From coley at mitre.org Thu May 2 09:00:10 2013
From: coley at mitre.org (Christey, Steven M.)
Date: Thu, 2 May 2013 14:00:10 +0000
Subject: [VIM] CMSLogik XSS - not a vuln, or maybe CSRF?
Message-ID:

Researcher: LiquidWorm

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5136.php
http://packetstormsecurity.com/files/121303/CMSLogik-1.2.1-Cross-Site-Scripting.html

This XSS seems to be targeting admin-only functionality, such as cmslogik/admin/settings, inserting the XSS into an admin_email parameter and header-title parameter. Seems like an admin would probably already have privileges to insert HTML if they want. So it doesn't seem like this would cross privilege boundaries, yet (a) it's LiquidWorm and (b) he says the vendor is working on a patch.

Is this really CSRF at the core?

- Steve

From coley at mitre.org Wed May 15 08:53:23 2013
From: coley at mitre.org (Christey, Steven M.)
Date: Wed, 15 May 2013 13:53:23 +0000
Subject: [VIM] vendor dispute - CVE-2013-3525 / Request Tracker SQL injection
Message-ID:

Researcher: cheki

The Request Tracker vendor has disputed CVE-2013-3525. The following vendor comment will be in NVD shortly:

Request Tracker is not vulnerable to the "exploit" detailed in CVE-2013-3525. We were unable to replicate it, and the individual that reported it retracted their report [1] on April 19th. Thus, this CVE should be considered an erroneous vulnerability report. For additional information, see our blog post on the topic [2].

[1] http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
[2] http://blog.bestpractical.com/2013/04/on-our-security-policies.html

Note that the PacketStorm reference has been removed.
- Steve

======================================================
Name: CVE-2013-3525
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-3525
Reference: MISC:http://blog.bestpractical.com/2013/04/on-our-security-policies.html
Reference: MISC:http://cxsecurity.com/issue/WLB-2013040083
Reference: MISC:http://packetstormsecurity.com/files/121245/RT-Request-Tracker-4.0.10-SQL-Injection.html
Reference: BID:59022
Reference: URL:http://www.securityfocus.com/bid/59022
Reference: OSVDB:92265
Reference: URL:http://osvdb.org/92265
Reference: XF:requesttracker-showpending-sql-injection(83375)
Reference: URL:http://xforce.iss.net/xforce/xfdb/83375

** DISPUTED ** SQL injection vulnerability in Approvals/ in Request Tracker (RT) 4.0.10 and earlier allows remote attackers to execute arbitrary SQL commands via the ShowPending parameter. NOTE: the vendor disputes this issue, stating "We were unable to replicate it, and the individual that reported it retracted their report," and "we had verified that the claimed exploit did not function according to the author's claims."

From gtheall at tenable.com Fri May 17 13:35:39 2013
From: gtheall at tenable.com (George Theall)
Date: Fri, 17 May 2013 18:35:39 +0000
Subject: [VIM] Microsoft Internet Explorer CVE-2013-2551 Unspecified Remote Code Execution Vulnerability
Message-ID: <91AF78F5-CB77-450A-967A-BC236C6594F3@tenable.com>

SecurityFocus seems to have two BIDs for CVE-2013-2551 -- 58570, created after Pwn2Own, and 59755, created last Tuesday.

Venkat / Rob / Narayan : is this intentional?
George
--
theall at tenable.com

From Narayan_Agarwalla at symantec.com Mon May 20 06:12:52 2013
From: Narayan_Agarwalla at symantec.com (Narayan Agarwalla)
Date: Mon, 20 May 2013 04:12:52 -0700
Subject: [VIM] Microsoft Internet Explorer CVE-2013-2551 Unspecified Remote Code Execution Vulnerability
In-Reply-To: <91AF78F5-CB77-450A-967A-BC236C6594F3@tenable.com>
References: <91AF78F5-CB77-450A-967A-BC236C6594F3@tenable.com>
Message-ID: <96CC6D276D1CC043905F0666B28DA2CB2AACF46C61@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hi George,

BID 59755 is retired as a duplicate of BID 58570.

Thanks!!
Narayan

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Saturday, May 18, 2013 12:06 AM
To: Vulnerability Information Managers
Subject: [VIM] Microsoft Internet Explorer CVE-2013-2551 Unspecified Remote Code Execution Vulnerability

SecurityFocus seems to have two BIDs for CVE-2013-2551 -- 58570, created after Pwn2Own, and 59755, created last Tuesday.

Venkat / Rob / Narayan : is this intentional?

George
--
theall at tenable.com

From vuln at secunia.com Thu May 23 03:54:50 2013
From: vuln at secunia.com (Secunia Research)
Date: Thu, 23 May 2013 10:54:50 +0200
Subject: [VIM] [Secunia] ERDAS ER Viewer Stack Based Overflow
In-Reply-To:
References: <004201ce4bc2$6c699340$453cb9c0$@secunia.com>
Message-ID: <00ac01ce5793$2f85f400$8e91dc00$@secunia.com>

Hi James,

We have confirmed two new vulnerabilities in ERDAS ER Viewer and have started the coordination process on your behalf. We will let you know when we hear back from the vendor.

Thank you for reporting these issues to us.

--
Kind regards,
Chaitanya Sharma
Advisory Team Lead
Secunia, Mikado House, Rued Langgaards Vej 8, 2300 Copenhagen S, Denmark.
http://www.secunia.com
Phone: +45 7020 5144
Fax: +45 7020 5145

-----Original Message-----
From: Secunia Research [mailto:vuln at secunia.com]
Sent: Tuesday, May 14, 2013 3:48 PM
To: 'James Fitts'
Cc: Vuln at secunia.com
Subject: RE: [Secunia] ERDAS ER Viewer Stack Based Overflow

Hello James,

Apologies for not responding earlier. Thank you for reporting this issue to us.

We tested the vulnerability report on the latest version of ERDAS ER Viewer and after a quick review it appears that the vulnerability you reported is a distinct vulnerability from the one described in CVE-2013-0726. It could also be a new vector for the vulnerability which the vendor failed to fix properly (the patch is currently available to a restricted audience only). We will investigate this further and keep you updated with the progress.

Thank you for your patience.

--
Kind regards,
Chaitanya Sharma
Advisory Team Lead
Secunia, Mikado House, Rued Langgaards Vej 8, 2300 Copenhagen S, Denmark.
http://www.secunia.com
Phone: +45 7020 5144
Fax: +45 7020 5145

-----Original Message-----
From: James Fitts [mailto:fitts.james at gmail.com]
Sent: Thursday, May 09, 2013 1:52 AM
To: Secunia Research
Subject: Re: [Secunia] ERDAS ER Viewer Stack Based Overflow

Heh, it looks like my module exploits the vulnerability found in
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0726

If you send a file with just a long string of A's and nothing else, you can crash the application in rf_report_error()

.text:100762D0 mov     cl, [eax]
.text:100762D2 mov     [esi+eax], cl
.text:100762D5 inc     edx
.text:100762D6 inc     eax
.text:100762D7 cmp     cl, 0Ah
.text:100762DA jz      short loc_100762E8
.text:100762DC cmp     edx, 0C7h
.text:100762E2 jge     short loc_100762E8
.text:100762E4 cmp     eax, edi
.text:100762E6 jb      short loc_100762D0

ermapper_u.dll, a bit interesting.

On Wed, May 8, 2013 at 4:02 AM, Secunia Research wrote:

Hello James,

This is to acknowledge that we have received your report. We will get back to you when we have finished our analysis.
Thank you and kind regards,
Lars Wiebusch

---
Med venlig hilsen / Kind Regards,
Lars Wiebusch
Security Specialist
Secunia
Mikado House
Rued Langgaardsvej 8
2300 Copenhagen S
Denmark
Phone +45 7020 5144
Fax +45 7020 5145
Please visit our corporate website: http://www.secunia.com
Follow us on Twitter: http://twitter.com/secunia

From gtheall at tenable.com Tue May 28 20:12:55 2013
From: gtheall at tenable.com (George Theall)
Date: Wed, 29 May 2013 01:12:55 +0000
Subject: [VIM] ModSecurity CVE-2013-2765 NULL Pointer Dereference Remote Denial of Service Vulnerability
Message-ID: <81222001-29A3-4CC6-BC98-B6244DD55A25@tenable.com>

SecurityFocus appears to have created two BIDs today for the recent DoS in ModSecurity / CVE-2013-2765 -- BIDs 60182 and 60185.

Venkat / Rob / Narayan : is this intentional?

George
--
theall at tenable.com

From Narayan_Agarwalla at symantec.com Thu May 30 08:25:46 2013
From: Narayan_Agarwalla at symantec.com (Narayan Agarwalla)
Date: Thu, 30 May 2013 06:25:46 -0700
Subject: [VIM] ModSecurity CVE-2013-2765 NULL Pointer Dereference Remote Denial of Service Vulnerability
In-Reply-To: <81222001-29A3-4CC6-BC98-B6244DD55A25@tenable.com>
References: <81222001-29A3-4CC6-BC98-B6244DD55A25@tenable.com>
Message-ID: <96CC6D276D1CC043905F0666B28DA2CB2AAD47C813@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hi,

Retired BID 60185 as it was a duplicate of BID 60182.

Thanks and Regards,
Narayan

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: 29 May 2013 06:43
To: Vulnerability Information Managers
Subject: [VIM] ModSecurity CVE-2013-2765 NULL Pointer Dereference Remote Denial of Service Vulnerability

SecurityFocus appears to have created two BIDs today for the recent DoS in ModSecurity / CVE-2013-2765 -- BIDs 60182 and 60185.

Venkat / Rob / Narayan : is this intentional?
George
--
theall at tenable.com

From Narayan_Agarwalla at symantec.com Thu May 30 13:33:38 2013
From: Narayan_Agarwalla at symantec.com (Narayan Agarwalla)
Date: Thu, 30 May 2013 11:33:38 -0700
Subject: [VIM] (no subject)
In-Reply-To: <96CC6D276D1CC043905F0666B28DA2CB2AA8F26C9B@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <96CC6D276D1CC043905F0666B28DA2CB2AA8F26C9B@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID: <96CC6D276D1CC043905F0666B28DA2CB2AAD47C9A4@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hi ZDI team,

The advisory referenced by this URI http://www.zerodayinitiative.com/advisories/ZDI-13-104/ points to CVE-2013-1305. The advisory also points to the https://technet.microsoft.com/en-us/security/bulletin/ms13-037 advisory from Microsoft. In the Microsoft advisory there is no such CVE mentioned. CVE-2012-1305 is mentioned in the https://technet.microsoft.com/en-us/security/bulletin/ms13-039 link.

Looks like there is some error in the CVE mentioned.

Could you please check it and correct the record.

Thanks!
Narayan Agarwalla
Supervisor, DeepSight
Security Technology and Response
Mobile: +91-8939922488

From Narayan_Agarwalla at symantec.com Thu May 30 13:36:57 2013
From: Narayan_Agarwalla at symantec.com (Narayan Agarwalla)
Date: Thu, 30 May 2013 11:36:57 -0700
Subject: [VIM] ZDI-13-104 Advisory CVE number may be incorrect?
Message-ID: <96CC6D276D1CC043905F0666B28DA2CB2AAD47C9A5@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hi ZDI team,

The advisory referenced by this URI http://www.zerodayinitiative.com/advisories/ZDI-13-104/ points to CVE-2013-1305. The advisory also points to the https://technet.microsoft.com/en-us/security/bulletin/ms13-037 advisory from Microsoft. In the Microsoft advisory there is no such CVE mentioned. CVE-2012-1305 is mentioned in the https://technet.microsoft.com/en-us/security/bulletin/ms13-039 link.

Looks like there is some error in the CVE mentioned.

Could you please check it and correct the record.

Thanks!
Narayan Agarwalla
Supervisor, DeepSight
Security Technology and Response
Mobile: +91-8939922488

From zdi-disclosures at tippingpoint.com Thu May 30 13:54:56 2013
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Thu, 30 May 2013 13:54:56 -0500
Subject: [VIM] ZDI-13-104 Advisory CVE number may be incorrect?
In-Reply-To: <96CC6D276D1CC043905F0666B28DA2CB2AAD47C9A5@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <96CC6D276D1CC043905F0666B28DA2CB2AAD47C9A5@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID: <51A7A080.4030502@hp.com>

Hello,

Thank you for the information below. We are aware. Microsoft had erroneously assigned the CVE to both cases. We now have the correct CVE and will be updating our portal within the next few days.
Regards,
The ZDI Team

On 5/30/2013 1:36 PM, Narayan Agarwalla wrote:
>
> Hi ZDI team
>
> The advisory referenced by this URI
> http://www.zerodayinitiative.com/advisories/ZDI-13-104/ points to
> CVE-2013-1305. The advisory also points to
> https://technet.microsoft.com/en-us/security/bulletin/ms13-037
> advisory from Microsoft. In the Microsoft advisory there is no such
> cve mentioned. CVE-2012-1305 is mentioned in
> https://technet.microsoft.com/en-us/security/bulletin/ms13-039 link.
>
> Looks like there is some error in CVE mentioned.
>
> Could you please check it and correct the record.
>
> Thanks!
>
> Narayan Agarwalla
> Supervisor, DeepSight
> Security Technology and Response
> Mobile: +91-8939922488
>

From zdi-disclosures at tippingpoint.com Thu May 30 13:58:33 2013
From: zdi-disclosures at tippingpoint.com (ZDI Disclosures)
Date: Thu, 30 May 2013 13:58:33 -0500
Subject: [VIM] (no subject)
In-Reply-To: <96CC6D276D1CC043905F0666B28DA2CB2AAD47C9A4@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <96CC6D276D1CC043905F0666B28DA2CB2AA8F26C9B@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM> <96CC6D276D1CC043905F0666B28DA2CB2AAD47C9A4@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID: <51A7A159.7010800@hp.com>

Hello,

You sent this message twice. One without a subject. We replied to the other thread.
Regards,
The ZDI Team

On 5/30/2013 1:33 PM, Narayan Agarwalla wrote:
>
> Hi ZDI team
>
> The advisory referenced by this URI
> http://www.zerodayinitiative.com/advisories/ZDI-13-104/ points to
> CVE-2013-1305. The advisory also points to
> https://technet.microsoft.com/en-us/security/bulletin/ms13-037
> advisory from Microsoft. In the Microsoft advisory there is no such
> cve mentioned. CVE-2012-1305 is mentioned in
> https://technet.microsoft.com/en-us/security/bulletin/ms13-039 link.
>
> Looks like there is some error in CVE mentioned.
>
> Could you please check it and correct the record.
>
> Thanks!
>
> Narayan Agarwalla
> Supervisor, DeepSight
> Security Technology and Response
> Mobile: +91-8939922488
>
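The copy loop in the ERDAS ER Viewer disassembly that James Fitts posted in the Secunia thread above, transcribed into C as an added example (not code from the thread or from the product): the first function reproduces the loop's three exit conditions (a 0x0A byte, a counter reaching 0xC7, or the end of the source), and the second bounds the same copy by the destination's capacity, which the posted loop never consults. Assumptions: the counter in edx starts at zero (its initial value is not in the snippet), and the demo functions with their 300-byte run of 'A' bytes are constructed here to mirror the file described in the thread.

```c
#include <stddef.h>
#include <string.h>
#define COPY_LIMIT 0xC7   /* the constant in "cmp edx, 0C7h" (199) */

/* The loop as read off the posted disassembly (eax: source pointer, edi: source
 * end, esi: dst - src, edx: byte counter, cl: current byte).  Assumption: edx
 * starts at 0, which the snippet does not show.  Returns bytes written to dst. */
size_t copy_line_as_disassembled(unsigned char *dst, const unsigned char *src, size_t src_len)
{
    size_t count = 0, i = 0;
    if (src_len == 0)               /* the loop is do-while; guard the first read */
        return 0;
    do {
        unsigned char c = src[i];   /* mov cl, [eax]            */
        dst[i] = c;                 /* mov [esi+eax], cl        */
        count++; i++;               /* inc edx / inc eax        */
        if (c == 0x0A || count >= COPY_LIMIT)   /* jz / jge exits */
            break;
    } while (i < src_len);          /* cmp eax, edi / jb        */
    return count;
}

/* Defensive variant: the copy is additionally bounded by the destination's
 * capacity, which the loop above never consults. */
size_t copy_line_bounded(unsigned char *dst, size_t dst_cap, const unsigned char *src, size_t src_len)
{
    size_t limit = dst_cap < COPY_LIMIT ? dst_cap : COPY_LIMIT;
    size_t count = 0;
    while (count < limit && count < src_len) {
        dst[count] = src[count];
        if (dst[count++] == 0x0A)   /* newline copied: stop, as the original does */
            break;
    }
    return count;
}

/* Constructed input modelled on the file described in the thread: a 300-byte run
 * of 'A' with no newline.  The first copy stops only at COPY_LIMIT (199 bytes);
 * the bounded copy stops at its 32-byte destination. */
size_t demo_as_disassembled(void)
{
    unsigned char src[300], scratch[300];   /* scratch is oversized on purpose */
    memset(src, 'A', sizeof src);
    return copy_line_as_disassembled(scratch, src, sizeof src);
}
size_t demo_bounded(void)
{
    unsigned char src[300], dst[32];
    memset(src, 'A', sizeof src);
    return copy_line_bounded(dst, sizeof dst, src, sizeof src);
}
```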