From theall at tenablesecurity.com Sun Jan 3 01:57:29 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Sat, 2 Jan 2010 20:57:29 -0500
Subject: [VIM] e-topbiz Slide Popups 1 php (Auth Bypass) SQL Injection Vulnerabilit
Message-ID: <3B03D650-18DE-49DC-A04F-93F0004359EA@tenablesecurity.com>

Exploit DB #10832 / Bugtraq 37540 looks like a dup of an issue reported in November 2008 by D3ViL iR at Q and covered by CVE-2008-6264 / Bugtraq 32171 / OSVDB 52278. The difference is in the script name -- the earlier ids all talk about 'admin.php' while SecurityFocus in the newer BID says 'slidepop1.php'. If you look at Exploit DB 10832, though, 'slidepop1.php' is actually listed as part of the product URL, not the affected script.

George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Sun Jan 3 03:01:31 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Sat, 2 Jan 2010 22:01:31 -0500
Subject: [VIM] QuizShock v1.5.5 XSS Vulnerability
Message-ID:

Exploit DB 10854 / Bugtraq 37552 looks like the same issue reported in April 2007 by John Martinelli and covered by CVE-2007-1905 / Bugtraq 23368 / OSVDB 34777 -- both involve the 'forward_to' parameter of the 'auth.php' script in QuizShock, although indoushka's recent advisory covers an earlier version (1.5.5) compared with Martinelli (1.6.1).

George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Tue Jan 5 14:44:02 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 5 Jan 2010 09:44:02 -0500
Subject: [VIM] W-Agora v.4.2.1 Multiple Vulnerabilities
Message-ID: <730E678A-21CF-463B-A549-225F33219228@tenablesecurity.com>

Exploit DB 10999 / Bugtraq 37610 concern a file inclusion vulnerability in w-agora 4.2.1 and include the following PoC:

http://127.0.0.1/w-agora/rss.php?site=http127001wagora&bn=http://127.0.0.1/c.txt ?
Here's the code from the affected file, as included in the distribution file included with the Exploit DB advisory:

----- snip, snip, snip -----
// whitelist filter: strip every character that is not alphanumeric or an underscore
$bn = preg_replace("/[^a-zA-Z0-9_]/", "", getFormVar('bn'));
$site = preg_replace("/[^a-zA-Z0-9_]/", "", getFormVar('site'));
...
// both branches build the include path from $cfg_dir plus the filtered name
if (empty ($bn) ) {
    $site = basename($site);
    include ("$cfg_dir/site_${site}.$ext");
} else {
    $bn = basename($bn);
    include ("$cfg_dir/$bn.$ext");
}
----- snip, snip, snip -----

[There are two calls before this snippet to 'include()', but tracing through those, I don't see any place where the 'bn' parameter could be used to include PHP code.]

The preg_replace() calls sanitize '$bn' and '$site' by removing any characters that aren't alphanumeric or an underscore, so I don't see how indoushka's PoC can work. Nor do I see how this could be a *remote* file include attack, as the PoC suggests and SecurityFocus claims.

George
--
theall at tenablesecurity.com

From deapesh at gmail.com Thu Jan 7 18:55:36 2010
From: deapesh at gmail.com (Deapesh Misra)
Date: Thu, 7 Jan 2010 13:55:36 -0500
Subject: [VIM] IBM Apar IO11778
Message-ID: <22b0e07b1001071055j12b68285x84dfe4cd3be04f3@mail.gmail.com>

Hi,

Not too sure if this is the list to ask such questions, but anyway here it goes:

Is this recent update:

IO11778: NFS MOUNTD INFORMATION DISCLOSURE VULNERABILITY
(http://www-01.ibm.com/support/docview.wss?uid=swg1IO11778)

for CVE-1999-1225?

thanks,
Deapesh.

From jericho at attrition.org Sat Jan 16 01:23:31 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 16 Jan 2010 01:23:31 +0000 (UTC)
Subject: [VIM] Oracle intentionally requesting duplicate CVEs?
Message-ID:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html

Drop down to the BEA Product Suite matrix, first entry is for CVE-2010-0079 covering the JRockit component with 'See Note 1':

Notes:
Sun MicroSystems released a Security Alert in November 2009 to address multiple vulnerabilities affecting the Sun Java Runtime Environment. Oracle CVE-2010-0079 refers to the advisories that were applicable to JRockit from the Sun Alert. The CVSS score of this vulnerability CVE# reflects the highest among those fixed in JRockit. The score is calculated by National Vulnerability Database (NVD), not Oracle. The complete list of all advisories addressed in JRockit under CVE-2010-0079 is as follows: CVE-2009-3867, CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873, CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877.

--

This wording seems pretty clear that Oracle takes 2010-0079 to be a 'summary' CVE that covers ten previously assigned CVE candidates.

This seems to go against the publicly defined CVE assigning process.

From coley at linus.mitre.org Sat Jan 16 02:17:14 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 15 Jan 2010 21:17:14 -0500 (EST)
Subject: [VIM] Oracle intentionally requesting duplicate CVEs?
In-Reply-To:
References:
Message-ID:

This was an accident by Oracle, which I've already clarified with them. The intention was to use the JRE CVE that had the highest CVSS score.

Duplicate assignments happen sometimes. Generally, I can handle them with a "** REJECT **" statement that discourages CVE consumers and vendors from using them. In this case, interestingly enough, because CVE-2010-0079 effectively doubles as a patch ID, removing or "rejecting" it would limit the utility of the CVE for Oracle's customers. So I think we kinda have to live with the dupe.
- Steve

On Sat, 16 Jan 2010, security curmudgeon wrote:

> http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
> Drop down to the BEA Product Suite matrix, first entry is for CVE-2010-0079
> covering the JRockit component with 'See Note 1':
>
> Notes:
> Sun MicroSystems released a Security Alert in November 2009 to address
> multiple vulnerabilities affecting the Sun Java Runtime Environment. Oracle
> CVE-2010-0079 refers to the advisories that were applicable to JRockit from
> the Sun Alert. The CVSS score of this vulnerability CVE# reflects the highest
> among those fixed in JRockit. The score is calculated by National
> Vulnerability Database (NVD), not Oracle. The complete list of all advisories
> addressed in JRockit under CVE-2010-0079 is as follows: CVE-2009-3867,
> CVE-2009-3868, CVE-2009-3869, CVE-2009-3871, CVE-2009-3872, CVE-2009-3873,
> CVE-2009-3874, CVE-2009-3875, CVE-2009-3876, CVE-2009-3877.
>
> --
>
> This wording seems pretty clear that Oracle takes 2010-0079 to be a 'summary'
> CVE that covers ten previously assigned CVE candidates.
>
> This seems to go against the publicly defined CVE assigning process.
>

From jericho at attrition.org Sun Jan 24 11:06:57 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sun, 24 Jan 2010 11:06:57 +0000 (UTC)
Subject: [VIM] [OSVDB Mods] Internet explorer 6, 7 and 8 URL Validation Vulnerability (fwd)
Message-ID:

(sent to VIM with permission from lostmon.
He indicated he is updating his blog with these dates as well)

---------- Forwarded message ----------
From: Lostmon lords
To: security curmudgeon
Date: Sun, 24 Jan 2010 11:24:27 +0100
Subject: Re: [OSVDB Mods] Internet explorer 6, 7 and 8 URL Validation Vulnerability

Hi Brian:

The time line for this vulnerability is:

discovered 05-11-2009
Reported to vendor 15-11-2009
vendor patch 21-01-2010

The first initial contact was 15-11-2009 and they accepted it in the case manager on 19-11-2009.

I am planning to disclose details about it on 09-02-2010.

Now I continue testing it with the patch because I think that not all is patched, and now the patch has created two new possible vectors of attack.

Thnx for interesting :)

2010/1/24 security curmudgeon :
>
> Hi Lostmon,
>
> Do you remember when you disclosed this to Microsoft?
>
> Thanks,
>
> brian
> OSVDB.org

From jericho at attrition.org Sat Jan 30 00:37:13 2010
From: jericho at attrition.org (security curmudgeon)
Date: Sat, 30 Jan 2010 00:37:13 +0000 (UTC)
Subject: [VIM] VDB nightmares come to life
Message-ID:

[At first, I thought this was 1000 new and was curious how VDBs would handle. Reading the .dat file though, says that they are *mostly* compiled from advisories and milw0rm. Ugh..]

http://ha.ckers.org/blog/20100129/large-list-of-rfis-1000/

Large List of RFIs (1000+)

I started on this project over a year ago, and then I stopped, and then I started it again, and then I stopped again, and finally today, I mostly got it finished (or as far as I'm willing to take it for today). I wanted to create a master list of a mess load of RFI (remote file include) attacks. I got the list from various sources and I'm sure I'm missing a ton so yes, if you think there's some I've missed, go ahead and forward them on to me and I'll add them in. You can download the full list here (1002 RFIs at the time of writing). But because of how I built this it's got a few issues.
The first one is that it doesn't take into account the path to the vulnerable function. So if it's http://www.vulnerable.com/bob/something. you have to add that in. The second issue is that sometimes the trailing question mark is needed but it's not added in the string. But you may require the additional question mark so that you don't get /r57.txt.somegarbage but rather /r57.txt?.somegarbage which will work. So if you use this, you may have to add in your own question marks after your RFI URL. Anyway, thoughts are welcome, and big thanks for the hundreds of people who found these in the first place!