From coley at linus.mitre.org Wed Nov 3 19:06:58 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 3 Nov 2010 20:06:58 -0400 (EDT)
Subject: [VIM] Broken Oracle URLs (again) for most recent CPUs
Message-ID:

All,

Oracle has apparently shifted the URLs again, this time for the most recent CPUs. Even the October CPU now redirects to a generic page. This is apparently due to some change in the internal directory URL structure. e.g.:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2010-175626.html

is now:

http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

Apparently, the URL I mentioned back in September still has the appropriate, up-to-date URLs to use:

http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates

Has anybody gotten any inquiries from their users about these broken URLs? I don't think we have at CVE. Weird.

- Steve

From theall at tenable.com Thu Nov 4 10:51:52 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 4 Nov 2010 11:51:52 -0400
Subject: [VIM] Broken Oracle URLs (again) for most recent CPUs
In-Reply-To:
References:
Message-ID: <4E7ECE00-1B9E-4D8F-935B-8107028194EA@tenable.com>

On Nov 3, 2010, at 8:06 PM, Steven M. Christey wrote:

> Oracle has apparently shifted the URLs again, this time for the most
> recent CPUs. Even the October CPU now redirects to a generic page.
...
> Has anybody gotten any inquiries from their users about these broken
> URLs? I don't think we have at CVE. Weird.

Not about the ones for the recent CPUs. But we did get several about the older 1-2x style links. We replaced those when possible with links to the cached pages on the Internet Archive's Wayback Machine.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Thu Nov 4 11:53:39 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 4 Nov 2010 12:53:39 -0400 (EDT)
Subject: [VIM] possible rediscovery - Pay Roll Time Sheet & Punch Card SQL injection
Message-ID:

Refs:
EXPLOIT-DB:15396
BID:44609
SECUNIA:42096

The "Password" parameter to login.asp, as stated in SECUNIA:42096, appears to be the same vector as CVE-2007-4106, whose references are:

BID:25114
SECUNIA:26275

CVE-2007-4106 uses "CodeWidgets" as the vendor name (more like the web site name), and the current discovery uses Comrie Software (which appears to be the appropriate vendor name).

These aren't exactly the same, though, since SECUNIA:42096 mentions an EmployeeNumber parameter, which is not covered by Aria-Security in CVE-2007-4106, and not explicitly stated by L0rd CrusAd3r in EXPLOIT-DB:15396. In addition, the older SECUNIA:26275 does not specifically mention POST for the Password parameter, where the newer SECUNIA:42096 does.

- Steve

From theall at tenable.com Tue Nov 9 08:26:34 2010
From: theall at tenable.com (George A. Theall)
Date: Tue, 9 Nov 2010 09:26:34 -0500
Subject: [VIM] osTicket 1.6 - Local File Inclusion
Message-ID:

Bugtraq ID 44739 / Exploit DB 15471 cover a local file inclusion issue reported by d3v11 and affecting the 'module.php' script in osTicket 1.6. The sample PoC SecurityFocus gives is:

http://www.example.com/module.php?module=osTicket&file=../../../../../../../../../../../../../../etc/passwd

Trouble is, there's no file named 'module.php' in the distribution file of osTicket 1.6, either the one I just downloaded from the project itself or the one attached to the EDB advisory itself. To me this looks like it's a rehash of BID 19256. Or BID 39732, which seems to be a dup of the older BID. For example, do a Google search of 'osTicket "module.php" inurl:"view.php'"' and look at the sites turned up -- they say they're "Powered by Help Center Live".

Btw, the EDB advisory says the issue's been verified. What exactly does that mean? Who's verified the vulnerability and how was it done?
George
--
theall at tenablesecurity.com

From steve at vitriol.net Tue Nov 9 17:32:41 2010
From: steve at vitriol.net (Steve Tornio)
Date: Tue, 9 Nov 2010 17:32:41 -0600
Subject: [VIM] osTicket 1.6 - Local File Inclusion
In-Reply-To:
References:
Message-ID:

On Tue, Nov 9, 2010 at 8:26 AM, George A. Theall wrote:
> Bugtraq ID 44739 / Exploit DB 15471 cover a local file inclusion issue
> reported by d3v11 and affecting the 'module.php' script in osTicket 1.6. The
> sample PoC SecurityFocus gives is:

Exploit-DB yanked this one a little while ago. Apparently, it was approved in error.

>
> Btw, the EDB advisory says the issue's been verified. What exactly does that
> mean? Who's verified the vulnerability and how was it done?
>

From coley at linus.mitre.org Tue Nov 9 17:40:23 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 9 Nov 2010 18:40:23 -0500 (EST)
Subject: [VIM] osTicket 1.6 - Local File Inclusion
In-Reply-To:
References:
Message-ID:

It would be good if Exploit-DB followed the practices that str0ke did with milw0rm (on CVE and OSVDB's request) by leaving some kind of note about what happened with the entry, instead of deleting it outright. This helps when you run across a broken URL 6 months later and you wonder if you had a typo or a duplicate or whatever.

- Steve

On Tue, 9 Nov 2010, Steve Tornio wrote:

> On Tue, Nov 9, 2010 at 8:26 AM, George A. Theall wrote:
>> Bugtraq ID 44739 / Exploit DB 15471 cover a local file inclusion issue
>> reported by d3v11 and affecting the 'module.php' script in osTicket 1.6. The
>> sample PoC SecurityFocus gives is:
>
> Exploit-DB yanked this one a little while ago. Apparently, it was
> approved in error.
>
>>
>> Btw, the EDB advisory says the issue's been verified. What exactly does that
>> mean? Who's verified the vulnerability and how was it done?
>>
>

From theall at tenable.com Wed Nov 10 14:00:50 2010
From: theall at tenable.com (George A. Theall)
Date: Wed, 10 Nov 2010 15:00:50 -0500
Subject: [VIM] PHPShop 'name_new' Parameter Cross Site Scripting Vulnerability
Message-ID:

FYI: I think Bugtraq id 44763 lists as the vendor www.phpshop.org and claims version 2.1 EE is affected. If you go to that link, though, you're redirected to a Google Code project page saying the project is no longer active and featuring a download for version 0.8.1. There's no mention in the distribution file for that version of the 'name_new' parameter.

Rob, how was it you folks at SecurityFocus determined the vendor here? I don't see it mentioned anywhere in mustlive's post to Bugtraq.

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Wed Nov 10 16:00:40 2010
From: rkeith at securityfocus.com (rkeith)
Date: Wed, 10 Nov 2010 15:00:40 -0700
Subject: [VIM] PHPShop 'name_new' Parameter Cross Site Scripting Vulnerability
In-Reply-To:
References:
Message-ID: <4CDB1608.4080303@securityfocus.com>

Hey George,

Looks like the vendor is phpshop.ru. We will have the BID updated.

Thanks,
Rob

On 11/10/2010 01:00 PM, George A. Theall wrote:
> FYI: I think Bugtraq id 44763 lists as the vendor www.phpshop.org and
> claims version 2.1 EE is affected. If you go to that link, though,
> you're redirected to a Google Code project page saying the project is no
> longer active and featuring a download for version 0.8.1. There's no
> mention in the distribution file for that version of the 'name_new'
> parameter.
>
> Rob, how was it you folks at SecurityFocus determined the vendor here? I
> don't see it mentioned anywhere in mustlive's post to Bugtraq.
>
>
> George

From coley at linus.mitre.org Wed Nov 10 16:12:11 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 10 Nov 2010 17:12:11 -0500 (EST)
Subject: [VIM] E-PHP CMS rediscoveries
Message-ID:

Product: E-Php / article.php / es_id
EXPLOIT-DB:15410
Researcher: Cru3l.b0y

This appears to be a dupe of CVE-2008-4142 / http://www.exploit-db.com/exploits/6483/

- Steve

From theall at tenable.com Tue Nov 16 20:32:10 2010
From: theall at tenable.com (George A. Theall)
Date: Tue, 16 Nov 2010 21:32:10 -0500
Subject: [VIM] AT-TFTP Server Directory Traversal Vulnerability
Message-ID:

BID 44711 seems to have been created today for a simple directory traversal vulnerability reported 10 days ago by Pr0T3cT10n and covered by Exploit DB 15438.

Isn't this the same issue reported by Luigi Auriemma in 2004 and covered by BID 11584? Rob???

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Wed Nov 17 12:32:08 2010
From: rkeith at securityfocus.com (rkeith)
Date: Wed, 17 Nov 2010 11:32:08 -0700
Subject: [VIM] AT-TFTP Server Directory Traversal Vulnerability
In-Reply-To:
References:
Message-ID: <4CE41FA8.9020203@securityfocus.com>

Hey George,

Looks like there were some changes in the vendor name on that one that we didn't catch. We will retire the new BID shortly.

Thanks,
Rob

On 11/16/2010 07:32 PM, George A. Theall wrote:
> BID 44711 seems to have been created today for a simple directory
> traversal vulnerability reported 10 days ago by Pr0T3cT10n and covered
> by Exploit DB 15438.
>
> Isn't this the same issue reported by Luigi Auriemma in 2004 and covered
> by BID 11584? Rob???
>
> George

--
Rob Keith
Symantec

From jericho at attrition.org Thu Nov 18 04:10:36 2010
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 18 Nov 2010 04:10:36 -0600 (CST)
Subject: [VIM] BID 31930 exploit
Message-ID:

http://www.securityfocus.com/bid/31930/exploit

http://www.example.com/[path]/index.php?mod=2&amp;nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users

http://www.example.com/[path]/index.php?mod=0&amp;cpage=-114) UNION ALL SELECT 0,0,0,0,0,version()--

--

Just want to confirm, it appears the "&amp;" is actually some HTML decoding snafu that is essentially doing & and an encoded &? seems like that should be "&nid=" in the first example and "&cpage" in the second?

From theall at tenable.com Thu Nov 18 19:46:31 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 18 Nov 2010 20:46:31 -0500
Subject: [VIM] BID 31930 exploit
In-Reply-To:
References:
Message-ID: <5AD3881B-7BA4-41B0-A32F-CF3214AED0A3@tenable.com>

On Nov 18, 2010, at 5:10 AM, security curmudgeon wrote:

>
> http://www.securityfocus.com/bid/31930/exploit
>
> http://www.example.com/[path]/index.php?mod=2&amp;nid=-268)%20UNION
> %20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),
> 0,0,0,0,0,0,0,0,0%20FROM%20default_users
>
> http://www.example.com/[path]/index.php?mod=0&amp;cpage=-114) UNION
> ALL SELECT 0,0,0,0,0,version()--
>
> --
>
> Just want to confirm, it appears the "&amp;" is actually some HTML
> decoding snafu that is essentially doing & and an encoded &? seems
> like that should be "&nid=" in the first example and "&cpage" in the
> second?

Seems to be in error in the BID -- look at the advisory on Packet Storm and SecurityReason:

http://packetstormsecurity.org/files/view/71280/tandiscms-sql.txt
http://securityreason.com/exploitalert/5013

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Fri Nov 19 09:55:55 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 19 Nov 2010 10:55:55 -0500 (EST)
Subject: [VIM] BID 31930 exploit
In-Reply-To: <5AD3881B-7BA4-41B0-A32F-CF3214AED0A3@tenable.com>
References: <5AD3881B-7BA4-41B0-A32F-CF3214AED0A3@tenable.com>
Message-ID:

This kind of double encoding happens throughout the Bugtraq ID entries; I see it on a regular basis. I thought I sent an inquiry about this a couple years ago, but maybe I used the wrong email address.

In the early days of the CVE web site, we used to have this problem in our search results. One routine would HTML-encode a single CVE description, then each description in the results would get encoded again when it got dumped into the full table (or something like that). I've seen this kind of problem on other security sites over the years. You can get similar issues related to SQL injection and double quoting of apostrophes.

- Steve

On Thu, 18 Nov 2010, George A. Theall wrote:

>
> On Nov 18, 2010, at 5:10 AM, security curmudgeon wrote:
>
>>
>> http://www.securityfocus.com/bid/31930/exploit
>>
>> http://www.example.com/[path]/index.php?mod=2&amp;nid=-268)%20UNION%20ALL%20SELECT%20version(),0,0,concat(username,0x3a,userpass),0,0,0,0,0,0,0,0,0%20FROM%20default_users
>>
>> http://www.example.com/[path]/index.php?mod=0&amp;cpage=-114) UNION ALL
>> SELECT 0,0,0,0,0,version()--
>>
>> --
>>
>> Just want to confirm, it appears the "&amp;" is actually some HTML decoding
>> snafu that is essentially doing & and an encoded &? seems like that should
>> be "&nid=" in the first example and "&cpage" in the second?
>
> Seems to be in error in the BID -- look at the advisory on Packet Storm and
> SecurityReason:
>
> http://packetstormsecurity.org/files/view/71280/tandiscms-sql.txt
> http://securityreason.com/exploitalert/5013
>
>
> George
> --
> theall at tenablesecurity.com
>
>
>

From theall at tenable.com Fri Nov 19 13:36:26 2010
From: theall at tenable.com (George A. Theall)
Date: Fri, 19 Nov 2010 14:36:26 -0500
Subject: [VIM] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch
Message-ID:

Core Security's recent Mac OS X advisory (http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch) seems to be creating confusion. For example, there's this entry in their timeline:

"2010-11-11: Apple informs Core that due to a clerical error they used the identifier CVE-2010-1797 for their advisory, instead of CVE-2010-4010."

Fortunately, this doesn't seem to have introduced any problems with the two CVE entries themselves. Had you noticed this, Steve?

SecurityFocus, though, has two BIDs that seem to be for CVE-2010-4010 -- BID 44729 created last week and BID 44984 created today. Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Fri Nov 19 14:22:24 2010
From: rkeith at securityfocus.com (rkeith)
Date: Fri, 19 Nov 2010 13:22:24 -0700
Subject: [VIM] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch
In-Reply-To:
References:
Message-ID: <4CE6DC80.8090803@securityfocus.com>

Definitely some confusion all around on this one. Apple's first issue of that advisory didn't include CVE-2010-4010, and there was no changelog, or indication that the advisory was updated after that fact. We only noticed the existence of that CVE today when Mitre published it.

We'll retire 44984 shortly as a duplicate of 44729.

-Rob

On 11/19/2010 12:36 PM, George A. Theall wrote:
> Core Security's recent Mac OS X advisory
> (http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch)
> seems to be creating confusion. For example, there's this entry in their
> timeline:
>
> "2010-11-11: Apple informs Core that due to a clerical error they used
> the identifier CVE-2010-1797 for their advisory, instead of
> CVE-2010-4010."
>
> Fortunately, this doesn't seem to have introduced any problems with the
> two CVE entries themselves. Had you noticed this, Steve?
>
> SecurityFocus, though, has two BIDs that seem to be for CVE-2010-4010 --
> BID 44729 created last week and BID 44984 created today. Rob?
>
>
> George

--
Rob Keith
Symantec

From coley at linus.mitre.org Sat Nov 20 15:24:48 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 20 Nov 2010 16:24:48 -0500 (EST)
Subject: [VIM] Apple OS X ATSServer CFF CharStrings INDEX Sign Mismatch
In-Reply-To:
References:
Message-ID:

I think we caught this confusion before we created CVE-2010-4010, and we clarified by email with Apple that these weren't dupes. We inferred that the Apple advisory archives had been modified to use the new CVE.

- Steve

On Fri, 19 Nov 2010, George A. Theall wrote:

> Core Security's recent Mac OS X advisory
> (http://www.coresecurity.com/content/Apple-OSX-ATSServer-CharStrings-Sign-Mismatch)
> seems to be creating confusion. For example, there's this entry in their
> timeline:
>
> "2010-11-11: Apple informs Core that due to a clerical error they used the
> identifier CVE-2010-1797 for their advisory, instead of CVE-2010-4010."
>
> Fortunately, this doesn't seem to have introduced any problems with the two
> CVE entries themselves. Had you noticed this, Steve?
>
> SecurityFocus, though, has two BIDs that seem to be for CVE-2010-4010 -- BID
> 44729 created last week and BID 44984 created today. Rob?
>
>
> George
> --
> theall at tenablesecurity.com
>
>
>

From jericho at attrition.org Wed Nov 24 01:21:19 2010
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 24 Nov 2010 01:21:19 -0600 (CST)
Subject: [VIM] Stuxnet - little more clarification on one of two CVEs
Message-ID:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3888

Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Kaspersky Lab researchers and other researchers.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-3889

Unspecified vulnerability in Microsoft Windows on 32-bit platforms allows local users to gain privileges via unknown vectors, as exploited in the wild in July 2010 by the Stuxnet worm, and identified by Microsoft researchers and other researchers.

--

This article points out exploit code has been written for one of the two local privilege escalation vulns:

http://www.net-security.org/secworld.php?id=10202

The exploit:

http://www.exploit-db.com/exploits/15589/

This is a vulnerability in the Windows Task Scheduler. I have not seen any information to refute the claim that this is one of the Stuxnet vulns. For now, OSVDB will be updating 68518 (tied to 2010-3888) to reference this. We are picking 3888 as it is the lower number and 'first' one, no other reason.

From deapesh at gmail.com Wed Nov 24 11:27:29 2010
From: deapesh at gmail.com (Deapesh Misra)
Date: Wed, 24 Nov 2010 12:27:29 -0500
Subject: [VIM] Java Deployment Toolkit 0-day CVEs
Message-ID:

Hi,

I also have a doubt regarding these two CVEs:

CVE-2010-1423
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1423

Argument injection vulnerability in the URI handler in (a) Java NPAPI plugin and (b) Java Deployment Toolkit in Java 6 Update 10, 19, and other versions, when running on Windows and possibly on Linux, allows remote attackers to execute arbitrary code via the (1) -J or (2) -XXaltjvm argument to javaws.exe, which is processed by the launch method. NOTE: some of these details are obtained from third party information.

and

CVE-2010-0886
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0886

Unspecified vulnerability in the Java Deployment Toolkit component in Oracle Java SE and Java for Business JDK and JRE 6 Update 10 through 19 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.

----------

CVE-2010-1423 is the 0-day issue which Tavis disclosed on April 9th (and later reported by Ruben).
CVE-2010-0886 is for an out-of-band (OOB) patch from Oracle/Sun released on April 15th (http://www.oracle.com/technetwork/topics/security/alert-cve-2010-0886-094541.html)

It seems like 0886 and 1423 are for the same vulnerability.

exploit-db.com labels the exploits for CVE-2010-1423 as CVE-2010-0886:

http://www.exploit-db.com/exploits/12117
http://www.exploit-db.com/exploits/12122

this was picked up by OSVDB too:

http://osvdb.org/63798

As from the vendor's perspective, this release note from Oracle/Sun seems to be the only valuable source of usable information:

http://www.oracle.com/technetwork/java/javase/6u20-142805.html

I think these two CVEs are for the same issue.

-Deapesh.

From theall at tenable.com Wed Nov 24 12:36:32 2010
From: theall at tenable.com (George A. Theall)
Date: Wed, 24 Nov 2010 13:36:32 -0500
Subject: [VIM] D-Link DIR-300 WiFi Key Security Bypass Vulnerability vs D-Link DIR-300 'tools_admin.php' Security Bypass Vulnerability
Message-ID: <923492E5-5081-4D3A-AB09-49BB270D0A7E@tenable.com>

BID 45038 seems to be a dup of BID 44743 since the listed exploits are identical and both are for D-Link DIR-300 routers. Rob?

George
--
theall at tenablesecurity.com

From theall at tenable.com Sat Nov 27 20:48:09 2010
From: theall at tenable.com (George A. Theall)
Date: Sat, 27 Nov 2010 21:48:09 -0500
Subject: [VIM] WordPress Register Plus 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities
Message-ID: <7356FA56-8EC5-4A96-B904-7426DF911012@tenable.com>

Rob, is there any difference between BIDs 45057 and 45069? Both seem to derive from a recent advisory from mustlive involving the Register Plus plugin for WordPress.
George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Mon Nov 29 10:58:35 2010
From: rkeith at securityfocus.com (rkeith)
Date: Mon, 29 Nov 2010 09:58:35 -0700
Subject: [VIM] WordPress Register Plus 'wp-login.php' Multiple Cross Site Scripting Vulnerabilities
In-Reply-To: <7356FA56-8EC5-4A96-B904-7426DF911012@tenable.com>
References: <7356FA56-8EC5-4A96-B904-7426DF911012@tenable.com>
Message-ID: <4CF3DBBB.5060400@securityfocus.com>

Hey George,

No difference that I can see. We'll have the latest one retired.

Thanks
-Rob

On 11/27/2010 07:48 PM, George A. Theall wrote:
> Rob, is there any difference between BIDs 45057 and 45069? Both seem to
> derive from a recent advisory from mustlive involving the Register Plus
> plugin for WordPress.
>
> George

From jericho at attrition.org Tue Nov 30 18:48:25 2010
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 30 Nov 2010 18:48:25 -0600 (CST)
Subject: [VIM] savannah.gnu.org compromised
Message-ID:

http://savannah.gnu.org/

Savannah downtime

Savannah is currently down - details to follow.

There's been a SQL injection leading to leaking of encrypted account passwords, some of them discovered by brute-force attack, leading in turn to project membership access.

We're reinstalling the system and restoring the data from a safe backup, November 23rd circa 12:00 GMT. Please prepare to recommit your changes since that date.

While effort was made in the past to fix injection vulnerabilities in the Savane2 legacy codebase, it appears this was not enough :/

No firm ETA for the return online yet (but during the week).
* 2010/11/29 21:30 GMT: access to the base host restored, extracting incremental backup from the 23rd
* 2010/11/29 23:30 GMT: finished diagnosing original attack
* 2010/11/30 12:30 GMT: data transfers in progress
* 2010/11/30 13:30 GMT: read-only access to source repositories
* 2010/11/30 14:30 GMT: write access to source repositories
* 2010/11/30 16:30 GMT: data transfers finished
* 2010/11/30 18:00 GMT: access to downloads and GNU Arch
* 2010/11/30 21:00 GMT: audited code and found no other SQL injection
* 2010/11/30 22:30 GMT: found trace of earlier attack on Nov 23rd 4h
* 2010/11/30 22:45 GMT: stopped write access and preparing new backup from the 22nd
* 2010/11/30 23:45 GMT: found trace of earlier read-only SQL injections as far back as January, but apparently none with actual account cracking; searching more

TODO

* [X] Put services online using backup, except for password-based ones (e.g. the web interface)
* [X] Reset passwords
* [X] Fix SQL injection and look for potential others
* [ ] Implement crypt-md5 support (like /etc/shadow, strong and LDAP-compatible) hashes, or possibly crypt-sha2
* [ ] Implement password strength enforcement
* [ ] Bring back web interface
* [/] Audit changes between the 23rd and the 27th to see what was compromised

--
The Savannah Hackers

Also see http://identi.ca/group/fsfstatus for information.
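The two open TODO items above (salted crypt-style hashes replacing a scheme that brute force recovered, plus password-strength enforcement) describe a migration that is easy to get wrong when the old hashes cannot be converted offline. The following is an added example, not Savannah's code: it assumes the legacy records were unsalted hex MD5 digests and uses PBKDF2-HMAC-SHA256 from the Python standard library in place of the crypt-sha2 scheme they name, rehashing each account transparently at its next successful login.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumptions, not Savannah's code: PBKDF2-HMAC-SHA256 from the standard
# library stands in for the crypt-sha2 scheme the TODO names, and legacy
# records are unsalted hex MD5 digests (the kind brute force recovers quickly).
PBKDF2_ITERATIONS = 100_000
MIN_PASSWORD_LENGTH = 12
# Constructed deny-list standing in for a real common-password corpus.
COMMON_PASSWORDS = {"password", "savannah", "123456789012", "qwertyuiopas"}
HEX_DIGITS = set("0123456789abcdef")

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def is_legacy_hash(stored: str) -> bool:
    """Legacy records are bare 32-character hex MD5 digests with no scheme prefix."""
    return len(stored) == 32 and set(stored.lower()) <= HEX_DIGITS

def verify_password(stored: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    if is_legacy_hash(stored):
        candidate = hashlib.md5(password.encode("utf-8")).hexdigest()
        return hmac.compare_digest(candidate, stored.lower())
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def password_is_strong_enough(password: str) -> bool:
    """Minimal enforcement policy: a length floor plus a deny-list of common choices."""
    return len(password) >= MIN_PASSWORD_LENGTH and password.lower() not in COMMON_PASSWORDS

# Unknown usernames are checked against a fixed dummy record so their timing
# matches real accounts, which limits account enumeration.
DUMMY_RECORD = hash_password(secrets.token_hex(16))

def login(users: dict, username: str, password: str):
    """Authenticate; on success, rehash legacy records (the plaintext is only
    available at login) and flag weak passwords for a forced change.
    Returns (authenticated, actions)."""
    stored = users.get(username)
    ok = verify_password(DUMMY_RECORD if stored is None else stored, password)
    if stored is None or not ok:
        return False, ["denied"]
    actions = []
    if is_legacy_hash(stored):
        users[username] = hash_password(password)
        actions.append("rehashed")
    if not password_is_strong_enough(password):
        actions.append("force-password-change")
    return True, actions

# Constructed sample table: two accounts still on the legacy scheme, one migrated.
SAMPLE_USERS = {
    "legacy-user": hashlib.md5(b"correct horse battery").hexdigest(),
    "weak-user": hashlib.md5(b"savannah").hexdigest(),
    "migrated-user": hash_password("staple-obvious-xkcd-936"),
}
```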