From theall at tenablesecurity.com Mon May 10 18:14:46 2010
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 10 May 2010 14:14:46 -0400
Subject: [VIM] Slooze PHP Web Photo Album v0.2.7 Command Execution Vulnerability
Message-ID: <61D17F66-F8F8-448C-9062-5794BA543244@tenablesecurity.com>

Exploit DB 12515 / Bugtraq 39948 looks bogus to me.

Sn!pEr.S!Te hacker's advisory has this:

    system('del "' . $this->cachePath . $file . '"'); /* Windows platforms */ line :1003

Yet if you look at the actual code, either linked in via the Exploit DB
advisory or in version 0.2.7 from SourceForge directly, here's what you
find around that line:

    /* private: clear the cache */
    function cacheClear() {
      if ($handle = opendir($this->cachePath)) {
        while ($file = readdir($handle)) {
          /* if is cache file */
          if(ereg('.+\.tmp$', $file)) {
            unlink($this->cachePath . $file);
            // system('del "' . $this->cachePath . $file . '"'); /* Windows platforms */
          }
        }
        closedir($handle);
      }
    }

Looking at the larger snippet, it doesn't look exploitable as
Sn!pEr.S!Te hacker suggests, does it?

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Tue May 18 17:14:51 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 18 May 2010 13:14:51 -0400 (EDT)
Subject: [VIM] www.frsirt.com links broken
Message-ID:

I guess it's been long overdue, but the www.frsirt.com URLs for
FRSIRT/VUPEN records are now redirecting to google.fr.

I coulda sworn I cleaned these up in CVE when we changed our reference
names to "VUPEN" but instead we're looking at about 13,800 URL changes...
ouch. Simple search-and-replace seems to take care of it.

- Steve

From team at vupen.com Tue May 18 22:36:26 2010
From: team at vupen.com (VUPEN Security)
Date: Wed, 19 May 2010 00:36:26 +0200
Subject: [VIM] www.frsirt.com links broken
References:
Message-ID: <99322E18A72D4A1580E963FC7FCC2424@Webmail>

Hi Steve,

All links are up again.

T.J.

----- Original Message -----
From: "Steven M. Christey"
To:
Sent: Tuesday, May 18, 2010 7:14 PM
Subject: [VIM] www.frsirt.com links broken

>
> I guess it's been long overdue, but the www.frsirt.com URLs for
> FRSIRT/VUPEN records are now redirecting to google.fr.
>
> I coulda sworn I cleaned these up in CVE when we changed our reference
> names to "VUPEN" but instead we're looking at about 13,800 URL changes...
> ouch. Simple search-and-replace seems to take care of it.
>
> - Steve
>

From jericho at attrition.org Thu May 27 18:18:17 2010
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 27 May 2010 18:18:17 -0500 (CDT)
Subject: [VIM] Vana CMS Remote File Download
In-Reply-To: <201004130628.o3D6SwwD004529@www3.securityfocus.com>
References: <201004130628.o3D6SwwD004529@www3.securityfocus.com>
Message-ID:

Can you download arbitrary files? Your example shows what appears to be
intended functionality, and not necessarily a vulnerability.

On Tue, 13 Apr 2010, info at securitylab.ir wrote:

: #################################################################
: # Securitylab.ir
: #################################################################
: # Application Info:
: # Name: Vana CMS
: # Vendor: http://www.vanasoft.com
: #################################################################
: # Vulnerability Info:
: # Type: Remote File Download
: # Risk: Medium
: # 2009-10-23 - Found Vulnerability
: # 2010-04-09 - Vendor notified
: # 2010-04-11 - Public disclosure
: #################################################################
: Vulnerability:
: http://site.com/download.php?filename=File.php
: #################################################################
: # Discovered By: Pouya Daneshmand
: # Website: http://Pouya.Securitylab.ir
: # Contacts: info[at]securitylab.ir & whh_iran[at]yahoo.com
: ###################################################################
:
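
The check made by hand in the Slooze message at the top of this archive (is the cited system() call live code or a comment?) can be automated with PHP's tokenizer. This is an added example, not part of any message here or of the Slooze code; find_sink() is a hypothetical helper name and the uncommented variant is constructed for contrast.

```php
<?php
// Added example: is each occurrence of a claimed sink live code or a comment?
function find_sink(string $source, string $func): array
{
    $tokens = token_get_all($source);
    $hits = [];
    $prev = null; // previous significant (non-whitespace, non-comment) token
    foreach ($tokens as $i => $tok) {
        $id = is_array($tok) ? $tok[0] : $tok;
        if ($id === T_WHITESPACE) {
            continue;
        }
        if ($id === T_COMMENT || $id === T_DOC_COMMENT) {
            if (preg_match('/\b' . preg_quote($func, '/') . '\s*\(/i', $tok[1])) {
                $hits[] = ['line' => $tok[2], 'state' => 'comment'];
            }
            continue;
        }
        // Skip method calls and declarations that merely share the name.
        if ($id === T_STRING && strcasecmp($tok[1], $func) === 0
            && !in_array($prev, [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            $j = $i + 1;
            while (is_array($tokens[$j] ?? null) && $tokens[$j][0] === T_WHITESPACE) {
                $j++;
            }
            if (($tokens[$j] ?? null) === '(') {
                $hits[] = ['line' => $tok[2], 'state' => 'live'];
            }
        }
        $prev = $id;
    }
    return $hits;
}

// Inner lines of cacheClear() as quoted in the message (tokenized only, never executed).
$quoted = <<<'SRC'
<?php
if(ereg('.+\.tmp$', $file)) {
  unlink($this->cachePath . $file);
  // system('del "' . $this->cachePath . $file . '"'); /* Windows platforms */
}
SRC;
$variant = str_replace('// system', 'system', $quoted); // constructed: call uncommented
foreach (['as quoted' => $quoted, 'constructed variant' => $variant] as $label => $src) {
    foreach (find_sink($src, 'system') as $hit) {
        printf("%s: system() on line %d is %s\n", $label, $hit['line'], $hit['state']);
    }
}
```

A grep for the function name would flag both inputs alike; the token type is what separates a commented-out call from a reachable one.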