From lyger at attrition.org Thu Sep 3 03:06:19 2009
From: lyger at attrition.org (lyger)
Date: Thu, 3 Sep 2009 03:06:19 +0000 (UTC)
Subject: [VIM] [MIL 8718] Douran Portal Security
In-Reply-To: <4A9BED67.7060308@milw0rm.com>
References: <4A9BED67.7060308@milw0rm.com>
Message-ID:

Updated in OSVDB 54650, 54651, 54652

On Mon, 31 Aug 2009, str0ke wrote:

": " 8718 was fixed with releases 3.9.5.01 and 3.9.6.0.
": "
": " http://www.douran.com/
": "

From coley at linus.mitre.org Thu Sep 3 23:38:43 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 3 Sep 2009 19:38:43 -0400 (EDT)
Subject: [VIM] seclists.org/bugtraq gone?
Message-ID:

"sorry, that document is gone or never existed."

only affects a handful of CVE URLs, but they were often for *old* Bugtraq posts...

- Steve

From jericho at attrition.org Thu Sep 3 23:41:41 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 3 Sep 2009 23:41:41 +0000 (UTC)
Subject: [VIM] seclists.org/bugtraq gone?
In-Reply-To:
References:
Message-ID:

Was twitter activity earlier, suggesting ISP troubles. Apparently http://insecure.org/ was not answering. It is now, but appears to have issues with images.

I assume it will all be back soon.

On Thu, 3 Sep 2009, Steven M. Christey wrote:

:
: "sorry, that document is gone or never existed."
:
: only affects a handful of CVE URLs, but they were often for *old* Bugtraq
: posts...
:
: - Steve
:

From coley at linus.mitre.org Fri Sep 4 00:03:06 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 3 Sep 2009 20:03:06 -0400 (EDT)
Subject: [VIM] SourceForge kills Changelog URLs
In-Reply-To:
References:
Message-ID:

All,

Jericho and I got a quick response from SourceForge and they were able to restore the URLs within a couple days. I hand-checked a couple - some going back to 2005 - and they seem to be working again.
On an ironic note, apparently we temporarily disabled our www.cve.mitre.org alias and did the same thing to untold numbers of people, including hundreds of advisories from a major software vendor :-/

- Steve

From che at secunia.com Fri Sep 4 09:08:32 2009
From: che at secunia.com (Carsten H. Eiram)
Date: Fri, 04 Sep 2009 11:08:32 +0200
Subject: [VIM] SA34559 / CVE-2007-4475 / OSVDB 53066
Message-ID: <1252055312.8408.16.camel@ts-hq-2>

The vulnerability is actually not in the EAI WebViewer3D ActiveX control, but in MonikerUtil_dll.dll when creating monikers based on a supplied file path. The ActiveX control's "SaveViewToSessionFile()" method is, therefore, just an attack vector.

SAP initially addressed the vulnerability by preventing the ActiveX control from being instantiated via IE, but since the vulnerability is not within that particular ActiveX control, there could be other vectors (we didn't identify any, though).

During analysis, I also noticed two more vulnerabilities in MonikerUtil_dll.dll, which were reachable via other provided properties and methods of the EAI WebViewer3D ActiveX control.

SAP was informed about the core problem of the original vulnerability along with the two new vulnerabilities and had the MonikerUtil_dll.dll software vendor fix them after which new versions of SAP GUI were released + a new SAP note issued.

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist

Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark

Phone +45 7020 5144
Fax +45 7020 5145

From jericho at attrition.org Fri Sep 4 18:59:41 2009
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 4 Sep 2009 18:59:41 +0000 (UTC)
Subject: [VIM] Seclists.org still down (fwd)
Message-ID:

---------- Forwarded message ----------
From: Ron
To: Juha-Matti Laurio
Cc: funsec at linuxbox.org
Date: Fri, 04 Sep 2009 13:56:35 -0500
Subject: Re: [funsec] Seclists.org still down

One of the servers it's hosted on went offline, and Fyodor is incommunicado this week to get it back up. Bad timing. :)

Ron

On 09/04/2009 10:24 AM, Juha-Matti Laurio wrote:
> And
> http://nmap.org/ says 403 Forbidden
> You don't have permission to access / on this server.
>
> http://insecure.org/ is working, but pictures are hosted at http://nmap.org/5/screenshots/....
> and doesn't work...
>
> Nmap.org, insecure.org and seclists.org are hosted by Titan Networks (3 IPs).
>
> Juha-Matti
>
> Juha-Matti Laurio [juha-matti.laurio at netti.fi] wrote:
>> http://seclists.org/
>>
>> says "Sorry, that document is gone or never existed"
>>
>> However, there are single (empty) directories
>> http://seclists.org/fulldisclosure/
>> and
>> http://seclists.org/bugtraq/
>> reporting Apache/2.2.2 (Fedora) platform.
>>
> _______________________________________________
> Fun and Misc security discussion for OT posts.
> https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
> Note: funsec is a public and open mailing list.
From jericho at attrition.org Sat Sep 5 23:33:18 2009
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 5 Sep 2009 23:33:18 +0000 (UTC)
Subject: [VIM] OT Humor: Ridiculous QOTD as spotted by Alexander Sotirov
Message-ID:

Sotirov found this gem of a quote, take note of the first line in bullet 4:

http://lorelle.wordpress.com/2009/09/04/old-wordpress-versions-under-attack/

[..]

4. WordPress is Not Secure: WordPress is incredibly secure and monitored constantly by experts in web security. This attack was well anticipated and so far, WordPress 2.8.4 is holding. If necessary, WordPress will immediately release a update with further security improvements. WordPress is used by governments, huge corporations, and me, around the world. Millions of bloggers are using WordPress.com. Have faith they are working overtime to monitor this situation and protect your blog.

[..]

From coley at linus.mitre.org Sun Sep 6 22:45:13 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sun, 6 Sep 2009 18:45:13 -0400 (EDT)
Subject: [VIM] Joomla! developer: Being "The Vendor" for Security Issues
Message-ID:

This is basically a commentary on typical VDB practices shared by most of us. The Joomla! folks have a couple solid points, especially on proper distinction of third-party extensions from core, and their desire for accuracy.

http://community.joomla.org/blogs/community/1029-on-being-qthe-vendorq.html

I'm thinking on a constructive response. The apparent practice of removing vulnerable extensions from their directory is probably adversely affecting all of us - certainly CVE, who tries to verify that an extension is not just site-specific before we create an entry.

I ran across this while trying to track down the 1,768th Aria/S at BUN posting of questionable utility from 2008.
- Steve

From jericho at attrition.org Mon Sep 7 00:58:59 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 7 Sep 2009 00:58:59 +0000 (UTC)
Subject: [VIM] seclists update
Message-ID:

http://twitter.com/nmap/statuses/3808846928

nmap Sorry for the down time. We suffered a hard drive failure on our main server and are working on recovery+upgrade now.

From jericho at attrition.org Mon Sep 7 21:16:07 2009
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 7 Sep 2009 21:16:07 +0000 (UTC)
Subject: [VIM] seclists.org is back
Message-ID:

http://twitter.com/nmap/statuses/3825547383

nmap Yay, we're back online! Just in time for a lazy Labor Day afternoon of BBQ and port scanning.

From jpbradle at us.ibm.com Tue Sep 8 02:08:37 2009
From: jpbradle at us.ibm.com (John P Bradley)
Date: Mon, 7 Sep 2009 22:08:37 -0400
Subject: [VIM] AUTO: John P Bradley is out of the office. (returning 09/14/2009)
Message-ID:

I am out of the office until 09/14/2009.

For any urgent matters, please contact Scott Moore or Vernon Jackson.

Note: This is an automated response to your message "[VIM] seclists.org is back" sent on 9/7/09 17:16:07.

This is the only notification you will receive while this person is away.

From fyodor at insecure.org Tue Sep 8 08:56:02 2009
From: fyodor at insecure.org (Fyodor)
Date: Tue, 8 Sep 2009 01:56:02 -0700
Subject: [VIM] seclists.org/bugtraq gone?
In-Reply-To:
References:
Message-ID: <20090908085602.GC13174@syn.titan.net>

On Thu, Sep 03, 2009 at 11:41:41PM +0000, security curmudgeon wrote:
>
> Was twitter activity earlier, suggesting ISP troubles. Apparently
> http://insecure.org/ was not answering. It is now, but appears to have
> issues with images.
>
> I assume it will all be back soon.
Yes, we suffered a hard drive failure while I was off in the Nevada desert at Burning Man :(. Everything should be up again now.

Cheers,
-F

From jericho at attrition.org Thu Sep 10 00:10:30 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 10 Sep 2009 00:10:30 +0000 (UTC)
Subject: [VIM] "Irresponsible Disclosure"
Message-ID:

http://www.caughq.org/advisories/disclosure.html

Computer Academic Underground Disclosure Policy

"Irresponsible Disclosure"

All the rage these days seems to be practicing the so-called "Responsible Disclosure" route of vulnerability disclosure, wherein Vendors are hand-held through the process of being notified of their bugs, spoon-fed the vulnerability information, and allowed months and months of time for them to create, test, and release a patch. We think that's bullshit. We don't have the time, nor the desire, to hold a Vendor's hand during the process of fixing their crappy product.

Full-Disclosure, hereafter referred to as "Irresponsible Disclosure", specifically to mock the existence of this other sluggish and resource-intensive method of vulnerability disclosure which has been brought to the security research community and branded as "Responsible Disclosure" by the very Vendors that have the most face to lose, is the official policy of the Computer Academic Underground.

Irresponsible Disclosure has been proved time and time again to not only allow consumers with vulnerable products to immediately test those products to identify if they are in fact vulnerable, but has also been proved to cause Vendors to develop and release patches much more diligently. It is folly to assume that because a vulnerability has not been publicly disclosed it is not being exploited in the wild.
By causing Vendors to patch more quickly, the window of opportunity for exploitation is drastically shortened, and therefore is better serving those who are vulnerable rather than the vendors who introduced the vulnerability to the consumers in the first place.

Responsible Disclosure is analogous to Gun Law; When you take away the guns from law-abiding people, the only ones with guns are the criminals. Such is the case for vulnerability information; When you don't allow the public to have the information, the only ones who likely have it are the malicious folk who want to keep it private and use it for nefarious purposes.

In all seriousness though, the Computer Academic Underground has no official disclosure policy. Each member of CAU makes their own decisions about what and when to disclose, made on a case-by-case basis regarding individual vulnerabilities, the impact they pose, and the consumers and vendors involved.

From jericho at attrition.org Fri Sep 11 00:24:20 2009
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 11 Sep 2009 00:24:20 +0000 (UTC)
Subject: [VIM] CVE-2009-3111 (FreeRadius) is VulnDisco material
Message-ID:

http://twitter.com/elegerov/status/3890083169

freeradius bug is fixed - http://bit.ly/3oyBXF

Which links to http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3111

From VulnDisco:

Name: FreeRADIUS 1.1.7 DoS
Status: 0day
Details: The exploit crashes 'radiusd' daemon. Found with ProtoVer testsuite.
Listener: not necessary
Platform: Linux x86
Vulndisco: 7.6

From jericho at attrition.org Thu Sep 17 19:07:24 2009
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 17 Sep 2009 19:07:24 +0000 (UTC)
Subject: [VIM] Recent Horde vuln..
Message-ID:

OSVDB 58107 / Secunia 36665 / (think Steve made CVE last night?)
http://twitter.com/i0n1c/statuses/4004670780

i0n1c Horde released a security update today with my vulnerability in it. Release announcement downplays the impact of the arbitrary file overwrite
Stefan Esser about 4h ago via Nambu

http://twitter.com/i0n1c/statuses/4004707181

i0n1c In any Horde application using image fileupload form field it is possible to upload/overwrite arbitrary files = arbitrary PHP code execution
Stefan Esser about 4h ago via Nambu

From str0ke at milw0rm.com Fri Sep 18 16:18:28 2009
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 18 Sep 2009 11:18:28 -0500
Subject: [VIM] Patch for BigAnt Server Vulnerabilities
Message-ID: <4AB3B2D4.1000405@milw0rm.com>

Hello,

This is Chris from BigAntSoft. We released a patch for the issue reported on your website http://www.milw0rm.com/exploits/9690 regarding the BigAnt Messenger AntServer Module Buffer Overflow Vulnerability. The new server version can be downloaded from the link below.

www.bigantsoft.com/software/BigAntServer_Enu_Setup0917patch.exe

Should you have any questions, please feel free to let me know.

Cheers!

Best Regards,
Chris

From coley at linus.mitre.org Fri Sep 25 21:17:45 2009
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 25 Sep 2009 17:17:45 -0400 (EDT)
Subject: [VIM] milw0rm overlaps - 4696 and 9284
Message-ID:

FYI, 4696 and 9284 both discuss the same vectors, although the versions are slightly different.

Hey str0ke, on a side note, what's your practice of handling dupes these days? Do you change the dupe so that it mentions the original, or do you just blank it out entirely? Think I've seen it happen both ways.

- Steve