From coley at linus.mitre.org Wed Aug 1 15:47:03 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 1 Aug 2007 11:47:03 -0400 (EDT)
Subject: [VIM] VIM / VDB Blackhat Gathering

Reminder all, we're having a VIM / VDB gathering tonight, Aug 1, at 7:00 PM
at the Shadow Bar. Note that the OWASP/WASC party is happening at 8.

Str0ke, maybe we could have a separate gathering at Defcon?

- Steve


From str0ke at milw0rm.com Wed Aug 1 16:17:58 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 1 Aug 2007 11:17:58 -0500
Subject: [VIM] VIM / VDB Blackhat Gathering
Message-ID: <814b9d50708010917p7fa26ae2sfc05dbf27690911f@mail.gmail.com>

Sounds good, will have a few drinks on the 2nd - 5th :)

On 8/1/07, Steven M. Christey wrote:
>
> Reminder all, we're having a VIM / VDB gathering tonight, Aug 1, at 7:00
> PM at the Shadow Bar. Note that the OWASP/WASC party is happening at 8.
>
> Str0ke, maybe we could have a separate gathering at Defcon?
>
> - Steve
>


From theall at tenablesecurity.com Thu Aug 2 19:19:00 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 02 Aug 2007 15:19:00 -0400
Subject: [VIM] False: Pluck 4.3 themes.php Remote File Inclusion and disclosure
Message-ID: <46B22E24.1030609@tenablesecurity.com>

The issues involving Pluck that were reported today by Aria Security look
bogus to me. Their posting is here:

  http://archives.neohapsis.com/archives/bugtraq/2007-08/0017.html

First, we supposedly have a remote file include, but looking at the code
in 'data/inc/theme.php' from version 4.3 we see:

---- snip, snip, snip ----
function read_dir($dir) {
    $path = opendir($dir);
    while (false !== ($file = readdir($path))) {
        if(($file !== ".") and ($file !== "..") and ($file !== "themepref.php") and ($file !== "predefined_variables.php")) {
            if(is_file($dir."/".$file)) $files[]=$file;
            else $dirs[]=$dir."/".$file;
        }
    }
    if($dirs) {
        foreach ($dirs as $dir) {
            include ("$dir/theme.php");
            ...

read_dir("data/inc/themes");
---- snip, snip, snip ----

In other words, the code claimed to be vulnerable occurs in a function
which is called with an argument that is not under the attacker's control.

Second, there's supposedly a file disclosure issue involving the same
script. The actual code looks like this:

---- snip, snip, snip ----
//Save the theme-data
if(isset($_POST['Submit'])) {
    $data = "data/inc/themes/themepref.php";
    $file = fopen($data, "w");
    fputs($file, "");
    fclose($file);
    echo "$lang_theme3 ";
}
---- snip, snip, snip ----

Thus, the code is actually writing to a specific file -- no chance of
reading and displaying its contents.

Lastly... you have to be logged in to access the script as it starts with
this:

---- snip, snip, snip ----
//Check if we're logged in
if ($_SESSION["cmssystem_loggedin"] != "ok") {
    echo "access denied";
    exit;
}
---- snip, snip, snip ----

George
-- 
theall at tenablesecurity.com


From coley at mitre.org Wed Aug 8 23:47:44 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 8 Aug 2007 19:47:44 -0400 (EDT)
Subject: [VIM] scraping the Sun web site for alerts
Message-ID: <200708082347.l78Nlitj007669@faron.mitre.org>

How are people automatically grabbing Sun alerts now that their page puts
up a disclaimer? This URL:

http://sunsolve.sun.com/search/advsearch.do?collection=SUNALERT&type=collections&sort=date&queryKey4=%22category:security%22%20%22availability,%20security%22%20category:security&max=100

which was obtained from this main page:

http://sunsolve.sun.com/show.do?target=security/sec

doesn't even list the most recent 6 or 7 alerts, even - once you get
through the disclaimer, which I'd rather not spend the 15 minutes figuring
out how to automate. On principle, I shouldn't have to set cookies or
other strange stuff just to get vuln information from a vendor.

I'm not sure I want to monitor their blog, but
http://blogs.sun.com/security/category/Alerts seems like it might work for
now.

- Steve


From smoore at securityglobal.net Thu Aug 9 03:41:07 2007
From: smoore at securityglobal.net (Stuart Moore)
Date: Wed, 08 Aug 2007 23:41:07 -0400
Subject: [VIM] scraping the Sun web site for alerts
In-Reply-To: <200708082347.l78Nlitj007669@faron.mitre.org>
References: <200708082347.l78Nlitj007669@faron.mitre.org>
Message-ID: <46BA8CD3.4070405@securityglobal.net>

Steve,

To solve the problem of not having the most recent alerts listed, try
changing your queryKey4 to "security+availability" or
"category:security+category:availability" instead of what you are using.
I can't explain why this works better, but it does.

Stuart

Steven M. Christey wrote:
> How are people automatically grabbing Sun alerts now that their page
> puts up a disclaimer? This URL:
>
> http://sunsolve.sun.com/search/advsearch.do?collection=SUNALERT&type=collections&sort=date&queryKey4=%22category:security%22%20%22availability,%20security%22%20category:security&max=100
>
> which was obtained from this main page:
>
> http://sunsolve.sun.com/show.do?target=security/sec
>
> doesn't even list the most recent 6 or 7 alerts, even - once you get
> through the disclaimer, which I'd rather not spend the 15 minutes
> figuring out how to automate. On principle, I shouldn't have to set
> cookies or other strange stuff just to get vuln information from a
> vendor.
>
> I'm not sure I want to monitor their blog, but
> http://blogs.sun.com/security/category/Alerts seems like it might work
> for now.
>
> - Steve
>


From bressers at redhat.com Thu Aug 9 11:14:34 2007
From: bressers at redhat.com (Josh Bressers)
Date: Thu, 09 Aug 2007 07:14:34 -0400
Subject: [VIM] scraping the Sun web site for alerts
In-Reply-To: <200708082347.l78Nlitj007669@faron.mitre.org>
References: <200708082347.l78Nlitj007669@faron.mitre.org>
Message-ID: <3334.1186658074@devserv.devel.redhat.com>

>
> How are people automatically grabbing Sun alerts now that their page
> puts up a disclaimer?
> This URL:
>
> http://sunsolve.sun.com/search/advsearch.do?collection=SUNALERT&type=collections&sort=date&queryKey4=%22category:security%22%20%22availability,%20s
> ecurity%22%20category:security&max=100
>
> which was obtained from this main page:
>
> http://sunsolve.sun.com/show.do?target=security/sec
>
> doesn't even list the most recent 6 or 7 alerts, even - once you get
> through the disclaimer, which I'd rather not spend the 15 minutes
> figuring out how to automate. On principle, I shouldn't have to set
> cookies or other strange stuff just to get vuln information from a
> vendor.
>
> I'm not sure I want to monitor their blog, but
> http://blogs.sun.com/security/category/Alerts seems like it might work
> for now.
>

Here's the script we're using, it seems to work pretty well.

-- 
    JB

-------------- next part --------------
#!/usr/bin/env python
import urllib2
import sys
import cookielib,urllib,urllib2

# mschoene at redhat.com
# grab latest errors from sunsolve

# Default search URL; in practice the URL is read from the file named on the
# command line (the second attachment below holds the same URL).
url = "http://sunsolve.sun.com/search/advsearch.do?queryKey1=&queryKey2=JDK+and+JRE+5.0+Update+12&queryKey3=&queryKey4=%22category%3Asecurity%22+%22availability%2C+security%22+category%3Asecurity&queryKey5=&type=collections&collection=all&collection=SUNALERT&repository=cds&language=en&max=100&updateDate=0&sort=date&Search=Search+%3E%3E"

class my_redirect_handler(urllib2.HTTPRedirectHandler):
    # Captures the session cookie that SunSolve sets on the disclaimer
    # redirect, so a second request can present it and skip the disclaimer.
    cookie =""

    def returncookie(self):
        return self.cookie

    def http_error_302(self, req, fp, code, msg, headers):
        # print "got response..."
        import re,sys
        # ["JSESSIONID", "<value>"] after the split on "="
        self.cookie = re.search("Set-Cookie:\s+(.+?);\ Path", str(headers)).group(1).split("=")
        # print "got cookie...=%s" %self.cookie

def parsesundoc(doc):
    """
    Security Vulnerability With Java Web Start May Allow Application to Escalate Privileges
    Document ID: 102957   Jun 28, 2007   PUBLIC   Sun Alert Notifications

    """
    import re
    # The HTML-tag portion of this pattern (the anchor around each alert
    # title) did not survive the archived copy; the loops below expect
    # findall() to return (url, text, id) triples, i.e. three groups.
    z=re.compile("""\s+?(.+?)\s*?.+?>Document ID: (\d+)""",re.S|re.M)
    vulns = z.findall(doc)
    return vulns

def testwithfile():
    # Offline test against a saved copy of the search results page.
    l = file("suntestdoc.html","r").read()
    vulns= parsesundoc(l)
    for (url,text,id) in vulns:
        print "%s=>%s" % (id,text)
    sys.exit(0)

if __name__=='__main__':
    # argv[1] names a file containing the search URL to fetch
    f=file(sys.argv[1],"r").read()
    myhandler302 = my_redirect_handler()
    # First request: expected to hit the disclaimer redirect and hand us a cookie.
    try:
        urlOpener = urllib2.build_opener(myhandler302)
        request = urllib2.Request(f, None)
        request.add_header('User-Agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.7')
        url = urlOpener.open(request)
    except Exception, e:
        # print e
        pass
    (a,b)=myhandler302.returncookie()
    url=None
    # Second request: present the session id plus an "SLA accepted" cookie.
    try:
        urlOpener = urllib2.build_opener()
        # urlOpener = urllib2.build_opener(urllib2.HTTPHandler(debuglevel=0))
        request = urllib2.Request(f, None)
        request.add_header('User-Agent', 'Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20070515 Firefox/2.0.0.7')
        request.add_header('Cookie',"ComparisonSurvey=true; s_sq=; s_cc=true; SunSolve_SLA=accept=Y; mySunSolveURL=http://sunsolve.sun.com; JSESSIONID=%s" % b)
        url = urlOpener.open(request)
    except Exception, e:
        print e
        pass
    #Cookie=s_sq=; s_cc=true; SunSolve_SLA=accept=Y; mySunSolveURL=http://sunsolve.sun.com; JSESSIONID=49b639551c663833b7378e75cabb
    z = url.read()
    # print url.headers
    # print z
    vulns = parsesundoc(z)
    for (url,text,id) in vulns:
        print "%s=>%s" % (id,text)
-------------- next part --------------
http://sunsolve.sun.com/search/advsearch.do?queryKey1=&queryKey2=JDK+and+JRE+5.0+Update+12&queryKey3=&queryKey4=%22category%3Asecurity%22+%22availability%2C+security%22+category%3Asecurity&queryKey5=&type=collections&collection=all&collection=SUNALERT&repository=cds&language=en&max=100&updateDate=0&sort=date&Search=Search+%3E%3E


From coley at linus.mitre.org Thu Aug 9 18:05:56 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 9 Aug 2007 14:05:56 -0400 (EDT)
Subject: [VIM] vendor ACK - Advanced Searchbar - CVE-2007-4250

---------- Forwarded message ----------
Date: Thu, 9 Aug 2007 06:53:25 -0400
From: [DELETED]@advancedsearchbar.com
To: cve at mitre.org
Subject: Advanced Searchbar - CVE-2007-4250 (under review)

The isChecked vulnerability with the Advanced Searchbar has been
patched/repaired in the newest version 3.33

http://www.advancedsearchbar.com/asbsetup.exe

Advanced Search Technologies, Inc.


From coley at mitre.org Thu Aug 9 20:09:11 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 9 Aug 2007 16:09:11 -0400 (EDT)
Subject: [VIM] true with clarification: fishcart RFI
Message-ID: <200708092009.l79K9BAM001443@faron.mitre.org>

Ref: http://www.milw0rm.com/exploits/4271

Specified CVS snapshot "fishcart_snap_2007_08_03.tgz" no longer exists.

milw0rm title says "<= 3.2RC2"

For Version 3.1 in fishcart_v3/fc_functions/fc_example.php:

so no go on that version anyway.

HOWEVER, version 3.2RC2 has:

as its first line.

Older versions are available but I didn't check.

- Steve


From str0ke at milw0rm.com Thu Aug 9 20:59:11 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 9 Aug 2007 15:59:11 -0500
Subject: [VIM] true with clarification: fishcart RFI
In-Reply-To: <200708092009.l79K9BAM001443@faron.mitre.org>
References: <200708092009.l79K9BAM001443@faron.mitre.org>
Message-ID: <814b9d50708091359v448ed197la01d21530e600ba5@mail.gmail.com>

The version before it should be vulnerable as well. 3.2RC1?

/str0ke

On 8/9/07, Steven M. Christey wrote:
>
> Ref: http://www.milw0rm.com/exploits/4271
>
> Specified CVS snapshot "fishcart_snap_2007_08_03.tgz" no longer
> exists.
>
> milw0rm title says "<= 3.2RC2"
>
> For Version 3.1 in fishcart_v3/fc_functions/fc_example.php:
>
>
>
> so no go on that version anyway.
>
> HOWEVER, version 3.2RC2 has:
>
>
>
> as its first line.
>
> Older versions are available but I didn't check.
>
> - Steve
>


From theall at tenablesecurity.com Mon Aug 13 15:01:19 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 13 Aug 2007 11:01:19 -0400
Subject: [VIM] Bogus: OpenAds / phpAdsNew RFI
Message-ID: <46C0723F.7030401@tenablesecurity.com>

Sorry, I can't find the original advisory, but Bugtraq 25277 looks bogus
to me. Looking at the affected file in either OpenAds 2.0.11-pr1 or
phpAdsNew 2.0.4 For example, the "affected" code for OpenAds 2.0.11-pr1
appears to be this:

---- snip, snip, snip ----
function phpAds_geoLookup()
{
    global $phpAds_config, $phpAds_geoPluginID;

    if (!$phpAds_config['geotracking_type'])
        return;

    // Load plugin
    $phpAds_geoPlugin = phpAds_path."/libraries/geotargeting/geo-".$phpAds_config['geotracking_type'].".inc.php";
    if (@file_exists($phpAds_geoPlugin))
    {
        include_once ($phpAds_geoPlugin);
---- snip, snip, snip ----

The affected variable is only used in this function call. While the
function is indeed called within the script, I don't see how an attacker
can control the value via the 'phpAds_geoPlugin' parameter. Or am I just
missing something?

George
-- 
theall at tenablesecurity.com


From theall at tenablesecurity.com Tue Aug 14 02:33:51 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 13 Aug 2007 22:33:51 -0400
Subject: [VIM] Pixlie 1.7 (pixlie.php root) Remote File Inclusion Vulnerability
Message-ID: <46C1148F.1090603@tenablesecurity.com>

Has anyone had a chance to look at Milw0rm 4278 yet? It's light on
details, but it would seem to involve the 'root' parameter in the
'pixlie.php' script. From the 1.7 distribution, the relevant code seems
to be:

//$root = "/home/www/IhrBenutzer/html";
..
if(!isset($root)){$root = $_SERVER['DOCUMENT_ROOT'];}

Following that, there are some defines that make use of $root, but I
don't see any instances of include(), require(), include_once(),
require_once() or even eval() anywhere in the supposedly-affected file.
So what am I missing?
George
-- 
theall at tenablesecurity.com


From str0ke at milw0rm.com Tue Aug 14 13:30:48 2007
From: str0ke at milw0rm.com (str0ke)
Date: Tue, 14 Aug 2007 08:30:48 -0500
Subject: [VIM] Pixlie 1.7 (pixlie.php root) Remote File Inclusion Vulnerability
In-Reply-To: <46C1148F.1090603@tenablesecurity.com>
References: <46C1148F.1090603@tenablesecurity.com>
Message-ID: <814b9d50708140630h16c99556oe03fe168cb875d86@mail.gmail.com>

You're right, this is a remote file disclosure vulnerability. fopen calls.
Changing it on my end.

/str0ke

On 8/13/07, George A. Theall wrote:
> Has anyone had a chance to look at Milw0rm 4278 yet? It's light on
> details, but it would seem to involve the 'root' parameter in the
> 'pixlie.php' script. From the 1.7 distribution, the relevant code seems
> to be:
>
> //$root = "/home/www/IhrBenutzer/html";
> ..
> if(!isset($root)){$root = $_SERVER['DOCUMENT_ROOT'];}
>
> Following that, there are some defines that make use of $root, but I
> don't see any instances of include(), require(), include_once(),
> require_once() or even eval() anywhere in the supposedly-affected file.
> So what am I missing?
>
> George
> --
> theall at tenablesecurity.com
>


From coley at mitre.org Tue Aug 14 23:30:19 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 14 Aug 2007 19:30:19 -0400 (EDT)
Subject: [VIM] uncertain: FCMS (Family Connections) code execution
Message-ID: <200708142330.l7ENUJbO023011@faron.mitre.org>

Researcher: ilker kandemir

Ref: CVE-2007-4338
BUGTRAQ FCMS (Family Connections) <= 0.1.1 Remote Command Execution Exploit // www.MefistoLabs.com
http://www.securityfocus.com/archive/1/archive/1/476142/100/0/threaded

There's a dispute here:

http://www.securityfocus.com/archive/1/archive/1/476293/100/0/threaded

that points to an "original exploit" for an entirely different product
at http://www.milw0rm.com/exploits/4145, so maybe the dispute is about
copying someone else's exploit without credit.

Looking at the source code for index.php in version 0.6, we have:

  if (isset($_COOKIE['fcms_login_id'])) {
    $_SESSION['login_id'] = $_COOKIE['fcms_login_id'];
  }

but, except for a mysql_query() that might have an SQL injection, the
code only does a meta-refresh to home.php.

There isn't any other code in index.php; the rest are function
definitions.

Now, I don't know how PHP saves and passes session information back to
the user across requests, but maybe this meta-refresh is enough for
deeper access?

Any ideas?

- Steve


From theall at tenablesecurity.com Wed Aug 15 11:42:16 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 15 Aug 2007 07:42:16 -0400
Subject: [VIM] uncertain: FCMS (Family Connections) code execution
In-Reply-To: <200708142330.l7ENUJbO023011@faron.mitre.org>
References: <200708142330.l7ENUJbO023011@faron.mitre.org>
Message-ID: <46C2E698.1030600@tenablesecurity.com>

On 08/14/07 19:30, Steven M. Christey wrote:
> There's a dispute here:
>
> http://www.securityfocus.com/archive/1/archive/1/476293/100/0/threaded
>
> that points to an "original exploit" for an entirely different product
> at http://www.milw0rm.com/exploits/4145, so maybe the dispute is about
> copying someone else's exploit without credit.

I think so. Plus, as hawkgotyou noted, the PoC doesn't work.

> Looking at the source code for index.php in version 0.6, we have:
>
> if (isset($_COOKIE['fcms_login_id'])) {
> $_SESSION['login_id'] = $_COOKIE['fcms_login_id'];
> }
>
> but, except for a mysql_query() that might have an SQL injection, the
> code only does a meta-refresh to home.php.

I agree - the SQL injection looks valid to me. Probably exists in other
places too.

> There isn't any other code in index.php; the rest are function
> definitions.
>
> Now, I don't know how PHP saves and passes session information back to
> the user across requests, but maybe this meta-refresh is enough for
> deeper access?

What's happening is that there's a session created at the start of
index.php. If I'm understanding the code correctly, that will be empty,
at least for normal users, unless you authenticate. You'll still get a
cookie, though, that can be used to track your visits. If you do
authenticate successfully, the login_id session variable will hold the
value of your id, as obtained from the database, and it looks like you
can get another cookie, fcms_login_id, if you select the "Remember me"
checkbox when logging in.

The problem is that you can bypass authentication as ilkerkandemir notes
simply by setting the fcms_login_id cookie to an id of interest. The code
in that case updates the login_id session variable and you will be logged
in as long as you include the session identifying cookie in subsequent
requests. That said, you shouldn't even need to worry about the session
cookie in subsequent requests -- just pass in the fcms_login_id cookie as
scripts like home.php treat it as equivalent to the login_id session
variable.

And finally, the PoC looks bogus to me since I don't see any use of
'content' as passed in remotely in index.php.

George
-- 
theall at tenablesecurity.com


From theall at tenablesecurity.com Fri Aug 17 17:15:50 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 17 Aug 2007 13:15:50 -0400
Subject: [VIM] Recent DB2 Vulnerabilities
Message-ID: <46C5D7C6.1020701@tenablesecurity.com>

Has anyone had a look at the recent vulnerabilities in DB2 announced by
iDefense? Does anyone know how they map to IBM's APARs?

George
-- 
theall at tenablesecurity.com


From coley at linus.mitre.org Sat Aug 18 21:05:56 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Sat, 18 Aug 2007 17:05:56 -0400 (EDT)
Subject: [VIM] Recent DB2 Vulnerabilities
In-Reply-To: <46C5D7C6.1020701@tenablesecurity.com>
References: <46C5D7C6.1020701@tenablesecurity.com>

On Fri, 17 Aug 2007, George A. Theall wrote:

> Has anyone had a look at the recent vulnerabilities in DB2 announced by
> iDefense? Does anyone know how they map to IBM's APARs?

This collectively gave us fits. I was the assigner of the original CVEs,
and used best-available information to merge or split iDefense's various
advisories, pre-disclosure. Post-disclosure, Bill Heinbockel emailed the
iDefense people, and Josh Drake was able to give us enough information to
map between CVE's and APAR's, using private iDefense information to
correlate. Accordingly, we are treating iDefense as the authoritative
source in this case.

Below I've got CVE-to-APAR mappings, APAR-to-CVE mappings, and CVE
descriptions with our analysis fields that will explain more of the
rationale.

We also have a couple "spare" CVEs for DB2 that don't seem to be
associated with any iDefense advisories (CVE-2007-4423 CVE-2007-4418
CVE-2007-4417).

Finally: CVE-wise, this is an extremely complex disclosure, so there's a
small chance that we have an error in here somewhere.
- Steve


===== CVE to APAR =====

CVE-2007-4270  AIXAPAR:IY98210 AIXAPAR:IY99261
CVE-2007-4271  AIXAPAR:IY98210 AIXAPAR:IY99261
CVE-2007-4272  AIXAPAR:IY98011 AIXAPAR:IY98101 AIXAPAR:IY98210
CVE-2007-4273  AIXAPAR:IY98011 AIXAPAR:IY98101
CVE-2007-4275  AIXAPAR:IY97922 AIXAPAR:IY97936 AIXAPAR:IY98176 AIXAPAR:IY98206 AIXAPAR:IZ01923 AIXAPAR:IZ02067
CVE-2007-4276  AIXAPAR:IY97346 AIXAPAR:IY99311

===== APAR TO CVE =====

AIXAPAR:IY98210  CVE-2007-4270 CVE-2007-4271 CVE-2007-4272
AIXAPAR:IY99261  CVE-2007-4270 CVE-2007-4271
AIXAPAR:IY98011  CVE-2007-4272 CVE-2007-4273
AIXAPAR:IY98101  CVE-2007-4272 CVE-2007-4273
AIXAPAR:IY97922  CVE-2007-4275
AIXAPAR:IY97936  CVE-2007-4275
AIXAPAR:IY98176  CVE-2007-4275
AIXAPAR:IY98206  CVE-2007-4275
AIXAPAR:IZ01923  CVE-2007-4275
AIXAPAR:IZ02067  CVE-2007-4275
AIXAPAR:IY97346  CVE-2007-4276
AIXAPAR:IY99311  CVE-2007-4276

===== CVE's not associated with iDefense advisories =====

CVE-2007-4423
CVE-2007-4418
CVE-2007-4417

======================================================
Name: CVE-2007-4270
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4270
Acknowledged: yes advisory
Announced: 20070816
Flaw: race
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Multiple Race Condition Vulnerabilities
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=578
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY98210
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98210
Reference: AIXAPAR:IY99261
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY99261
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Multiple race conditions in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before
Fixpak 3 allow local users to gain root privileges via a symlink attack on
certain files.

Analysis:
MAPPING: The iDefense to IBM mapping was assisted through e-mail
coordination with iDefense.

ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents say
"Symlink Security Vulnerability when DB2 opens files, running as root."
An APAR search for IY99261 or IY98210 provides a truncated "Local
exploitation of a design error in DB2 could allow an attacker to elevate
privileges to root when DB2 opens files," description. The APAR documents
are not readily available.

ACCURACY: This is a resultant symlink issue, not primary, since the
product does test for whether the file is a symlink. However, there is a
race from the point when the product checks the file and when the file is
actually used.

======================================================
Name: CVE-2007-4271
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4271
Acknowledged: yes advisory
Announced: 20070816
Flaw: dot
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Directory Traversal Vulnerability
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=579
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY98210
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98210
Reference: AIXAPAR:IY99261
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY99261
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Directory traversal vulnerability in IBM DB2 UDB 8 before Fixpak 15 and
9.1 before Fixpak 3 allows local users to create arbitrary files via a ..
(dot dot) in an unspecified environment variable, which is appended to
"/tmp/" and used as a log file. NOTE: this issue might be related to
symlink following.

Analysis:
ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents say
"Symlink Security Vulnerability when DB2 opens files, running as root."
An APAR search for IY99261 or IY98210 provides a truncated "Local
exploitation of a design error in DB2 could allow an attacker to elevate
privileges to root when DB2 opens files," description. The APAR documents
are not readily available.

ACCURACY: The attacker does not have control of the data contents, only
the destination file. No specific environment variable was mentioned.

======================================================
Name: CVE-2007-4272
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4272
Acknowledged: yes advisory
Announced: 20070816
Flaw: unk
Reference: IDEFENSE:20070816 IBM DB2 Universal Database Multiple File Creation Vulnerabilities
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=580
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY98011
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98011
Reference: AIXAPAR:IY98101
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98101
Reference: AIXAPAR:IY98210
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98210
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Multiple vulnerabilities in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before
Fixpak 3 allow local users to create arbitrary files via (1) unspecified
vectors where an attacker's umask is honored, (2) /etc/ld.so.preload, (3)
certain "cron data file locations", and other unspecified vectors possibly
involving the (4) OSSEMEMDBG or (5) TRC_LOG_FILE environment variable in
db2licd (db2licm).

Analysis:
ABSTRACTION: This is SPLIT from the "Security vulnerability in db2licm and
db2pd tool" issue because there is apparently different provenance
(IDEFENSE versus unknown).

ACCURACY: The swg21255352 and swg21255607 documents, and the AIXAPAR
titles, say db2licd. The bodies of the AIXAPAR documents say db2licm.

ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents say
"SECURITY: Security vulnerability with db2licd, and the OSSEMEMDBG and
TRC_LOG_FILE environment variables." The APAR documents state "Local
exploitation of a design error in DB2 could allow an attacker to elevate
privileges to root and/or create or change files which the instance user
does not normally have access to when running the tool db2licm, or by
using either the OSSEMEMDBG or TRC_LOG_FILE environment variables. This
problem does not apply to Windows systems. ... This problem was reported
to IBM by an anonymous researcher working with the iDefense Vulnerability
Contributor Program (VCP) and Joshua J. Drake of iDefense."

This seems somewhat similar to CVE-2007-1086, CVE-2007-1087, and
CVE-2007-1088, all of which relate to IDEFENSE document 481. However,
there are a number of discrepancies. First, these three candidates map to
AIXAPAR:IY94833, which says UNIX, Linux, and Windows. Here, Windows is not
affected. Second, IDEFENSE document 481 says that Joshua J. Drake was the
discoverer. Here, the information is "an anonymous researcher working
with the iDefense Vulnerability Contributor Program (VCP) and Joshua J.
Drake of iDefense." Third, AIXAPAR:IY94833 indicates that 9.1 Fixpak 2
has a fix, and here the fix is in Fixpak 3. (Admittedly, the DB2 UDB
version 8 aspect of the fix might conceivably be the same.)
====================================================== Name: CVE-2007-4273 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4273 Acknowledged: yes advisory Announced: 20070816 Flaw: other Reference: IDEFENSE:20070816 IBM DB2 Universal Database Directory Creation Vulnerability Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=581 Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352 Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607 Reference: AIXAPAR:IY98011 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98011 Reference: AIXAPAR:IY98101 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98101 Reference: SECUNIA:26471 Reference: URL:http://secunia.com/advisories/26471 IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows local users to create arbitrary directories and execute arbitrary code via a "crafted localized message file" that enables a format string attack, possibly involving the (1) OSSEMEMDBG or (2) TRC_LOG_FILE environment variable in db2licd (db2licm). Analysis: ACCURACY: the format string attack is probably enabled by modifying the environment variables to point to alternate internationalization/localization files that contain resource strings with attacker-controlled format string specifiers. ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents say "SECURITY: Security vulnerability with db2licd, and the OSSEMEMDBG and TRC_LOG_FILE environment variables." The APAR documents state "Local exploitation of a design error in DB2 could allow an attacker to elevate privileges to root and/or create or change files which the instance user does not normally have access to when running the tool db2licm, or by using either the OSSEMEMDBG or TRC_LOG_FILE environment variables. This problem does not apply to Windows systems. ... 
This problem was reported to IBM by an anonymous researcher working with the iDefense Vulnerability Contributor Program (VCP) and Joshua J. Drake of iDefense." ====================================================== Name: CVE-2007-4275 Status: Candidate URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4275 Acknowledged: yes advisory Announced: 20070816 Flaw: other Reference: IDEFENSE:20070816 IBM DB2 Universal Database Multiple Untrusted Search Path Vulnerabilities Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=582 Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352 Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607 Reference: AIXAPAR:IY97922 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY97922 Reference: AIXAPAR:IY97936 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY97936 Reference: AIXAPAR:IY98176 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98176 Reference: AIXAPAR:IY98206 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY98206 Reference: AIXAPAR:IZ01923 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IZ01923 Reference: AIXAPAR:IZ02067 Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IZ02067 Reference: SECUNIA:26471 Reference: URL:http://secunia.com/advisories/26471 Multiple untrusted search path vulnerabilities in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allow local users to gain privileges via certain vectors related to (1) DB2 instance or FMP startup on Linux and Solaris; (2) exec of executables while running as root on non-Windows systems, as demonstrated by AIX; and unspecified vectors involving (3) db2licm and (4) db2pd. Analysis: MAPPING/ABSTRACTION: This issues were MERGEd through post-advisory coordination with iDefense CNA. ABSTRACTION: These issues were MERGEd by the CNA based on best available information at the time of assignment. 
It is possible that there should have been a SPLIT because of different affected platforms (roughly equivalent to different affected versions). Specifically, IZ02067/IZ01923 state "applies only to Linux and Solaris." However, IY98206/IY98176 state "does not apply to Windows systems," with a later mention of "Reported component name DB2 UDB ESE AIX." This suggests that the AIX version has vector 2 but not vector 1. ACKNOWLEDGEMENT: IZ02067/IZ01923 state "SECURITY: SECURITY VULNERABILITY DURING INSTANCE AND FMP STARTUP ... an anonymous researcher working with the iDefense Vulnerability Contributor Program (VCP) and Joshua J. Drake of iDefense Labs. This APAR addresses the issues described by CVE-2007-4275." IY98206/IY98176 state 'SECURITY: Security vulnerability when DB2 "execs" executables while running as root ... an anonymous researcher working with the iDefense Vulnerability Contributor Program (VCP) and Joshua J. Drake of iDefense Labs. This APAR addresses the issues described by CVE-2007-4275. 
======================================================
Name: CVE-2007-4276
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4276
Acknowledged: yes advisory
Announced: 20070816
Flaw: buf
Reference: IDEFENSE:20070816 IBM DB2 Universal Database buildDasPaths Buffer Overflow Vulnerability
Reference: URL:http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=583
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY97346
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY97346
Reference: AIXAPAR:IY99311
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY99311
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Stack-based buffer overflow in IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 allows attackers to execute arbitrary code via a long DASPROF and possibly other environment variables, which are copied into the buildDasPaths buffer.

Analysis:
MAPPING: The iDefense to IBM mapping was assisted through e-mail coordination with iDefense.

ACKNOWLEDGEMENT: The vendor's swg21255352 and swg21255607 documents say "DASPROF env variable - Buffer Overflow Vulnerability." An APAR search for IY99311 or IY97346 provides a truncated "There is a buffer overflow vulnerability in DASPROF environment variable. Overflowing the buffer may lead [to] arbitrary code" description. The APAR documents are not readily available.

ABSTRACTION: This may seem similar to CVE-2007-1087 or CVE-2007-1088. However, CVE-2007-1087 and CVE-2007-1088 map to a different IBM identifier: AIXAPAR:IY94833. Also, AIXAPAR:IY94833 indicates that 9.1 Fixpak 2 has a fix, and here the fix is in Fixpak 3, so these are different affected versions and should be SPLIT per AB2. (Admittedly, the DB2 UDB version 8 aspect of the fix might conceivably be the same.)

ACCURACY: Most, but not all, environment-variable issues are local.

======================================================
Name: CVE-2007-4417
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4417
Acknowledged: yes advisory
Announced: 20070816
Flaw: other
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IY88158
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY88158
Reference: AIXAPAR:IY88226
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IY88226
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

IBM DB2 UDB 8 before Fixpak 15 and 9.1 before Fixpak 3 does not properly revoke privileges on methods, which allows remote authenticated users to execute a method after revocation until the routine auth cache is flushed.

Analysis:
ACKNOWLEDGEMENT: The vendor says "After revoking privileges on a method a user may still be able to execute the method until the routine auth cache is flushed (database deactivated)."

ACCURACY: The vulnerability should probably not be expressed as "does not flush the routine auth cache." Although a flush will stop exploitation, it may be an expensive or disruptive action, and not an appropriate solution.

ACCURACY: SECUNIA:26471 says that the "user may still be able to execute a method even if the privileges for the method has been revoked" issue was reported only in version 8 (i.e., not in version 9.1). This seems inconsistent with the listing of IY88158 in IBM's swg21255607 document.
======================================================
Name: CVE-2007-4418
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4418
Acknowledged: yes advisory
Announced: 20070816
Flaw: other
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255352
Reference: AIXAPAR:JR25940
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1JR25940
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

IBM DB2 UDB 8 before Fixpak 15 does not properly check authorization, which allows remote authenticated users with a certain SELECT privilege to have an unknown impact via unspecified vectors. NOTE: this issue is probably related to CVE-2007-1089, but this is uncertain due to lack of details.

Analysis:
ACKNOWLEDGEMENT: The swg21255352 CONFIRM says "SECURITY VULNERABILITY RELATED TO INCORRECT AUTHORIZATION CHECKS." An APAR search for JR25940 provides a truncated "It is possible to bypass DB2 authorization checking. This vulnerability can enable a user who holds SELECT" description. The full description is not readily available. However, JR25941 (for IBM DB2 UDB 9.1) states "JR25941: SECURITY VULNERABILITY RELATED TO INCORRECT AUTHORIZATION CHECKS ... It is possible to bypass DB2 authorization checking. This vulnerability can enable a user who holds SELECT privilege on a table to update or delete the contents of the table, even if they do not hold the required update and/or delete privileges." JR25941 is a CVE-2007-1089 reference. Because of the identical APAR titles and the adjacent APAR numbers, it seems very likely that JR25940 and JR25941 are analogous issues: the first in version 8, and the second in version 9.1. However, they are SPLIT because the non-public status of the JR25940 document makes this conclusion uncertain.
======================================================
Name: CVE-2007-4423
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4423
Acknowledged: yes advisory
Announced: 20070816
Flaw: unk
Reference: CONFIRM:http://www-1.ibm.com/support/docview.wss?uid=swg21255607
Reference: AIXAPAR:IZ01828
Reference: URL:http://www-1.ibm.com/support/docview.wss?uid=swg1IZ01828
Reference: SECUNIA:26471
Reference: URL:http://secunia.com/advisories/26471

Unspecified vulnerability in the AUTH_LIST_GROUPS_FOR_AUTHID function in IBM DB2 UDB 9.1 before Fixpak 3 allows attackers to cause a denial of service.

Analysis:
ACKNOWLEDGEMENT: The vendor's swg21255607 document says "SECURITY VULNERABILITY IN AUTH_LIST_GROUPS_FOR_AUTHID." An APAR search for IZ01828 provides a truncated "Exploitation of an issue in the AUTH_LIST_GROUPS_FOR_AUTHID function could allow an attacker to cause a denial of service" description. The APAR document is not readily available.

From theall at tenablesecurity.com Wed Aug 22 02:25:05 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Tue, 21 Aug 2007 22:25:05 -0400
Subject: [VIM] Dup: litecommerce 2004 (category_id) Remote SQL Injection Vulnerability
Message-ID: <46CB9E81.4080701@tenablesecurity.com>

milw0rm 4300 seems like a subset of the issues described by Diabolic Crab in his/her/its Bugtraq posting from April 2005:

http://www.securityfocus.com/archive/1/395130/30/0/threaded

Both involve the 'category_id' parameter to the 'cart.php' script when "target=category".

George
--
theall at tenablesecurity.com

From coley at mitre.org Wed Aug 22 22:03:42 2007
From: coley at mitre.org (Steven M. Christey)
Date: Wed, 22 Aug 2007 18:03:42 -0400 (EDT)
Subject: [VIM] r0t's old blog posts found
Message-ID: <200708222203.l7MM3gdY017553@faron.mitre.org>

FYI - looks like a global search-and-replace of:

pridels.blogspot.com

with

pridels0.blogspot.com

will yield functioning URLs again.
- Steve

From coley at linus.mitre.org Thu Aug 23 16:42:58 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 23 Aug 2007 12:42:58 -0400 (EDT)
Subject: [VIM] vendor ACK for CVE-2007-4338 (Family Connections)
Message-ID:

CVE was notified by the vendor via e-mail of a fix. Provable ACK is in the bug report at:

http://sourceforge.net/tracker/index.php?func=detail&aid=1778696&group_id=189733&atid=930513

which quotes the CVE and its description verbatim.

- Steve

-----------------------------
Date: Thu, 23 Aug 2007 11:21:09 -0400
From: Ryan Haudenschilt
To: cve at mitre.org
Subject: CVE-2007-4338

This vulnerability has been resolved in the latest release of Family Connections, 0.9.

http://sourceforge.net/projects/fam-connections/
http://sourceforge.net/project/showfiles.php?group_id=189733

From theall at tenablesecurity.com Thu Aug 23 18:15:45 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 23 Aug 2007 14:15:45 -0400
Subject: [VIM] Looks Bogus: SPIP v1.7 Remote File Inclusion Bug
Message-ID: <46CDCED1.6000300@tenablesecurity.com>

The remote file include issue in SPIP reported by system-errrror here:

http://www.securityfocus.com/archive/1/477423/30/0/threaded

looks bogus to me. The code snippet claimed to show the vulnerability occurs in a function call shortly after the affected variable is set; i.e.:

---- snip, snip, snip ----
function executer_squelette($squelette, $contexte) {
    ...
    if (!$fonctions_squelettes[$squelette]) {
        $squelette_cache = 'CACHE/skel_'.rawurlencode($squelette).'.php3';
        ...
        include($squelette_cache);
---- snip, snip, snip ----

This is from inc-calcul.php3 from version 1.7.2, http://www.spip.net/spip-dev/devel/archive/SPIP-v1-7-2.zip

Now I admit, I didn't bother setting up the app or tracing the code between where it's set and used above, but it sure smells bogus.

George
--
theall at tenablesecurity.com

From coley at mitre.org Thu Aug 23 18:52:08 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 23 Aug 2007 14:52:08 -0400 (EDT)
Subject: [VIM] vim editor duplicates / clarifications
Message-ID: <200708231852.l7NIq8oq022409@faron.mitre.org>

After some extensive discussion on vendor-sec with final consultation with the original developer, it's been determined that 3 distinct reports are only for 2 unique issues (CVE-wise, anyway).

In short, the vague announcement of Vim 7.1 that referred to "a security issue" (assigned CVE-2007-2653, aka "OMG VIM VULN" in a Jericho post to this list in May) turned out to be the official announcement of the fix for the feedkeys()/modelines issue (CVE-2007-2438).

During the email exchanges, the developer confirmed that the format string issue (CVE-2007-2953) is addressed by Patch 7.1.039 and confirmed that this only has "user-assisted" attack scenarios.

We're keeping CVE-2007-2438 and rejecting CVE-2007-2653 due to active usage of CVE-2007-2438.

- Steve

======================================================
Name: CVE-2007-2438
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2438
Acknowledged: yes
Announced: 20070426
Flaw: sandbox
Reference: MLIST:[vim-dev] 20070426 feedkeys() allowed in sandbox
Reference: URL:http://marc.info/?l=vim-dev&m=117762581821298&w=2
Reference: MLIST:[vim-dev] 20070428 Re: feedkeys() allowed in sandbox
Reference: URL:http://marc.info/?l=vim-dev&m=117778983714029&w=2
Reference: MLIST:[vimannounce] 20070512 Stable Vim version 7.1 has been released
Reference: URL:http://tech.groups.yahoo.com/group/vimannounce/message/178
Reference: MISC:http://tech.groups.yahoo.com/group/vimdev/message/46627
Reference: MISC:http://tech.groups.yahoo.com/group/vimdev/message/46658
Reference: CONFIRM:http://tech.groups.yahoo.com/group/vimdev/message/46645
Reference: CONFIRM:http://www.vim.org/news/news.php
Reference: CONFIRM:https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=238259
Reference: BUGTRAQ:20070430 FLEA-2007-0014-1: vim
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/467202/100/0/threaded
Reference: MANDRIVA:MDKSA-2007:101
Reference: URL:http://frontal2.mandriva.com/security/advisories?name=MDKSA-2007:101
Reference: REDHAT:RHSA-2007:0346
Reference: URL:http://www.redhat.com/support/errata/RHSA-2007-0346.html
Reference: SUSE:SUSE-SR:2007:012
Reference: URL:http://www.novell.com/linux/security/advisories/2007_12_sr.html
Reference: TRUSTIX:2007-0017
Reference: URL:http://www.trustix.org/errata/2007/0017/
Reference: UBUNTU:USN-463-1
Reference: URL:http://www.ubuntu.com/usn/usn-463-1
Reference: VIM:20070513 OMG VIM VULN
Reference: URL:http://attrition.org/pipermail/vim/2007-May/001614.html
Reference: BID:23725
Reference: URL:http://www.securityfocus.com/bid/23725
Reference: FRSIRT:ADV-2007-1599
Reference: URL:http://www.frsirt.com/english/advisories/2007/1599
Reference: SECTRACK:1018035
Reference: URL:http://www.securitytracker.com/id?1018035
Reference: SECUNIA:25024
Reference: URL:http://secunia.com/advisories/25024
Reference: SECUNIA:25159
Reference: URL:http://secunia.com/advisories/25159
Reference: SECUNIA:25182
Reference: URL:http://secunia.com/advisories/25182
Reference: SECUNIA:25255
Reference: URL:http://secunia.com/advisories/25255
Reference: SECUNIA:25367
Reference: URL:http://secunia.com/advisories/25367
Reference: SECUNIA:25432
Reference: URL:http://secunia.com/advisories/25432

The sandbox for vim allows dangerous functions such as (1) writefile, (2) feedkeys, and (3) system, which might allow user-assisted attackers to execute shell commands and write files via modelines.

Analysis:
ACKNOWLEDGEMENT: In a news item announcing VIM 7.1 on 20070512: "Vim 7.1 ... [2007-05-12] ... a few crashing bugs and a security issue were fixed. For the details see the announcement. Or jump directly to the download page. (Bram Moolenaar)." Later feedback from the upstream developer (and vendor-sec) proved that this vague announcement was related to this particular issue.
======================================================
Name: CVE-2007-2653
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2653
Acknowledged:
Announced:
Flaw:

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2007-2438. Reason: This candidate is a duplicate of CVE-2007-2438. Notes: All CVE users should reference CVE-2007-2438 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage.

======================================================
Name: CVE-2007-2953
Status: Candidate
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2953
Acknowledged: yes changelog
Announced: 20070727
Flaw: format-string
Reference: BUGTRAQ:20070730 FLEA-2007-0036-1 vim vim-minimal gvim
Reference: URL:http://www.securityfocus.com/archive/1/archive/1/475076/100/100/threaded
Reference: MISC:http://secunia.com/secunia_research/2007-66/advisory/
Reference: CONFIRM:ftp://ftp.vim.org/pub/vim/patches/7.1/7.1.039
Reference: CONFIRM:https://issues.rpath.com/browse/RPL-1595
Reference: BID:25095
Reference: URL:http://www.securityfocus.com/bid/25095
Reference: FRSIRT:ADV-2007-2687
Reference: URL:http://www.frsirt.com/english/advisories/2007/2687
Reference: SECUNIA:25941
Reference: URL:http://secunia.com/advisories/25941
Reference: SECUNIA:26285
Reference: URL:http://secunia.com/advisories/26285
Reference: XF:vim-helptagsone-code-execution(35655)
Reference: URL:http://xforce.iss.net/xforce/xfdb/35655

Format string vulnerability in the helptags_one function in src/ex_cmds.c in Vim 6.4 and earlier, and 7.x up to 7.1, allows user-assisted remote attackers to execute arbitrary code via format string specifiers in a help-tags tag in a help file, related to the helptags command.

Analysis:
ACKNOWLEDGEMENT: Patch 7.1.039 states: "A tag in a help file that starts with 'help-tags' and contains a percent sign may make Vim crash."
From coley at linus.mitre.org Thu Aug 23 19:49:47 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 23 Aug 2007 15:49:47 -0400 (EDT)
Subject: [VIM] ACK for CVE-2007-3056 (WebSVN)
Message-ID:

got this via e-mail. ACK also on:

http://www.nabble.com/CVE-2007-3056-tf4246678.html

Notice the mention of "other security issues" in this email and at the URL above - I'll follow up with Sebastian.

- Steve

---------- Forwarded message ----------
Date: Thu, 23 Aug 2007 14:28:56 +0200
From: Sebastian Petters / 4wd media
To: cve at mitre.org
Subject: CVE-2007-3056

Dear ladies and gentlemen,

the issue CVE-2007-3056 (http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3056) has been fixed with the release of WebSVN 2.0 on August 13 2007. This release also includes a few other security-relevant issues, so updating to this version is strongly advised for all users.

Please update the information on your webpage.

Is this the right way to inform you about fixed issues? Is there a standard procedure for how I can update all references?

Best regards and thanks in advance,
Sebastian Petters

--
Sebastian Petters
Dipl. Inform.

From mjc at redhat.com Thu Aug 23 21:54:50 2007
From: mjc at redhat.com (Mark J Cox)
Date: Thu, 23 Aug 2007 22:54:50 +0100 (BST)
Subject: [VIM] CVE-2007-3375 is dupe CVE-2004-0234
Message-ID: <0708232252310.30682@awe.com>

Mailed this to Steven, but he suggested sharing for public reference:

I was looking last month at CVE-2007-3375 describing an issue in lhaca. The web page describing the flaw had code disassembly which looked familiar to the code in header.c as distributed in older Red Hat lha packages. Some more investigation showed that this was in fact the issue from 2004:

http://marc.info/?l=bugtraq&m=108422737918885&w=2
CVE-2004-0234

So LHACA appeared to be vulnerable to CVE-2004-0234 due to it being a shared codebase.
Thanks, Mark
--
Mark J Cox / Red Hat Security Response Team

From jericho at attrition.org Fri Aug 24 19:44:25 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 24 Aug 2007 19:44:25 +0000 (UTC)
Subject: [VIM] CCWAPSS : a Comprehensive security scoring method for web applications (fwd)
Message-ID:

---------- Forwarded message ----------
From: Frederic Charpentier
Resent-From: pen-test-return-1078484963 at securityfocus.com
To: pen-test at securityfocus.com
Date: Fri, 24 Aug 2007 15:47:53 +0200
Subject: CCWAPSS : a Comprehensive security scoring method for web applications

Hi,

We are pleased to release our first public release of the Common Criteria Web Application Security Scoring (CCWAPSS). This scale does not aim at replacing other evaluation standards but suggests a simple way of evaluating the security level of a web application.

Key benefits of CCWAPSS:
- Fighting against the "Gaussian" inclination using a restricted granularity that forces the auditor to give a clear-cut score (there is no medium choice).
- Offering a solution to interpretation problems between different auditors by providing 11 clear and well-documented criteria.
- The maximum score (10/10) means "compliant with Best Practices". This score could be exceeded in case of excellence (like a medical vision evaluation such as 12/10).
- Each criterion relates to a section of the OWASP Guide 3.0.

The CCWAPSS whitepaper is available in PDF format at http://ccwapss.blogspot.com/.

Contributions are welcome!

Regards,
Fred.

From coley at mitre.org Fri Aug 24 23:44:54 2007
From: coley at mitre.org (Steven M. Christey)
Date: Fri, 24 Aug 2007 19:44:54 -0400 (EDT)
Subject: [VIM] uh-oh: local file inclusion from insecure permissions
Message-ID: <200708242344.l7ONis01011498@faron.mitre.org>

Ref: CONFIRM:http://www.torrenttrader.org/index.php?showtopic=5843 (CVE pending)

The ACK says "We have been made aware of a hole in the script that can be exploited. Please CHMOD your .txt files in the root back to 644 to disable write access (you can edit them via FTP still) ... disclaimer.txt ... sponsors.txt ... banners.txt ... we are working to address this issue ...."

Source inspection of 1.07, as downloaded on 20070824, shows that these files have 640 permissions, at least as extracted from the tarball.

So, we were asking ourselves... why is modifying these files a security issue, and what's the attack vector? Maybe local symlink following, but then I'd think they'd say change the directory permissions too.

Ah, grep, you wondrous workhorse of post-disclosure analysis:

> grep banners.txt *.php
admin.php:   include("banners.txt");
....
check.php:$banners = chmod($_SERVER['DOCUMENT_ROOT'] . "/banners.txt", 0666);
check.php:   if(!$banners){ echo "banners.txt - Error setting permissions"; } else { echo "banners.txt - Success! CHMOD CHANGED"; }
check.php:If you see "Unwriteable" you need to change the permissions on the file or directory to 777 or 666 so that TorrentTrader to write to it.

So... a text file is given world-writable permissions, but it's used in an include statement. So, at least, we have a locally exploitable "file inclusion" issue thanks to insecure permissions.

We see similar things for sponsors.txt and disclaimer.txt, but grep also yields this tidbit:

index.php:echo file_get_contents("disclaimer.txt") ;

So, this is a way to do local "file inclusion" for any visitor to the site. I didn't investigate whether there were remote attack vectors.

I bet there's a TON of these kinds of "writable-LFI" issues out there...

- Steve