From theall at tenable.com Wed Feb 9 10:35:11 2011
From: theall at tenable.com (George A. Theall)
Date: Wed, 9 Feb 2011 11:35:11 -0500
Subject: [VIM] Coppermine Photo Gallery 1.5.x Remote Command Execution
Message-ID: <537456BA-AA83-490C-AF47-F36AE1AA2B00@tenable.com>

Exploit DB 16142 / Bugtraq 46288 cover a remote command execution issue in Coppermine Photo Gallery 1.5.x reported by Sn!pEr.S!Te. This person's success record has been rather spotty in the past, and this one seems just as bogus. Here's the code from include/picmgmt.inc.php in 1.5.12:

----- snip, snip, snip -----
if (!defined('IN_COPPERMINE')) { die('Not in Coppermine...');}
...
function resize_image($src_file, $dest_file, $new_size, $method, $thumb_use, $watermark="false", $sharpen=0, $media_type="false")
{
...
    if ($superCage->env->getMatched('OS', '/win/i')) {
        $cmd = "\"".str_replace("\\","/", $CONFIG['impath'])."convert\" -resize ".$wm_resize."% ".str_replace("\\","/" ,$CONFIG['watermark_file'] )." ".str_replace("\\","/" , $path_to_tmp_wm );
        exec ("\"$cmd\"", $output, $retval);
----- snip, snip, snip -----

The 'IN_COPPERMINE' check occurs in the first non-comment line after the initial PHP opening tag, so right from the start we can see that the issue can't be exploited as Sn!pEr.S!Te claims. Also, the 'exec()' call that's supposedly affected occurs in a function definition and the file basically just holds function definitions; there's no way to call the affected 'resize_image()' function by requesting picmgmt.inc.php. And finally, the 'output' and 'retval' parameters actually appear in the 'exec()' call as the 2nd and 3rd args, not part of the first as Sn!pEr.S!Te claims. This difference is significant, as PHP uses those parameter values to store the output of the command and its return value respectively; they are not simply appended to the command and passed to a shell.
George
-- 
theall at tenablesecurity.com

From jericho at attrition.org Thu Feb 10 23:38:05 2011
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 10 Feb 2011 23:38:05 -0600 (CST)
Subject: [VIM] CVE-2011-0049: majordomo directory traversal vulnerability
Message-ID:

OSVDB 70762, CVE-2011-0049, Secunia 43125, BID 46127, ISS 65113

Tenable Network Security discovered that the patch included in 20110130 was not sufficient to fully remediate this vulnerability. The patch applied to snapshot 20110204 appears to remediate the issue correctly. Please update your solutions to reflect this!

-------- Original Message --------

as you may be aware, there was a directory traversal vulnerability in majordomo. PoC:

http://www.example.com/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=../../../../../../../etc/passwd

the VDBs all appear to be reporting build 20110130 as the fix, to include:

https://sitewat.ch/en/Advisory/View/1
http://secunia.com/advisories/43125

however, the patch included in 20110130 isn't sufficient. it can be circumvented with the following PoC:

http://www.example.com/mj_wwwusr?passw=&list=GLOBAL&user=&func=help&extra=./../././../././../././../././../././../././../././../././../././../././.././etc/passwd

it appears this issue was fixed with 20110204.

From theall at tenable.com Mon Feb 28 15:06:19 2011
From: theall at tenable.com (George A. Theall)
Date: Mon, 28 Feb 2011 16:06:19 -0500
Subject: [VIM] Home FTP SERVER 1.12 Directory Traversal
Message-ID: <6B09C888-3783-4607-BF85-3940405ACC96@tenable.com>

Exploit DB 16259 / Bugtraq 46600 concern a directory traversal issue in Home FTP SERVER 1.12 and give as a PoC:

RETR ../../../../boot.ini

Exploit DB 15349 / Bugtraq 44543 concern a series of directory traversal issues in an earlier version of the same software; one of the PoCs is:

GET ../../../boot.ini

Since an FTP client translates a "GET" into the command "RETR" when speaking to an FTP server, the new VDB identifiers seem to be just rehashes of the earlier ones. Or am I missing something, Rob?

George
-- 
theall at tenablesecurity.com

From rkeith at securityfocus.com Mon Feb 28 15:20:58 2011
From: rkeith at securityfocus.com (rkeith)
Date: Mon, 28 Feb 2011 14:20:58 -0700
Subject: [VIM] Home FTP SERVER 1.12 Directory Traversal
In-Reply-To: <6B09C888-3783-4607-BF85-3940405ACC96@tenable.com>
References: <6B09C888-3783-4607-BF85-3940405ACC96@tenable.com>
Message-ID: <4D6C11BA.8090009@securityfocus.com>

Seems like a reasonable conclusion they are the same issue. We'll make some changes at our end to reflect that.

-Rob

On 02/28/2011 02:06 PM, George A. Theall wrote:
> Exploit DB 16259 / Bugtraq 46600 concern a directory traversal issue in
> Home FTP SERVER 1.12 and give as a PoC:
>
> RETR ../../../../boot.ini
>
> Exploit DB 15349 / Bugtraq 44543 concern a series of directory traversal
> issues in an earlier version of the same software; one of the PoCs is:
>
> GET ../../../boot.ini
>
> Since an FTP client translates a "GET" into the command "RETR" when
> speaking to an FTP server, the new VDB identifiers seem to be just
> rehashes of the earlier ones. Or am I missing something, Rob?
>
>
> George
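Added example, not from the list thread: a Python check for the 'extra' parameter in the CVE-2011-0049 majordomo message above, showing why a string-match filter that stops the first PoC misses the interleaved './../././' form while canonicalizing the path before the prefix test catches both. The help-file base directory and the naive filter are hypothetical constructs for illustration, not majordomo's real layout or patch.

```python
import posixpath

# Constructed sample inputs: the two 'extra' values quoted in the
# CVE-2011-0049 message, plus a benign help-topic name.
PAYLOAD_ORIGINAL = "../../../../../../../etc/passwd"
PAYLOAD_BYPASS = "./../././../././../././../././../././../././../././../././../././../././../././.././etc/passwd"
BENIGN = "topics/overview"

# Hypothetical document root for help files; not majordomo's real layout.
HELP_BASE = "/var/majordomo/help"


def naive_check(extra: str) -> bool:
    """Hypothetical string-match filter (not the actual majordomo patch).

    Rejects absolute paths and the textbook '../../' form. Returns True
    when the value is allowed. Because it looks for adjacent '..'
    components, inserting './' between them slips past it.
    """
    return not extra.startswith("/") and "../.." not in extra


def normalized_check(extra: str, base: str = HELP_BASE) -> bool:
    """Canonicalize first, then decide.

    posixpath.normpath() drops './' components and resolves '..'
    lexically, so every spelling of "climb out of the base" collapses
    to the same string before the prefix test runs. A value is allowed
    only if the resolved path is the base itself or strictly below it.
    (On a live system os.path.realpath() would also be needed to account
    for symlinks; this check is purely lexical.)
    """
    if extra.startswith("/") or "\x00" in extra:
        return False
    resolved = posixpath.normpath(posixpath.join(base, extra))
    return resolved == base or resolved.startswith(base + "/")


def compare(extra: str) -> dict:
    """Run both checks on one value so the difference is visible side by side."""
    return {"naive_allows": naive_check(extra),
            "normalized_allows": normalized_check(extra)}


if __name__ == "__main__":
    for label, value in [("original", PAYLOAD_ORIGINAL),
                         ("bypass", PAYLOAD_BYPASS),
                         ("benign", BENIGN)]:
        print(label, compare(value))
```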