From gtheall at tenable.com Tue Oct 1 20:23:13 2013
From: gtheall at tenable.com (George Theall)
Date: Wed, 2 Oct 2013 01:23:13 +0000
Subject: [VIM] Adtran Netvanta 7100 and 7060 CVE-2013-5210 Multiple Security Vulnerabilities
Message-ID: <092EF61A-12D8-408A-AAD0-E62096F5CBB0@tenable.com>

Dinesh / Narayan / Venkat / Rob : would you please provide clarification about the differences between BIDs 62754, created today, and 62498, created 9/19? Both concern multiple security vulnerabilities in Adtran Netvanta devices, credit J. Oquendo, and reference CVE-2013-5210. The more recent one only talks about a cross-site scripting vulnerability and a session renegotiation vulnerability and says Adtran Netvanta 7100 and 7060 are affected. The older one talks about a cross-site scripting, session renegotiation and multiple unspecified vulnerabilities and only talks about Adtran Netvanta 7100.

George
--
theall at tenable.com

From Dinesh_Theerthagiri at symantec.com Wed Oct 2 00:32:27 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Tue, 1 Oct 2013 22:32:27 -0700
Subject: [VIM] AjaXplorer 'checkInstall.php' Remote Command Execution Vulnerability
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B574529B92FB8@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hi George,

Thanks for correcting us.

BID:62603 needs to be retired, as the source link itself saying that issue is covered in BID:39334.
http://tools.cisco.com/security/center/viewAlert.x?alertId=30942

We wrote the BID:62603 from the above link, Refer:3320756

Versions prior to 2.6 are not vulnerable,.. so it is ok to update the BID:39334 with version 2.6.1.

From secunia advisory:
The vulnerabilities are reported in versions prior to 2.6 and 2.6.1.
http://secunia.com/advisories/39331/

From OSVDB adv:
Upgrade to version 2.6 or higher.
http://www.osvdb.com/show/osvdb/63552

Vendor link:
http://ajaxplorer.info/ajaxplorer-2-6-x/

Wrongly given "Cisco Secure Access Control Server" in the technical description of the BID:62603 , Replaced Cisco Secure Access Control Server with AjaXplorer.

Retired BID:62603 and updated BID:39334

Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Tuesday, September 24, 2013 7:30 PM
To: Vulnerability Information Managers
Subject: [VIM] AjaXplorer 'checkInstall.php' Remote Command Execution Vulnerability

Dinesh / Narayan / Venkat / Rob : Is there any additional information that you can provide about BID 62603, which was created yesterday. I notice it coincides with an alert that Cisco published -- http://tools.cisco.com/security/center/viewAlert.x?alertId=30942. That explicitly references BugTraq ID 39334, though. So is this new BID a dup or does it truly cover a new vulnerability?

George
--
theall at tenable.com

From Dinesh_Theerthagiri at symantec.com Wed Oct 2 00:41:58 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Tue, 1 Oct 2013 22:41:58 -0700
Subject: [VIM] RubyGems dupe CVE assignment? (for BID / CVE)
In-Reply-To:
References:
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B574529B92FBD@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Hi,

CVE-2013-4287 and CVE-2013-4363 are both different issues.

From the link: http://seclists.org/oss-sec/2013/q3/628
"Ok please please use CVE-2013-4363 for this issue (incomplete fix for CVE-2013-4287)."

And Credit given in the osvdb link is wrong. If you go through the link : http://seclists.org/oss-sec/2013/q3/576
"This vulnerability was discovered by Damir Sharipov ".

At this moment we are sure why this problem occurs. We are trying to fix this asap. Once it's done I'll let you know. But originally we have reference links in the vulnerability report and updated accordingly.
Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Tuesday, September 24, 2013 2:49 AM
To: vim at attrition.org
Subject: [VIM] RubyGems dupe CVE assignment? (for BID / CVE)
Importance: High

http://www.securityfocus.com/bid/62442
CVE-2013-4363

http://osvdb.org/97163
CVE-2013-4287

These have different creditees. The BID entry is too vague to figure out if this is a dupe assignment or not.

http://www.securityfocus.com/bid/62442/solution
Solution: Updates are available. Please see the references or vendor advisory for more information.

http://www.securityfocus.com/bid/62442/references
References: (blank)

It would be really nice if BID could treat the public database differently than their private one to avoid this, as it is very common and entirely frustrating.

From Dinesh_Theerthagiri at symantec.com Wed Oct 2 00:43:34 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Tue, 1 Oct 2013 22:43:34 -0700
Subject: [VIM] RubyGems dupe CVE assignment? (for BID / CVE)
References:
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B574529B92FBF@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

At this moment we are NOT sure why this problem occurs. We are trying to fix this asap. Once it's done I'll let you know.

-----Original Message-----
From: Dinesh Theerthagiri
Sent: Wednesday, October 02, 2013 11:12 AM
To: vim at attrition.org
Subject: RE: [VIM] RubyGems dupe CVE assignment? (for BID / CVE)

Hi,

CVE-2013-4287 and CVE-2013-4363 are both different issues.

From the link: http://seclists.org/oss-sec/2013/q3/628
"Ok please please use CVE-2013-4363 for this issue (incomplete fix for CVE-2013-4287)."

And Credit given in the osvdb link is wrong. If you go through the link : http://seclists.org/oss-sec/2013/q3/576
"This vulnerability was discovered by Damir Sharipov ".

At this moment we are sure why this problem occurs. We are trying to fix this asap.
Once it's done I'll let you know. But originally we have reference links in the vulnerability report and updated accordingly.

Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Tuesday, September 24, 2013 2:49 AM
To: vim at attrition.org
Subject: [VIM] RubyGems dupe CVE assignment? (for BID / CVE)
Importance: High

http://www.securityfocus.com/bid/62442
CVE-2013-4363

http://osvdb.org/97163
CVE-2013-4287

These have different creditees. The BID entry is too vague to figure out if this is a dupe assignment or not.

http://www.securityfocus.com/bid/62442/solution
Solution: Updates are available. Please see the references or vendor advisory for more information.

http://www.securityfocus.com/bid/62442/references
References: (blank)

It would be really nice if BID could treat the public database differently than their private one to avoid this, as it is very common and entirely frustrating.

From jericho at attrition.org Wed Oct 2 17:49:42 2013
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 2 Oct 2013 17:49:42 -0500 (CDT)
Subject: [VIM] RubyGems dupe CVE assignment? (for BID / CVE)
In-Reply-To: <86E9E90EE35E9041B100B9ED1D5C8B574529B92FBD@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <86E9E90EE35E9041B100B9ED1D5C8B574529B92FBD@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID:

Dinesh,

On Tue, 1 Oct 2013, Dinesh Theerthagiri wrote:

: CVE-2013-4287 and CVE-2013-4363 are both different issues.

I see the confusion now. First, OSVDB does not split in these cases as CVE does if the incomplete fix was quickly discovered and properly fixed. If enough time lapses, or the fix introduces additional concerns, we will split.

: And Credit given in the osvdb link is wrong. If you go through the link :
: http://seclists.org/oss-sec/2013/q3/576
:
: "This vulnerability was discovered by Damir Sharipov ".

Yep, our mistake. I have fixed 97163 to reflect this.
Thanks for the pointer!

From Dinesh_Theerthagiri at symantec.com Thu Oct 3 14:00:46 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Thu, 3 Oct 2013 12:00:46 -0700
Subject: [VIM] Adtran Netvanta 7100 and 7060 CVE-2013-5210 Multiple Security Vulnerabilities
In-Reply-To: <092EF61A-12D8-408A-AAD0-E62096F5CBB0@tenable.com>
References: <092EF61A-12D8-408A-AAD0-E62096F5CBB0@tenable.com>
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B574529B93817@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Thanks George

Retired the latest BID: 62754 and updated the old BID: 62498 with additional information.

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Wednesday, October 02, 2013 6:53 AM
To: Vulnerability Information Managers
Subject: [VIM] Adtran Netvanta 7100 and 7060 CVE-2013-5210 Multiple Security Vulnerabilities

Dinesh / Narayan / Venkat / Rob : would you please provide clarification about the differences between BIDs 62754, created today, and 62498, created 9/19? Both concern multiple security vulnerabilities in Adtran Netvanta devices, credit J. Oquendo, and reference CVE-2013-5210. The more recent one only talks about a cross-site scripting vulnerability and a session renegotiation vulnerability and says Adtran Netvanta 7100 and 7060 are affected. The older one talks about a cross-site scripting, session renegotiation and multiple unspecified vulnerabilities and only talks about Adtran Netvanta 7100.

George
--
theall at tenable.com

From gtheall at tenable.com Thu Oct 10 20:12:57 2013
From: gtheall at tenable.com (George Theall)
Date: Fri, 11 Oct 2013 01:12:57 +0000
Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability
Message-ID: <22F560F0-3FBE-4272-87A9-78A5C8136FAC@tenable.com>

Dinesh / Narayan / Venkat / Rob : would you help me understand the reasoning for SecurityFocus' retiring BID 62802?
This is for the memory corruption vulnerability (CVE-2013-3871) that Microsoft noted was included by mistake in MS13-080 and intends to patch at a later date. There's still a memory corruption vulnerability regardless of whether it's been patched, right?

George
--
theall at tenable.com

From Dinesh_Theerthagiri at symantec.com Fri Oct 11 14:25:17 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Fri, 11 Oct 2013 12:25:17 -0700
Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability
In-Reply-To: <22F560F0-3FBE-4272-87A9-78A5C8136FAC@tenable.com>
References: <22F560F0-3FBE-4272-87A9-78A5C8136FAC@tenable.com>
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B574529F9AC1D@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

George,

We are sure yet whether CVE-2013-3871 is related to Memory Corruption Vulnerability types. There could be possibility that this CVE was reserved for some other Vulnerability type for future release, that we are not sure either. There is no much information from MS too.

They also say that CVE-2013-3871 will be addressed in future release , may in November 2013.

http://technet.microsoft.com/en-us/security/bulletin/ms13-080

In this bulletin they say
" V1.3 (October 10, 2013): Bulletin revised to remove CVE-2013-3871 from the vulnerabilities addressed by this update. Including this CVE in the original security bulletin text was a documentation error. CVE-2013-3871 is scheduled to be addressed in a future security update. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action."

Currently, we retired the BID 62802 to avoid more confusion and we'll update based on Microsoft's confirmed information.
Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Friday, October 11, 2013 6:43 AM
To: Vulnerability Information Managers
Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability

Dinesh / Narayan / Venkat / Rob : would you help me understand the reasoning for SecurityFocus' retiring BID 62802? This is for the memory corruption vulnerability (CVE-2013-3871) that Microsoft noted was included by mistake in MS13-080 and intends to patch at a later date. There's still a memory corruption vulnerability regardless of whether it's been patched, right?

George
--
theall at tenable.com

From gtheall at tenable.com Fri Oct 11 15:12:31 2013
From: gtheall at tenable.com (George Theall)
Date: Fri, 11 Oct 2013 20:12:31 +0000
Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability
In-Reply-To: <86E9E90EE35E9041B100B9ED1D5C8B574529F9AC1D@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <22F560F0-3FBE-4272-87A9-78A5C8136FAC@tenable.com> <86E9E90EE35E9041B100B9ED1D5C8B574529F9AC1D@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID: <8C50DE30-991E-436B-9BA9-B79753406A26@tenable.com>

On Oct 11, 2013, at 3:25 PM, Dinesh Theerthagiri wrote:

> George,
>
> We are sure yet whether CVE-2013-3871 is related to Memory Corruption Vulnerability types. There could be possibility that this CVE was reserved for some other Vulnerability type for future release, that we are not sure either. There is no much information from MS too.
>
> They also say that CVE-2013-3871 will be addressed in future release , may in November 2013.
>
> http://technet.microsoft.com/en-us/security/bulletin/ms13-080
>
> In this bulletin they say
> " V1.3 (October 10, 2013): Bulletin revised to remove CVE-2013-3871 from the vulnerabilities addressed by this update. Including this CVE in the original security bulletin text was a documentation error. CVE-2013-3871 is scheduled to be addressed in a future security update. This is an informational change only. Customers who have already successfully updated their systems do not need to take any action."
>
> Currently, we retired the BID 62802 to avoid more confusion and we'll update based on Microsoft's confirmed information.

Microsoft's not saying that the CVE might be allocated to some other vulnerability, only that they mistakenly claimed a fix for it had been released as part of MS13-080. Mitre has not rejected the CVE either, although that entry still references MS13-080.

Perhaps someone from ZDI can shed some light since, according to an earlier copy of the advisory (http://web.archive.org/web/20131009121613/http:/technet.microsoft.com/en-us/security/bulletin/ms13-080), the CVE is for an issue reported by Simon Zukerbraun working through them.

>
> Thanks,
> T.Dinesh
>
> -----Original Message-----
> From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
> Sent: Friday, October 11, 2013 6:43 AM
> To: Vulnerability Information Managers
> Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability
>
> Dinesh / Narayan / Venkat / Rob : would you help me understand the reasoning for SecurityFocus' retiring BID 62802? This is for the memory corruption vulnerability (CVE-2013-3871) that Microsoft noted was included by mistake in MS13-080 and intends to patch at a later date. There's still a memory corruption vulnerability regardless of whether it's been patched, right?
>
>
> George
> --
> theall at tenable.com
>

George
--
theall at tenable.com

From jericho at attrition.org Fri Oct 11 15:44:18 2013
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 11 Oct 2013 15:44:18 -0500 (CDT)
Subject: [VIM] Microsoft Internet Explorer CVE-2013-3871 Memory Corruption Vulnerability
In-Reply-To: <8C50DE30-991E-436B-9BA9-B79753406A26@tenable.com>
References: <22F560F0-3FBE-4272-87A9-78A5C8136FAC@tenable.com> <86E9E90EE35E9041B100B9ED1D5C8B574529F9AC1D@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM> <8C50DE30-991E-436B-9BA9-B79753406A26@tenable.com>
Message-ID:

: Mitre has not rejected the CVE either, although that entry still
: references MS13-080.
:
: Perhaps someone from ZDI can shed some light since, according to an
: earlier copy of the advisory
: (http://web.archive.org/web/20131009121613/http:/technet.microsoft.com/en-us/security/bulletin/ms13-080),
: the CVE is for an issue reported by Simon Zukerbraun working through
: them.

http://www.zerodayinitiative.com/advisories/ZDI-13-232/

This was public for a bit. OSVDB 98199 was mangled to reflect the information in that advisory. Given that ZDI yanked it and MS is saying "addressed in future", I imagine that this accidental disclosure is accurate, but not patched as previously thought. CVE is still reflecting the unspecified memory corruption issue.

From jericho at attrition.org Wed Oct 23 20:54:18 2013
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 23 Oct 2013 20:54:18 -0500 (CDT)
Subject: [VIM] BID 63301?
Message-ID:

re: Contexis

Are you guys sure this is software? Looks like a consulting / web design service, not a product.

http://www.exis-ti.com/es/index.html?locale=es

From jericho at attrition.org Thu Oct 24 15:24:09 2013
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 24 Oct 2013 15:24:09 -0500 (CDT)
Subject: [VIM] BID 63301?
In-Reply-To:
References:
Message-ID:

http://seclists.org/fulldisclosure/2013/Oct/221

Here is the disclosure for it.
They are saying "1.0" is vuln, and the vendor page shows "2.0" on a box. However, all of the wording implies this is a hosted solution, not a real product.

Thoughts?

On Wed, 23 Oct 2013, security curmudgeon wrote:

:
: re: Contexis
:
: Are you guys sure this is software? Looks like a consulting / web design
: service, not a product.
:
: http://www.exis-ti.com/es/index.html?locale=es
:

From kseifried at redhat.com Fri Oct 25 23:47:14 2013
From: kseifried at redhat.com (Kurt Seifried)
Date: Fri, 25 Oct 2013 22:47:14 -0600
Subject: [VIM] BID Duplicate for CVE-2012-0874
Message-ID: <526B4952.9030508@redhat.com>

http://www.securityfocus.com/bid/62854 is actually CVE-2012-0874
(covered by http://www.securityfocus.com/bid/57552)

Apparently it's just a new avenue of attack (not sure how BID splits
so this may be OK for BID but it shouldn't get another CVE). Arun can
confirm/etc.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

From abn at redhat.com Sun Oct 27 19:28:12 2013
From: abn at redhat.com (Arun Babu Neelicattu)
Date: Mon, 28 Oct 2013 10:28:12 +1000
Subject: [VIM] BID Duplicate for CVE-2012-0874
In-Reply-To: <526B4952.9030508@redhat.com>
References: <526B4952.9030508@redhat.com>
Message-ID: <1382920092.2281.5.camel@localhost.localdomain>

That is correct, both BIDs describe CVE-2012-0874. The exploit included in BID 62854 is just a repackaging of the exploit and methods detailed in [1], which is covered by BID 57552.

Hope that helps.

[1] https://www.redteam-pentesting.de/publications/2009-11-30-Whitepaper_Whos-the-JBoss-now_RedTeam-Pentesting_EN.pdf
[2] https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2012-0874

--
Arun Neelicattu / Red Hat Security Response Team
PGP: 0xC244393B 5229 F596 474F 00A1 E416 CF8B 36F5 5054 C244 393B

On Fri, 2013-10-25 at 22:47 -0600, Kurt Seifried wrote:
> http://www.securityfocus.com/bid/62854 is actually CVE-2012-0874
> (covered by http://www.securityfocus.com/bid/57552)
>
> Apparently it's just a new avenue of attack (not sure how BID splits
> so this may be OK for BID but it shouldn't get another CVE). Arun can
> confirm/etc.
>
>

From gtheall at tenable.com Mon Oct 28 06:04:30 2013
From: gtheall at tenable.com (George Theall)
Date: Mon, 28 Oct 2013 11:04:30 +0000
Subject: [VIM] BID Duplicate for CVE-2012-0874
In-Reply-To: <526B4952.9030508@redhat.com>
References: <526B4952.9030508@redhat.com>
Message-ID: <0EF80E66-32A4-4A25-92FC-26012981CE36@tenable.com>

On Oct 26, 2013, at 12:47 AM, Kurt Seifried wrote:

> http://www.securityfocus.com/bid/62854 is actually CVE-2012-0874
> (covered by http://www.securityfocus.com/bid/57552)
>
> Apparently it's just a new avenue of attack (not sure how BID splits
> so this may be OK for BID but it shouldn't get another CVE). Arun can
> confirm/etc.

There seems to be some overlap with CVE-2013-4810 / OSVDB 97153 / ZDI-13-229 too.

>
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

George
--
theall at tenable.com

From Dinesh_Theerthagiri at symantec.com Mon Oct 28 10:47:25 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Mon, 28 Oct 2013 08:47:25 -0700
Subject: [VIM] BID 63301?
In-Reply-To:
References:
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B57452AEA3811@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Thanks right , they are saying "Contexis 1.0" is vulnerable and its fixed in "Contexis 2.0". But still we are not able to find the download product.

Can you anybody please tell, no what basics CVE will be assigned. As of my understanding goes CVE are assigned only for downloadable application.

Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of security curmudgeon
Sent: Friday, October 25, 2013 1:54 AM
To: Vulnerability Information Managers
Subject: Re: [VIM] BID 63301?
Importance: High

http://seclists.org/fulldisclosure/2013/Oct/221

Here is the disclosure for it. They are saying "1.0" is vuln, and the vendor page shows "2.0" on a box. However, all of the wording implies this is a hosted solution, not a real product.

Thoughts?

On Wed, 23 Oct 2013, security curmudgeon wrote:

:
: re: Contexis
:
: Are you guys sure this is software? Looks like a consulting / web design
: service, not a product.
:
: http://www.exis-ti.com/es/index.html?locale=es
:

From gtheall at tenable.com Mon Oct 28 15:00:33 2013
From: gtheall at tenable.com (George Theall)
Date: Mon, 28 Oct 2013 20:00:33 +0000
Subject: [VIM] vBulletin 'upgrade.php' Remote Code Injection Vulnerability
Message-ID: <3E0F15FE-0048-42BE-B7A8-B40870C69C4E@tenable.com>

Dinesh / Narayan / Venkat / Rob : Can you clarify how BID 63380 differs from BID 62909? Both concern vBulletin's install/upgrade.php script. The former was created today and contains as a link http://www.securityfocus.com/archive/1/529467; the latter is from October 10th and links to http://osvdb.org/ref/97/vbulletin-remote.txt. Comparing the PoCs in those two links suggests to me that they're the same issue.

George
--
theall at tenable.com

From jericho at attrition.org Mon Oct 28 15:02:11 2013
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 28 Oct 2013 15:02:11 -0500 (CDT)
Subject: [VIM] vBulletin 'upgrade.php' Remote Code Injection Vulnerability
In-Reply-To: <3E0F15FE-0048-42BE-B7A8-B40870C69C4E@tenable.com>
References: <3E0F15FE-0048-42BE-B7A8-B40870C69C4E@tenable.com>
Message-ID:

On Mon, 28 Oct 2013, George Theall wrote:

: Dinesh / Narayan / Venkat / Rob : Can you clarify how BID 63380 differs
: from BID 62909? Both concern vBulletin's install/upgrade.php script. The
: former was created today and contains as a link
: http://www.securityfocus.com/archive/1/529467; the latter is from
: October 10th and links to http://osvdb.org/ref/97/vbulletin-remote.txt.
: Comparing the PoCs in those two links suggests to me that they're the
: same issue.

The vBulletin issue has been disclosed differently in many forums. Our evaluation of the Bugtraq post says it is the same issue and we have already merged it as well.

From jericho at attrition.org Mon Oct 28 16:18:12 2013
From: jericho at attrition.org (security curmudgeon)
Date: Mon, 28 Oct 2013 16:18:12 -0500 (CDT)
Subject: [VIM] BID 63301?
In-Reply-To: <86E9E90EE35E9041B100B9ED1D5C8B57452AEA3811@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
References: <86E9E90EE35E9041B100B9ED1D5C8B57452AEA3811@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>
Message-ID:

On Mon, 28 Oct 2013, Dinesh Theerthagiri wrote:

: Thanks right , they are saying "Contexis 1.0" is vulnerable and its
: fixed in "Contexis 2.0". But still we are not able to find the download
: product.
:
: Can you anybody please tell, no what basics CVE will be assigned. As of
: my understanding goes CVE are assigned only for downloadable
: application.

Correct. If it is a site specific issue, no CVE will be assigned.

We see this pretty frequently these days. A company will put a general 'version' on their product, which is custom one-off web sites. In some cases, a researcher will find a vulnerability in several web sites where they re-used the same code. We've tracked it down many times and figured out it was the same design company re-using code, not an actual product.

From Dinesh_Theerthagiri at symantec.com Tue Oct 29 15:01:45 2013
From: Dinesh_Theerthagiri at symantec.com (Dinesh Theerthagiri)
Date: Tue, 29 Oct 2013 13:01:45 -0700
Subject: [VIM] vBulletin 'upgrade.php' Remote Code Injection Vulnerability
In-Reply-To: <3E0F15FE-0048-42BE-B7A8-B40870C69C4E@tenable.com>
References: <3E0F15FE-0048-42BE-B7A8-B40870C69C4E@tenable.com>
Message-ID: <86E9E90EE35E9041B100B9ED1D5C8B57452AEA3F81@APJ1XCHEVSPIN30.SYMC.SYMANTEC.COM>

Thanks for correcting George.

63380 is retired. 62909 is updated accordingly with an exploit code .

Thanks,
T.Dinesh

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Tuesday, October 29, 2013 1:31 AM
To: Vulnerability Information Managers
Subject: [VIM] vBulletin 'upgrade.php' Remote Code Injection Vulnerability

Dinesh / Narayan / Venkat / Rob : Can you clarify how BID 63380 differs from BID 62909? Both concern vBulletin's install/upgrade.php script. The former was created today and contains as a link http://www.securityfocus.com/archive/1/529467; the latter is from October 10th and links to http://osvdb.org/ref/97/vbulletin-remote.txt. Comparing the PoCs in those two links suggests to me that they're the same issue.

George
--
theall at tenable.com

From amanion at cert.org Wed Oct 30 15:39:20 2013
From: amanion at cert.org (Art Manion)
Date: Wed, 30 Oct 2013 16:39:20 -0400
Subject: [VIM] "CVE-2013-6286"
Message-ID: <52716E78.3050909@cert.org>

I'm not sure if this has happened elsewhere, or that it matters much, but a colleague came across this mildly amusing collision with the CVE name space. Thought we'd share.

 - Art