alexandr,
> : Advisories for Oracle CPU January 2009 vulnerabilities Attached.
> DSECRG-09-002__Oracle_BEA_Weblogic_10_Linked__SS_vulnerability.txt
> DSECRG-09-003__Oracle_Database_11g__EXFSYS_plsql_injection_vulnerability.txt
> Do you know which CVE these correspond with?

These advisories are under the Security-In-Depth program and they will be fixed in future releases but are not so critical as to make a patch in this CPU.

Oracle says:

"I would like to clarify that the bug has been fixed in the future release of WLS. We do not plan to include this fix in a CPU as the issue reported was a problem in a sample application and we do not believe that presents a vulnerability for production applications."

So Oracle said that we can disclose these advisories now.
Polyakov Alexandr
Information Security Analyst

From jericho at attrition.org Sat Jan 17 10:59:07 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 17 Jan 2009 10:59:07 +0000 (UTC)
Subject: [VIM] Comment about Milw0rm 5724

On Wed, 4 Jun 2008, George A. Theall wrote:

(note the date of the original post)

: In case anyone's interested, I have verified the issue in milw0rm 5724.
: The catch, though, is that the affected application is not a Drupal
: module as listed in DreamTurk's advisory but an older incarnation of
: Lifetype known as pLog. I tested against version 1.0.1, which you can
: find in the project archives here:
:
: http://sourceforge.net/project/showfiles.php?group_id=83964&package_id=86556
:
: P.S. I noticed that SecurityFocus seems to have completely removed
: Bugtraq ID 29495, which had been created for this issue. Does anyone
: know if this is because of confusion about the "vendor"?

BID 29495 is public again and reflects 'LifeType'. Not sure when it was restored, presumably shortly after this post.

From theall at tenablesecurity.com Sat Jan 17 16:10:30 2009
From: theall at tenablesecurity.com (George A. Theall)
Date: Sat, 17 Jan 2009 11:10:30 -0500
Subject: [VIM] Comment about Milw0rm 5724
Message-ID: <1F5163D4-2D83-4675-BE0C-189F7BDDEAB7@tenablesecurity.com>

On Jan 17, 2009, at 5:59 AM, security curmudgeon wrote:

>
> On Wed, 4 Jun 2008, George A. Theall wrote:
>
> (note the date of the original post)
>
> : In case anyone's interested, I have verified the issue in milw0rm 5724.
> : The catch, though, is that the affected application is not a Drupal
> : module as listed in DreamTurk's advisory but an older incarnation of
> : Lifetype known as pLog. I tested against version 1.0.1, which you can
> : find in the project archives here:
> :
> : http://sourceforge.net/project/showfiles.php?group_id=83964&package_id=86556
> :
> : P.S. I noticed that SecurityFocus seems to have completely removed
> : Bugtraq ID 29495, which had been created for this issue. Does anyone
> : know if this is because of confusion about the "vendor"?
>
> BID 29495 is public again and reflects 'LifeType'. Not sure when it was
> restored, presumably shortly after this post.

It seems to have been modified in June 2008. Probably in response to this.

As for the product name in the Bugtraq entry, I'm not sure why it doesn't mention the older incarnation; eg, pBlog 1.0.1. They appear to have received some vendor confirmation; there's no link to it, though, so perhaps it was a private email.

George
-- 
theall at tenablesecurity.com

From jericho at attrition.org Mon Jan 19 22:05:51 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 19 Jan 2009 22:05:51 +0000 (UTC)
Subject: [VIM] CVE-2008-2991 Adobe RoboHelp - XSS or SQLi?

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-2991

Cross-site scripting (XSS) vulnerability in Adobe RoboHelp Server 6 and 7 allows remote attackers to inject arbitrary web script or HTML via vectors related to the Help Errors log.

BID 30137 calls it SQLi, no mention of XSS.
FRSIRT ADV-2008-2026 lists both.
SecurityTracker 1020442 mentions XSS only.
Secunia 31001 mentions both XSS and SQLi.
OSVDB 46867 is the same as CVE, calling it XSS.

Checking the Adobe bulletin, they mention SQLi and their timeline points out:

July 9, 2008 Bulletin updated to include SQL Injection issue

The original research also says SQLi and likely is the original source:

http://archives.neohapsis.com/archives/fulldisclosure/2008-07/0092.html

[..]
2. Vulnerability Summary

There exists an SQL injection vulnerability in Adobe RoboHelp Server that allows attackers to inject and execute arbitrary SQL statements. The SQL would run against the RoboHelp back-end database within the security context of the application's database connection.
[..]

Recommend updating CVE-2008-2991 to reflect both. I'll be creating an additional OSVDB for this issue most likely.

From jericho at attrition.org Tue Jan 20 10:34:12 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 20 Jan 2009 10:34:12 +0000 (UTC)
Subject: [VIM] Remote Cisco IOS FTP exploit (fwd)

---------- Forwarded message ----------
From: security curmudgeon
To: Andy Davis
Cc: bugtraq at securityfocus.com, psirt at cisco.com
Date: Tue, 20 Jan 2009 10:33:26 +0000 (UTC)
Subject: Re: Remote Cisco IOS FTP exploit

(Note the date, late reply I know..)

On Tue, 29 Jul 2008, Andy Davis wrote:

: The IOS FTP server vulnerabilities were published in an advisory by
: Cisco in May 2007. The FTP server does not run by default, it is not
: widely used and has since been removed from new versions of IOS.
: Therefore, I took the decision to release this exploit code in order to
: show that IOS can be reliably exploited to provide remote level 15 exec
: shell access. This clearly demonstrates that patching your router is
: just as important as patching your servers.
: Cisco IOS FTP server remote exploit by Andy Davis 2008
:
: Cisco Advisory ID: cisco-sa-20070509-iosftp - May 2007

From the Cisco advisory:

The Cisco IOS FTP Server feature contains multiple vulnerabilities that can result in a denial of service (DoS) condition, improper verification of user credentials, and the ability to retrieve or write any file from the device filesystem, including the device's saved configuration. This configuration file may include passwords or other sensitive information.

None of those sound like "remote overflow" to me. If the exploit code included in this mail is accurate, that means the Cisco advisory used crafty wording to hide the nature of the bug.
Given they scored CSCek55259 / CVE-2007-2586 as 10.0 (and the other issue 2.0), that means that "improper verification of user credentials" and "Improper authorization checking in IOS FTP server" is really "remote overflow that allows unauthenticated code execution".

Andy or Cisco, could you confirm?

From jericho at attrition.org Tue Jan 20 23:09:26 2009
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 20 Jan 2009 23:09:26 +0000 (UTC)
Subject: [VIM] CVE-2009-0125 (fwd)

Renaud has contacted CVE about this, posting here for others.

---------- Forwarded message ----------
> From: Renaud Deraison
> Date: January 18, 2009 10:43:29 PM CEST
>
> I wanted to dispute the existence of CVE-2009-0125 (libnasl misusing the
> return value of DSA_do_verify()) : while we do misuse this function (this is
> a bug), it has absolutely no security ramification.
>
> To give you some context, the function DSA_do_verify() is called by the nasl
> function dsa_do_verify() which is used when Nessus attempts to log into a
> remote SSH server.
>
> If an attacker were to control a rogue SSH server, then he would be better
> off submitting a perfectly valid signature instead of a malformed one, and we
> would log into it anyways. Hence, there is absolutely no security risk
> associated with the misuse of this function.

From str0ke at milw0rm.com Tue Jan 27 16:08:34 2009
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 27 Jan 2009 10:08:34 -0600
Subject: [VIM] [Fwd: NewsCMSlite Insecure Cookie Handling]
Message-ID: <497F3182.9070203@milw0rm.com>

Already found?

http://archive.cert.uni-stuttgart.de/bugtraq/2006/05/msg00529.html

-------------- next part --------------
An embedded message was scrubbed...
From: admin at bugreport.ir
Subject: NewsCMSlite Insecure Cookie Handling
Date: Tue, 27 Jan 2009 10:30:53 +0330
Size: 3377
Url: http://www.attrition.org/pipermail/vim/attachments/20090127/a37e83a0/attachment.eml

From coley at linus.mitre.org Wed Jan 28 00:18:38 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 27 Jan 2009 19:18:38 -0500 (EST)
Subject: [VIM] [Fwd: NewsCMSlite Insecure Cookie Handling]
In-Reply-To: <497F3182.9070203@milw0rm.com>
References: <497F3182.9070203@milw0rm.com>

On Tue, 27 Jan 2009, str0ke wrote:

> Already found?
>
> http://archive.cert.uni-stuttgart.de/bugtraq/2006/05/msg00529.html

Agree. Too bad we created CVE-2009-0300 before seeing this :-( (CVE-2006-2636 is correct).

- Steve

From coley at linus.mitre.org Fri Jan 30 23:50:19 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 30 Jan 2009 18:50:19 -0500 (EST)
Subject: [VIM] SOBI2 showbiz SQL injection - false, or site-specific

http://www.milw0rm.com/exploits/7841

BID:33378 says the vendor disputed.

I downloaded and grepped for "showbiz" and "bid" and didn't find anything.

Maybe this was some site-specific modification?

- Steve

From theall at tenablesecurity.com Sat Jan 31 00:57:08 2009
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 30 Jan 2009 19:57:08 -0500
Subject: [VIM] SOBI2 showbiz SQL injection - false, or site-specific

On Jan 30, 2009, at 6:50 PM, Steven M. Christey wrote:

> http://www.milw0rm.com/exploits/7841
>
> BID:33378 says the vendor disputed.
>
> I downloaded and grepped for "showbiz" and "bid" and didn't find
> anything.
>
> Maybe this was some site-specific modification?

When I looked last week, the site mentioned in the milw0rm advisory appeared to be running SOBI2 RC 2.8.2. I have 2.8.4 as well as 2.9.1.0; there is no mention in either of 'showbiz'. And if you google for 'inurl:option inurl:com_sobi2 inurl:showbiz', you only turn up that one site.

I initially wasn't sure if the issue affected only older versions or it was site-specific, but with the vendor disputing the report, I'm inclined to believe them.

George
-- 
theall at tenablesecurity.com