From coley at mitre.org Fri Jun 1 00:38:01 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 31 May 2007 20:38:01 -0400 (EDT)
Subject: [VIM] true: AdminBot-MX RFI
Message-ID: <200706010038.l510c1t8004373@faron.mitre.org>

Researcher: ThE TiGeR
Ref: http://www.milw0rm.com/exploits/4005

first executable line of live_status.lib.php is:

require ($ROOT."lib/counterstrike.class.php");

- Steve

From theall at tenablesecurity.com Sat Jun 2 01:47:44 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 01 Jun 2007 21:47:44 -0400
Subject: [VIM] True: XOOPS Module icontent v.1.0 Remote File Inclusion Exploit (Milw0rm 4022)
Message-ID: <4660CC40.4050407@tenablesecurity.com>

The affected file starts basically with:

include $spaw_root.'config/spaw_control.config.php';

so exploitation requires register_globals to be enabled.

In case anyone's curious, the issue is similar to the issue reported last year by Kapda:

http://www.kapda.ir/advisory-331.html

That is, both phpwcms and Xoops' icontent module make use of a vulnerable instance of SPAW PHP WYSIWYG editor control.

George
--
theall at tenablesecurity.com

From steve at vitriol.net Mon Jun 4 18:32:43 2007
From: steve at vitriol.net (Steve Tornio)
Date: Mon, 04 Jun 2007 13:32:43 -0500
Subject: [VIM] [Fwd: Re: Buffer overflow in BusinessMail email server system 4.60.00]
Message-ID: <46645ACB.3080109@vitriol.net>

-------- Original Message --------
Subject: Re: Buffer overflow in BusinessMail email server system 4.60.00
Date: Mon, 4 Jun 2007 12:30:47 -0400
From: Ian Turner
Reply-To: Ian Turner
To: Steve Tornio

In your message regarding Re: Buffer overflow in BusinessMail email server system 4.60.00 dated Mon, 04 Jun 2007 11:22:43 -0500, Steve Tornio said that ...

> iant at netcplus.com wrote:
> > This problem was corrected within 14 days, and a new SMTP server was provided on our web site. This was back in 2005, we are now almost TWO YEARS ON, and you still claim it is a problem.
> >
>
> It is unclear who "you" is supposed to be here. I'm guessing this is
> the vulnerability referred to by:
>
> OSVDB 18407
> CVE 2005-2472
> ISS 21636
> Secunia 16306
> Bugtraq 14434

There were several links to these, all headed as both SmartServer and BusinessMail. I didn't notice your internal ID.

> None of these indicate a solution is available.

Correct, and yet there is. And we emailed bugtraq with that information back at that (now long off) time.

> The Mail List post reporting this vulnerability was
> http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0002.html
>
> In the post, it says that a patch will soon be available. A quick
> glance at the download page at http://www.netcplus.com/downloads.html
> doesn't reveal a link to download the patch for 4.6. I also don't see
> any advisory for users of 4.6 that a patch is available.

That is because it is already wrapped into the FREE upgrade to the 4.7 release.

> We will be happy to update our entry at osvdb.org, after verifying that
> a patch exists for 4.6, and an upgrade to 4.7 also solves the problem.
> Is that correct?

Customers can visit the upgrades page of our site and download the 4.7 upgrade. That IS NOW the fix for the 4.6 vulnerability. As we no longer ship 4.6 we felt it irrelevant to continue to have a link to a fix that is in the latest free upgrade anyway.

You can download a full BusinessMail install to allow you to test this very simple fix out for yourself.

Thanks!

Ian Turner

>
> Thanks,
> Steve Tornio
> osvdb.org
>
> > You **were** notified of the release of the fix, and we have many other confirmations that it is indeed a good fix.
> >
> > We are now at 4.7 of BusinessMail, and that also still blocks this "vulnerability", and yet you continue to publish out of date and inaccurate information as being the truth.
> >
> > Kindly update your published information as relevant to reflect the true facts of this buglet.
> >
> > You can download an evaluation BusinessMail system from our web site to test this for yourself if you still do not believe us.
> >
> > Thank You
> >
> >
>

--
-----------------------------------------------
Ian Turner
NetcPlus Internet Solutions, Inc.
http://www.netcplus.com
-----------------------------------------------
Developers of the powerful and flexible BUSINESSMAIL EMAIL SERVER SYSTEM and NETCFAX NETWORKED FAX SYSTEM designed especially for small to medium sized business networks.

This correspondence is for the named person's use only. It may contain confidential or legally privileged information or both. No confidentiality or privilege is waived or lost by any mistransmission. If you receive this correspondence in error, please immediately notify the sender, then delete it from your system. You must not disclose, copy or relay any part of this correspondence if you are not the intended recipient. Any opinions expressed in this message are those of the individual sender, except where the sender expressly, and with authority, states them to be the opinions of either the sender themselves or any other organisation that may be formally connected to it.

From jericho at attrition.org Thu Jun 7 23:28:10 2007
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 7 Jun 2007 23:28:10 +0000 (UTC)
Subject: [VIM] VIM / VDB Blackhat Gathering
Message-ID:

When: Wednesday, August 1 - 7:00pm
Where: one of the Caesar's Lounge areas, possibly the Shadow Bar again.
Who: Anyone on VIM, anyone involved in VDBs
Why: Chat and rant

From coley at linus.mitre.org Thu Jun 7 23:38:09 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 7 Jun 2007 19:38:09 -0400 (EDT)
Subject: [VIM] VIM / VDB Blackhat Gathering
In-Reply-To:
References:
Message-ID:

All,

Last year's chat-and-rant was a lot of fun, with people from OSVDB, CVE, and CERT. Definitely consider joining us!
- Steve

From str0ke at milw0rm.com Fri Jun 8 01:32:43 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 7 Jun 2007 20:32:43 -0500
Subject: [VIM] VIM / VDB Blackhat Gathering
In-Reply-To:
References:
Message-ID: <814b9d50706071832t6aceeac8qf49c8a36f358dc5d@mail.gmail.com>

Too bad it won't be on the 2nd, I would have enjoyed stopping by.

/str0ke

On 6/7/07, Steven M. Christey wrote:
>
> All,
>
> Last year's chat-and-rant was a lot of fun, with people from OSVDB, CVE,
> and CERT. Definitely consider joining us!
>
> - Steve
>

From theall at tenablesecurity.com Fri Jun 8 18:06:22 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 08 Jun 2007 14:06:22 -0400
Subject: [VIM] False: JEvents1.4.1 For Joomla Remote File Include Vulnerability
Message-ID: <46699A9E.3020203@tenablesecurity.com>

Milw0rm 4048 seems bogus to me. I grabbed the code from http://joomlacode.org/gf/download/frsrelease/502/11101/com_events_1.4.1.zip, which Blu3H47 claims is affected. The affected file starts:

---- snip, snip, snip ----

References: <46699A9E.3020203@tenablesecurity.com>
Message-ID: <814b9d50706081109y216628f3h6f8a1efa41ad74ed@mail.gmail.com>

Wow, that's strange. Redownloaded the tar and that's not what I saw before. Rechecking.

/str0ke

On 6/8/07, George A. Theall wrote:
> Milw0rm 4048 seems bogus to me. I grabbed the code from
> http://joomlacode.org/gf/download/frsrelease/502/11101/com_events_1.4.1.zip,
> which Blu3H47 claims is affected.
> The affected file starts:
>
> ---- snip, snip, snip ----
> /**
> * Events Component for Joomla 1.0.x
> *
> * @version $Id: comutils.php 295 2006-12-06 09:20:53Z geraint $
> * @package Events
> * @copyright Copyright (C) 2006 JEvents Project Group
> * @licence http://www.gnu.org/copyleft/gpl.html
> * @link http://forge.joomla.org/sf/projects/jevents
> */
>
> /*
> loads all required classes and file to support Events Component (Frontend)
> */
>
> global $mainframe;
>
> // first load config class
> require_once(mosMainFrame::getBasePath('admin') .
> 'components/com_events/lib/config.php');
>
> ---- snip, snip, snip ----
>
> Notice the version info here is the same as what Blu3H47 reports but the
> require_once() function can not be abused by an attacker. The date on
> 'includes/comutils.php' in the ZIP file is 12-06-06 so it doesn't seem
> like the case of a quick fix after the vuln was announced. So what gives?
>
>
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Fri Jun 8 18:12:03 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 8 Jun 2007 13:12:03 -0500
Subject: [VIM] False: JEvents1.4.1 For Joomla Remote File Include Vulnerability
In-Reply-To: <814b9d50706081109y216628f3h6f8a1efa41ad74ed@mail.gmail.com>
References: <46699A9E.3020203@tenablesecurity.com> <814b9d50706081109y216628f3h6f8a1efa41ad74ed@mail.gmail.com>
Message-ID: <814b9d50706081112u52b3b309x54162aa60e555786@mail.gmail.com>

Yep, you're right, removing 4048. My mind must have been playing tricks on me.

/str0ke

On 6/8/07, str0ke wrote:
> Wow, that's strange. Redownloaded the tar and that's not what I saw
> before. Rechecking.
>
> /str0ke
>
> On 6/8/07, George A. Theall wrote:
> > Milw0rm 4048 seems bogus to me. I grabbed the code from
> > http://joomlacode.org/gf/download/frsrelease/502/11101/com_events_1.4.1.zip,
> > which Blu3H47 claims is affected.
> > The affected file starts:
> >
> > ---- snip, snip, snip ----
> > /**
> > * Events Component for Joomla 1.0.x
> > *
> > * @version $Id: comutils.php 295 2006-12-06 09:20:53Z geraint $
> > * @package Events
> > * @copyright Copyright (C) 2006 JEvents Project Group
> > * @licence http://www.gnu.org/copyleft/gpl.html
> > * @link http://forge.joomla.org/sf/projects/jevents
> > */
> >
> > /*
> > loads all required classes and file to support Events Component (Frontend)
> > */
> >
> > global $mainframe;
> >
> > // first load config class
> > require_once(mosMainFrame::getBasePath('admin') .
> > 'components/com_events/lib/config.php');
> >
> > ---- snip, snip, snip ----
> >
> > Notice the version info here is the same as what Blu3H47 reports but the
> > require_once() function can not be abused by an attacker. The date on
> > 'includes/comutils.php' in the ZIP file is 12-06-06 so it doesn't seem
> > like the case of a quick fix after the vuln was announced. So what gives?
> >
> >
> >
> > George
> > --
> > theall at tenablesecurity.com
> >
>

From theall at tenablesecurity.com Fri Jun 8 18:16:15 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 08 Jun 2007 14:16:15 -0400
Subject: [VIM] False: JEvents1.4.1 For Joomla Remote File Include Vulnerability
In-Reply-To: <814b9d50706081112u52b3b309x54162aa60e555786@mail.gmail.com>
References: <46699A9E.3020203@tenablesecurity.com> <814b9d50706081109y216628f3h6f8a1efa41ad74ed@mail.gmail.com> <814b9d50706081112u52b3b309x54162aa60e555786@mail.gmail.com>
Message-ID: <46699CEF.4060108@tenablesecurity.com>

On 06/08/07 14:12, str0ke wrote:

> Yep, you're right, removing 4048. My mind must have been playing tricks on me.

Actually, I looked again after your message... The line:

require_once($mosConfig_absolute_path . '/administrator/components/com_events/lib/version.php');

does occur as Blu3H47 claims, but it's further down.
And at least with my install, execution craps out with a "Fatal error: Undefined class name 'mosmainframe'...." before it gets to that point.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Fri Jun 8 18:19:44 2007
From: str0ke at milw0rm.com (str0ke)
Date: Fri, 8 Jun 2007 13:19:44 -0500
Subject: [VIM] False: JEvents1.4.1 For Joomla Remote File Include Vulnerability
In-Reply-To: <46699CEF.4060108@tenablesecurity.com>
References: <46699A9E.3020203@tenablesecurity.com> <814b9d50706081109y216628f3h6f8a1efa41ad74ed@mail.gmail.com> <814b9d50706081112u52b3b309x54162aa60e555786@mail.gmail.com> <46699CEF.4060108@tenablesecurity.com>
Message-ID: <814b9d50706081119u1fca82dy25a4a990a6ce5e23@mail.gmail.com>

Ya, it won't work, mosmainframe stops it.

/str0ke

On 6/8/07, George A. Theall wrote:
> On 06/08/07 14:12, str0ke wrote:
>
> > Yep, you're right, removing 4048. My mind must have been playing tricks on me.
>
> Actually, I looked again after your message... The line:
>
> require_once($mosConfig_absolute_path .
> '/administrator/components/com_events/lib/version.php');
>
> does occur as Blu3H47 claims, but it's further down. And at least with
> my install, execution craps out with a "Fatal error: Undefined class
> name 'mosmainframe'...." before it gets to that point.
>
> George
> --
> theall at tenablesecurity.com
>

From jericho at attrition.org Fri Jun 8 22:55:45 2007
From: jericho at attrition.org (security curmudgeon)
Date: Fri, 8 Jun 2007 22:55:45 +0000 (UTC)
Subject: [VIM] from: lists@bughunter.ca
Message-ID:

From: J.M. Seitz
To: vim at attrition.org
Date: Fri, 8 Jun 2007 09:10:58 -0700
Subject: RE: CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow

Hey Guys,

I found this bug a few months ago, the vendor is working on a patch (albeit slowly).
Use CVE-2007-1783 for this one :)

JS

> -----Original Message-----
> From: Dennis Rand [mailto:rand at csis.dk]
> Sent: Friday, June 08, 2007 12:00 AM
> To: bugtraq at securityfocus.com
> Subject: CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow
>
> CSIS Security Group has discovered a remote exploitable
> arbitrary overwrite, in the Blue Coat
> K9 Web Protection local Web configuration manager on
> 127.0.0.1 and port 2372.
>
> This allows an attacker to perform at least a Denial of
> Service condition, on the usage of internet.
>
> Since the overflow can result in an overwrite of both the
> return address and SEH, remote code execution is possible.
>
> Another attack vector could also be privilege escalation on
> the local machine.
>
> The Full advisory can be downloaded at:
> http://www.csis.dk/dk/forside/Bluecoat-k9.pdf
>
>
> Best regards
> Dennis Rand
> Malware/Security Researcher
> CSIS Security Group
> http://www.csis.dk

From coley at linus.mitre.org Fri Jun 8 23:59:25 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Fri, 8 Jun 2007 19:59:25 -0400 (EDT)
Subject: [VIM] from: lists@bughunter.ca
In-Reply-To:
References:
Message-ID:

Note all that I'm trying to deconflict this with CVE-2007-1685, which is included in the CSIS advisory and obtained from CERT.

On Fri, 8 Jun 2007, security curmudgeon wrote:

>
> From: J.M. Seitz
> To: vim at attrition.org
> Date: Fri, 8 Jun 2007 09:10:58 -0700
> Subject: RE: CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow
>
> Hey Guys,
>
> I found this bug a few months ago, the vendor is working on a patch
> (albeit slowly).
> Use CVE-2007-1783 for this one :)
>
> JS
>
> > -----Original Message-----
> > From: Dennis Rand [mailto:rand at csis.dk]
> > Sent: Friday, June 08, 2007 12:00 AM
> > To: bugtraq at securityfocus.com
> > Subject: CSIS Advisory: BlueCoat K9 Web Protection 3.2.36 Overflow
> >
> > CSIS Security Group has discovered a remote exploitable
> > arbitrary overwrite, in the Blue Coat
> > K9 Web Protection local Web configuration manager on
> > 127.0.0.1 and port 2372.
> >
> > This allows an attacker to perform at least a Denial of
> > Service condition, on the usage of internet.
> >
> > Since the overflow can result in an overwrite of both the
> > return address and SEH, remote code execution is possible.
> >
> > Another attack vector could also be privilege escalation on
> > the local machine.
> >
> > The Full advisory can be downloaded at:
> > http://www.csis.dk/dk/forside/Bluecoat-k9.pdf
> >
> >
> > Best regards
> > Dennis Rand
> > Malware/Security Researcher
> > CSIS Security Group
> > http://www.csis.dk
>

From noamr at beyondsecurity.com Mon Jun 11 06:44:55 2007
From: noamr at beyondsecurity.com (Noam Rathaus)
Date: Mon, 11 Jun 2007 09:44:55 +0300
Subject: [VIM] [TRUE] Serious holes affecting JFFNMS
Message-ID: <200706110944.56086.noamr@beyondsecurity.com>

Hi,

I am able to confirm the XSS, and at least that the data isn't filtered, so SQL is possible, though the sample doesn't appear to work on the demo web site as the site appears to escape ' characters.

--
Noam Rathaus
CTO
1616 Anderson Rd.
McLean, VA 22102
Tel: 703.286.7725 extension 105
Fax: 888.667.7740
noamr at beyondsecurity.com
http://www.beyondsecurity.com

-------------- next part --------------
An embedded message was scrubbed...
From: Tim Brown
Subject: Serious holes affecting JFFNMS
Date: Sun, 10 Jun 2007 20:53:41 +0100
Size: 9950
Url: http://www.attrition.org/pipermail/vim/attachments/20070611/27dff764/attachment-0001.mht

From theall at tenablesecurity.com Wed Jun 13 17:43:12 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 13 Jun 2007 13:43:12 -0400
Subject: [VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
Message-ID: <46702CB0.2030502@tenablesecurity.com>

Just an FYI... Milw0rm 4068 works but requires authentication. The code in modify.php starts out like this:

include '../../mainfile.php';
$dir_module = XOOPS_ROOT_PATH.'/modules/'.$xoopsModule->dirname();
include_once "$dir_module/conf.php";
include_once "$dir_module/include/groupaccess.php";
include_once "$dir_module/class/common.php";
include_once "$dir_module/class/wfscategory.php";
include_once "$dir_module/class/wfsarticle.php";
include_once "$dir_module/class/wfsfiles.php";

so initially it looked like the attack wouldn't work. Turns out, though, that it calls 'class/wfsarticle.php', which in turn calls 'include/wysiwygeditor.php', which contains this little nugget:

foreach ($HTTP_POST_VARS as $k => $v) {
  ${$k} = $v;
}
foreach ($HTTP_GET_VARS as $k => $v) {
  ${$k} = $v;
}

At this point, the attacker's got control over dir_module, which then comes into play when trying to include wfsfiles.php.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Wed Jun 13 17:52:58 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 13 Jun 2007 13:52:58 -0400 (EDT)
Subject: [VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
In-Reply-To: <46702CB0.2030502@tenablesecurity.com>
References: <46702CB0.2030502@tenablesecurity.com>
Message-ID:

George,

Is authentication controlled by a variable setting? If so, then maybe an exploit could be made to overwrite that variable and bypass authentication, too.
- Steve

From theall at tenablesecurity.com Wed Jun 13 17:55:00 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 13 Jun 2007 13:55:00 -0400
Subject: [VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
In-Reply-To:
References: <46702CB0.2030502@tenablesecurity.com>
Message-ID: <46702F74.5060202@tenablesecurity.com>

On 06/13/07 13:52, Steven M. Christey wrote:

> Is authentication controlled by a variable setting? If so, then maybe an
> exploit could be made to overwrite that variable and bypass
> authentication, too.

The authentication check happens before GPC variables are extracted.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Wed Jun 13 18:00:07 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 13 Jun 2007 13:00:07 -0500
Subject: [VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
In-Reply-To: <46702CB0.2030502@tenablesecurity.com>
References: <46702CB0.2030502@tenablesecurity.com>
Message-ID: <814b9d50706131100m188c06begad542055b5a88373@mail.gmail.com>

Hey George,

On 6/13/07, George A. Theall wrote:
> Just an FYI... Milw0rm 4068 works but requires authentication.

Are you sure that authentication is needed for this to be exploitable?

/str0ke

From theall at tenablesecurity.com Wed Jun 13 18:30:24 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 13 Jun 2007 14:30:24 -0400
Subject: [VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
In-Reply-To: <814b9d50706131100m188c06begad542055b5a88373@mail.gmail.com>
References: <46702CB0.2030502@tenablesecurity.com> <814b9d50706131100m188c06begad542055b5a88373@mail.gmail.com>
Message-ID: <467037C0.2080307@tenablesecurity.com>

On 06/13/07 14:00, str0ke wrote:

> Are you sure that authentication is needed for this to be exploitable?

No, it's not. The admin just needs to tweak permissions so that anonymous users have access to it.
George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Wed Jun 13 19:02:10 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 13 Jun 2007 14:02:10 -0500
Subject: [VIM] True: XOOPS Module XFsection (modify.php) Remote File Inclusion Vulnerability
In-Reply-To: <467037C0.2080307@tenablesecurity.com>
References: <46702CB0.2030502@tenablesecurity.com> <814b9d50706131100m188c06begad542055b5a88373@mail.gmail.com> <467037C0.2080307@tenablesecurity.com>
Message-ID: <814b9d50706131202v381bbd0ewb4e4db376468ed4b@mail.gmail.com>

Got ya brotha, You da man.

/str0ke

On 6/13/07, George A. Theall wrote:
> On 06/13/07 14:00, str0ke wrote:
>
> > Are you sure that authentication is needed for this to be exploitable?
>
> No, it's not. The admin just needs to tweak permissions so that
> anonymous users have access to it.
>
> George
> --
> theall at tenablesecurity.com
>

From theall at tenablesecurity.com Thu Jun 14 14:50:58 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 14 Jun 2007 10:50:58 -0400
Subject: [VIM] Sitellite CMS <= 4.2.12 (559668.php) Remote File Inclusion Vulnerability
Message-ID: <467155D2.1070502@tenablesecurity.com>

FYI: milw0rm 4071 is sort of true -- the RFI flaw does exist, but by default there's a .htaccess file in saf/lib/PEAR/PhpDocumentor that prevents access to that directory tree.

George
--
theall at tenablesecurity.com

From coley at linus.mitre.org Thu Jun 14 22:27:38 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 14 Jun 2007 18:27:38 -0400 (EDT)
Subject: [VIM] Sitellite CMS <= 4.2.12 (559668.php) Remote File Inclusion Vulnerability
In-Reply-To: <467155D2.1070502@tenablesecurity.com>
References: <467155D2.1070502@tenablesecurity.com>
Message-ID:

> FYI: milw0rm 4071 is sort of true -- the RFI flaw does exist, but by
> default there's a .htaccess file in saf/lib/PEAR/PhpDocumentor that
> prevents access to that directory tree.
Also note that at first glance, this might look like an issue in PhpDocumentor, a separate module, which DOES have the bug-559668.php file; however, it doesn't have the vulnerable FORUM[LIB] line, so this must have been added by the Sitellite developer.

- Steve

From coley at mitre.org Thu Jun 14 22:38:34 2007
From: coley at mitre.org (Steven M. Christey)
Date: Thu, 14 Jun 2007 18:38:34 -0400 (EDT)
Subject: [VIM] true: XOOPS Modules Horoscope RFI
Message-ID: <200706142238.l5EMcY36022465@faron.mitre.org>

Researcher: BeyazKurt
Ref: http://www.milw0rm.com/exploits/4064

In the download specified in the post, the only line in footer.php is:

include_once($xoopsConfig['root_path']."footer.php");

- Steve

From theall at tenablesecurity.com Sat Jun 16 00:36:32 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Fri, 15 Jun 2007 20:36:32 -0400
Subject: [VIM] Cute: PhpListPro Persistent XSS Vulnerability
Message-ID: <46733090.3090000@tenablesecurity.com>

So to learn details about a persistent XSS issue in PhpListPro, CorryL wants us to call a number to get a private code? And the call takes 2 minutes at 1.7 Euros / minute??? I wonder how many takers there will be...

George
--
theall at tenablesecurity.com

From theall at tenablesecurity.com Mon Jun 18 15:55:07 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 18 Jun 2007 11:55:07 -0400
Subject: [VIM] Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit
Message-ID: <4676AADB.2000307@tenablesecurity.com>

Milw0rm 4077 seems to have already been discovered by Michael Brooks last January and covered by milw0rm 3083:

http://www.milw0rm.com/exploits/4077

http://archives.neohapsis.com/archives/bugtraq/2007-01/0144.html
http://www.milw0rm.com/exploits/3083

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Mon Jun 18 15:59:53 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 18 Jun 2007 10:59:53 -0500
Subject: [VIM] Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit
In-Reply-To: <4676AADB.2000307@tenablesecurity.com>
References: <4676AADB.2000307@tenablesecurity.com>
Message-ID: <814b9d50706180859p3c719ba0o3338de8f736cbaf3@mail.gmail.com>

removed.

/str0ke

On 6/18/07, George A. Theall wrote:
> Milw0rm 4077 seems to have already been discovered by Michael Brooks
> last January and covered by milw0rm 3083:
>
> http://www.milw0rm.com/exploits/4077
>
> http://archives.neohapsis.com/archives/bugtraq/2007-01/0144.html
> http://www.milw0rm.com/exploits/3083
>
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Mon Jun 18 16:02:33 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 18 Jun 2007 11:02:33 -0500
Subject: [VIM] Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit
In-Reply-To: <814b9d50706180859p3c719ba0o3338de8f736cbaf3@mail.gmail.com>
References: <4676AADB.2000307@tenablesecurity.com> <814b9d50706180859p3c719ba0o3338de8f736cbaf3@mail.gmail.com>
Message-ID: <814b9d50706180902i461d5b86ve60d3d541ea656c6@mail.gmail.com>

Actually the guy is just using a different method to exploit the eval function, (exploit !vulnerability). Leaving it up.

/str0ke

On 6/18/07, str0ke wrote:
> removed.
>
> /str0ke
>
> On 6/18/07, George A. Theall wrote:
> > Milw0rm 4077 seems to have already been discovered by Michael Brooks
> > last January and covered by milw0rm 3083:
> >
> > http://www.milw0rm.com/exploits/4077
> >
> > http://archives.neohapsis.com/archives/bugtraq/2007-01/0144.html
> > http://www.milw0rm.com/exploits/3083
> >
> >
> > George
> > --
> > theall at tenablesecurity.com
> >
>

From theall at tenablesecurity.com Mon Jun 18 16:09:49 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Mon, 18 Jun 2007 12:09:49 -0400
Subject: [VIM] Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit
In-Reply-To: <814b9d50706180902i461d5b86ve60d3d541ea656c6@mail.gmail.com>
References: <4676AADB.2000307@tenablesecurity.com> <814b9d50706180859p3c719ba0o3338de8f736cbaf3@mail.gmail.com> <814b9d50706180902i461d5b86ve60d3d541ea656c6@mail.gmail.com>
Message-ID: <4676AE4D.3080203@tenablesecurity.com>

On 06/18/07 12:02, str0ke wrote:

> Actually the guy is just using a different method to exploit the eval
> function, (exploit !vulnerability). Leaving it up.

Oh, I didn't realize you were ok with multiple exploits for the same vuln. Sorry.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Mon Jun 18 17:27:11 2007
From: str0ke at milw0rm.com (str0ke)
Date: Mon, 18 Jun 2007 12:27:11 -0500
Subject: [VIM] Dup: iG Shop 1.4 (page.php) Remote Code Execution Exploit
In-Reply-To: <4676AE4D.3080203@tenablesecurity.com>
References: <4676AADB.2000307@tenablesecurity.com> <814b9d50706180859p3c719ba0o3338de8f736cbaf3@mail.gmail.com> <814b9d50706180902i461d5b86ve60d3d541ea656c6@mail.gmail.com> <4676AE4D.3080203@tenablesecurity.com>
Message-ID: <814b9d50706181027g587f617cqa9db95bede6f07c7@mail.gmail.com>

George,

After thinking about this one, there is no real need for it to be up (so it is being removed). On another note, I do treat exploits differently than the vulnerabilities.

Be safe man,

/str0ke

On 6/18/07, George A. Theall wrote:
> On 06/18/07 12:02, str0ke wrote:
>
> > Actually the guy is just using a different method to exploit the eval
> > function, (exploit !vulnerability). Leaving it up.
>
> Oh, I didn't realize you were ok with multiple exploits for the same
> vuln. Sorry.
>
> George
> --
> theall at tenablesecurity.com
>

From jericho at attrition.org Tue Jun 19 08:17:58 2007
From: jericho at attrition.org (security curmudgeon)
Date: Tue, 19 Jun 2007 08:17:58 +0000 (UTC)
Subject: [VIM] Mostly True: phpChess Community Edition 2.0 RFI
In-Reply-To: <814b9d50705070902x45fe6b46u9923e3e23693c2b0@mail.gmail.com>
References: <224FBC6B814DBD4E9B9E293BE33A10DC01D1507B@IMCSRV5.MITRE.ORG> <814b9d50705070902x45fe6b46u9923e3e23693c2b0@mail.gmail.com>
Message-ID:

On Mon, 7 May 2007, str0ke wrote:

: Removed the latter from 3837.

Can you make some type of note when you do this? If not, the original disclosure is lost and there is no indication of where vulnerability databases like CVE or OSVDB got the information, even though we label it as false. =)

From coley at linus.mitre.org Tue Jun 19 16:13:00 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 19 Jun 2007 12:13:00 -0400 (EDT)
Subject: [VIM] Cute: PhpListPro Persistent XSS Vulnerability
In-Reply-To: <46733090.3090000@tenablesecurity.com>
References: <46733090.3090000@tenablesecurity.com>
Message-ID:

On Fri, 15 Jun 2007, George A. Theall wrote:

> So to learn details about a persistent XSS issue in PhpListPro, CorryL
> wants us to call a number to get a private code? And the call takes 2
> minutes at 1.7 Euros / minute??? I wonder how many takers there will be...

Especially given his 'spotty-at-best' record and evidence of incomplete research...
http://attrition.org/pipermail/vim/2007-January/001244.html

- Steve

From jericho at attrition.org Wed Jun 20 07:15:08 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 20 Jun 2007 07:15:08 +0000 (UTC)
Subject: [VIM] bit amusing (Contact Form 2.00.02)
Message-ID:

---------- Forwarded message ----------

[009] - Contact Form 2.00.02
by deadsea (http://freshmeat.net/users/deadsea/)
Tue, Jun 19th 2007 11:05

Internet
Internet :: WWW/HTTP
Internet :: WWW/HTTP :: Dynamic Content

About: Contact Form is a Perl script that allows users to send you email through a Web interface. It is designed to thwart spammers by not allowing email to be sent to unknown addresses, or revealing the addresses that it knows. In addition to this, it does not contain cross site scripting vulnerabilities or allow arbitrary code to be run on the host. It provides adequate information in the headers it sends to trace spammers, can check the validity of all data before sending emails, and features a customizable interface that allows for arbitrary fields.

Changes: This release fixes an HTML escaping issue that caused a cross site scripting (XSS) vulnerability.

License: GNU General Public License (GPL)

URL: http://freshmeat.net/projects/easycontactform/

From coley at linus.mitre.org Wed Jun 20 19:50:44 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 20 Jun 2007 15:50:44 -0400 (EDT)
Subject: [VIM] CVE-2007-3242 (fwd)
Message-ID:

Remember the web-app.net vs. web-app.org debacle? Here's a little more.

- Steve

---------- Forwarded message ----------
Date: Tue, 19 Jun 2007 15:00:27 -0700 (PDT)
To: cve at mitre.org
Subject: CVE-2007-3242

Hi

Concerning: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3242

This is complete nonsense.

WebAPP (the real one from http://www.web-app.net ) filters it out, it uses tainting/untainting. Why don't you guys check things before posting this sort of nonsense?
It's not the first time you give us at http://www.web-app.net "credits" for security findings in piratical imitations of our script.

Please check our script version and correct this article. You will see this:

if ($op eq "Edit") {
untaint_form1($input{'url'});
untaint_form1($input{'title'});

And this:

unless ($input_to_check =~ /^[\w \:\.\/?-]/ ){
error("You entered an invalid character. You may only enter letters, slashes, numbers, underscores, spaces, periodes, points, questions marks and hyphens. Kindly try again.");

Thank you

On Elpeleg
Security Team, WebAPP
www.web-app.net

From coley at linus.mitre.org Wed Jun 20 19:59:55 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 20 Jun 2007 15:59:55 -0400 (EDT)
Subject: [VIM] CVE-2007-3242 (fwd)
In-Reply-To:
References:
Message-ID:

Just after forwarding the email, I noticed this from the code the developer mentioned:

> unless ($input_to_check =~ /^[\w \:\.\/?-]/ ){
> error("You entered an invalid character. You may only enter letters,
> slashes, numbers, underscores, spaces, periodes, points, questions marks
> and hyphens. Kindly try again.");

This appears to be a poorly anchored regexp that only checks the first character, so theoretically, the following would count as valid:

A

I have an inquiry into the developer about this suspicious code, which I would imagine would be in heavy use in their application.

- Steve

From jericho at attrition.org Wed Jun 20 20:02:15 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 20 Jun 2007 20:02:15 +0000 (UTC)
Subject: [VIM] CVE-2007-3242 (fwd)
In-Reply-To:
References:
Message-ID:

: Remember the web-app.net vs. web-app.org debacle? Here's a little more.

As if tracking vulnerabilities wasn't bad enough..

: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3242
:
: This is complete nonsense.
:
: WebAPP (the real one from http://www.web-app.net ) filters it out, it uses

http://archives.neohapsis.com/archives/bugtraq/2007-06/0160.html

"There is a system access vulnerability in the Menu Manager Mod for WebAPP."

The original disclosure doesn't mention if it is the "real" WebAPP or the other one.

"This mod is available at http://www.2xlnt.com/webapp/development/app.cgi?action=downloadinfo&cat=webappmods&id=3"

According to that URL:

Menu Manager Mod v1.5
Updated for use with Web-App 0.9.9.2

It doesn't say if this is for WebAPP (from .net or .org).

: tainting/untainting. Why dont you guys check things before posting this
: sort of nonsense? Its not first time you give us at
: http://www.web-app.net "credits" for security findings in piratical
: imitations of our script.
:
: Please check our script version and correct this article.

Wait, the vulnerability was reported in a modular add-on to Web-App, why would the code be in your script, unless it was distributed with it?

These guys certainly aren't helping with the confusion.

From coley at linus.mitre.org Wed Jun 20 20:12:57 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 20 Jun 2007 16:12:57 -0400 (EDT)
Subject: [VIM] CVE-2007-3242 (fwd)

On Wed, 20 Jun 2007, security curmudgeon wrote:

> http://archives.neohapsis.com/archives/bugtraq/2007-06/0160.html
>
> "There is a system access vulnerability in the Menu Manager Mod for
> WebAPP."
>
> The original disclosure doesn't mention if it is the "real" WebAPP or the
> other one.

It does mention this, though:

  the vulnerability also exists in the "WebAPP NE" script that is being
  distributed from web-app.net

> It doesn't say if this is for WebAPP (from .net or .org).

Maybe this mod works on both, but then:

> Wait, the vulnerability was reported in a modular add-on to Web-App, why
> would the code be in your script, unless it was distributed with it?
Which is now my question, too, besides the one about the weird input validation of only the first character.

- Steve

From str0ke at milw0rm.com Wed Jun 20 20:17:37 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 20 Jun 2007 15:17:37 -0500
Subject: [VIM] CVE-2007-3242 (fwd)
Message-ID: <814b9d50706201317u58715u7c2fe7ebdfb84dd8@mail.gmail.com>

Let me get this right.

web-app.org is the real product?
web-app.net is the copy product?

Checking the first character only was pretty funny :)

/str0ke

On 6/20/07, Steven M. Christey wrote:
>
> On Wed, 20 Jun 2007, security curmudgeon wrote:
>
> > http://archives.neohapsis.com/archives/bugtraq/2007-06/0160.html
> >
> > "There is a system access vulnerability in the Menu Manager Mod for
> > WebAPP."
> >
> > The original disclosure doesn't mention if it is the "real" WebAPP or the
> > other one.
>
> It does mention this, though:
>
> the vulnerability also exists in the "WebAPP NE" script that is being
> distributed from web-app.net
>
> > It doesn't say if this is for WebAPP (from .net or .org).
>
> Maybe this mod works on both, but then:
>
> > Wait, the vulnerability was reported in a modular add-on to Web-App, why
> > would the code be in your script, unless it was distributed with it?
>
> Which is now my question, too, besides the one about the weird input
> validation of only the first character.
>
> - Steve
>

From jericho at attrition.org Wed Jun 20 20:20:18 2007
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 20 Jun 2007 20:20:18 +0000 (UTC)
Subject: [VIM] CVE-2007-3242 (fwd)
In-Reply-To: <814b9d50706201317u58715u7c2fe7ebdfb84dd8@mail.gmail.com>
References: <814b9d50706201317u58715u7c2fe7ebdfb84dd8@mail.gmail.com>

: Let me get this right.
:
: web-app.org is the real product?
: web-app.net is the copy product?

Other way around I think. The .net folks have mailed several times correcting various issues and stated that .org is a fork of the original.
Apparently there is a long story/feud behind this.

http://attrition.org/pipermail/vim/2007-March/001444.html

That was the first we ran into this as an issue in tracking them.

From coley at linus.mitre.org Wed Jun 20 20:28:10 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 20 Jun 2007 16:28:10 -0400 (EDT)
Subject: [VIM] CVE-2007-3242 (fwd)
In-Reply-To: <814b9d50706201317u58715u7c2fe7ebdfb84dd8@mail.gmail.com>
References: <814b9d50706201317u58715u7c2fe7ebdfb84dd8@mail.gmail.com>

On Wed, 20 Jun 2007, str0ke wrote:

> Let me get this right.
>
> web-app.org is the real product?
> web-app.net is the copy product?

Switch those around and you have web-app.net's claim. The only certain thing is that there's some bad blood between the two.

> Checking the first character only was pretty funny :)

I'm sure we'll be seeing more of these as people attempt to perform input validation.

- Steve

From str0ke at milw0rm.com Wed Jun 20 20:49:02 2007
From: str0ke at milw0rm.com (str0ke)
Date: Wed, 20 Jun 2007 15:49:02 -0500
Subject: [VIM] CVE-2007-3242 (fwd)
References: <814b9d50706201317u58715u7c2fe7ebdfb84dd8@mail.gmail.com>
Message-ID: <814b9d50706201349t1438d174q3a211aaf2c21cdc4@mail.gmail.com>

Appreciate both of your replies. That's pretty insane.

/str0ke

On 6/20/07, Steven M. Christey wrote:
>
> On Wed, 20 Jun 2007, str0ke wrote:
>
> > Let me get this right.
> >
> > web-app.org is the real product?
> > web-app.net is the copy product?
>
> Switch those around and you have web-app.net's claim. The only certain
> thing is that there's some bad blood between the two.
>
> > Checking the first character only was pretty funny :)
>
> I'm sure we'll be seeing more of these as people attempt to perform input
> validation.
>
> - Steve
>

From theall at tenablesecurity.com Thu Jun 21 00:44:09 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Wed, 20 Jun 2007 20:44:09 -0400
Subject: [VIM] wrapper.php for osCommerce?
Message-ID: <4679C9D9.3000708@tenablesecurity.com>

Does anyone have information about the local file include flaw involving something SecurityFocus is calling "wrapper.php for osCommerce" (Bugtraq 24565)? The BID suggests the author's site is , but browsing around there I don't find anything.

Interestingly, I did turn up a forum posting that suggests the vulnerability has been known for a while:

http://www.mjturkiye.net/forum/index.php?showtopic=46190

although my Turkish isn't as good as it used to be. :-)

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Thu Jun 21 14:06:39 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 21 Jun 2007 09:06:39 -0500
Subject: [VIM] wrapper.php for osCommerce?
In-Reply-To: <4679C9D9.3000708@tenablesecurity.com>
References: <4679C9D9.3000708@tenablesecurity.com>
Message-ID: <814b9d50706210706i51259c6w1487aed198b0ab86@mail.gmail.com>

Hey George,

<>
oscommerce 2ms2 info
http://forums.oscommerce.com/index.php?showtopic=31444&st=40
<>

I received this vulnerability back in 08/25/06, never posted it because the author sent it in then stated not to post it around 15 minutes later.

wrapper.php?file=

/str0ke

On 6/20/07, George A. Theall wrote:
> Does anyone have information about the local file include flaw involving
> something SecurityFocus is calling "wrapper.php for osCommerce"
> (Bugtraq 24565)? The BID suggests the author's site is
> , but browsing around there I don't find
> anything.
>
> Interestingly, I did turn up a forum posting that suggests the
> vulnerability has been known for a while:
>
> http://www.mjturkiye.net/forum/index.php?showtopic=46190
>
> although my Turkish isn't as good as it used to be. :-)
>
> George
> --
> theall at tenablesecurity.com
>

From str0ke at milw0rm.com Thu Jun 21 14:07:40 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 21 Jun 2007 09:07:40 -0500
Subject: [VIM] wrapper.php for osCommerce?
In-Reply-To: <814b9d50706210706i51259c6w1487aed198b0ab86@mail.gmail.com>
References: <4679C9D9.3000708@tenablesecurity.com> <814b9d50706210706i51259c6w1487aed198b0ab86@mail.gmail.com>
Message-ID: <814b9d50706210707y18675f11nb611c50db33496d5@mail.gmail.com>

Oh and the original author wasn't Turkish.

/str0ke

On 6/21/07, str0ke wrote:
> Hey George,
>
> <>
> oscommerce 2ms2 info
> http://forums.oscommerce.com/index.php?showtopic=31444&st=40
> <>
>
> I received this vulnerability back in 08/25/06, never posted it
> because the author sent it in then stated not to post it around 15
> minutes later.
>
> wrapper.php?file=
>
> /str0ke
>
> On 6/20/07, George A. Theall wrote:
> > Does anyone have information about the local file include flaw involving
> > something SecurityFocus is calling "wrapper.php for osCommerce"
> > (Bugtraq 24565)? The BID suggests the author's site is
> > , but browsing around there I don't find
> > anything.
> >
> > Interestingly, I did turn up a forum posting that suggests the
> > vulnerability has been known for a while:
> >
> > http://www.mjturkiye.net/forum/index.php?showtopic=46190
> >
> > although my Turkish isn't as good as it used to be. :-)
> >
> > George
> > --
> > theall at tenablesecurity.com
> >

From theall at tenablesecurity.com Thu Jun 21 14:28:40 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 21 Jun 2007 10:28:40 -0400
Subject: [VIM] wrapper.php for osCommerce?
In-Reply-To: <814b9d50706210706i51259c6w1487aed198b0ab86@mail.gmail.com>
References: <4679C9D9.3000708@tenablesecurity.com> <814b9d50706210706i51259c6w1487aed198b0ab86@mail.gmail.com>
Message-ID: <467A8B18.5070207@tenablesecurity.com>

On 06/21/07 10:06, str0ke wrote:
> oscommerce 2ms2 info
> http://forums.oscommerce.com/index.php?showtopic=31444&st=40
> <>
>
> I received this vulnerability back in 08/25/06, never posted it
> because the author sent it in then stated not to post it around 15
> minutes later.

Thanks.
Looks like it's called "osWrapper" and used to be available at , but that link is no longer working. It also looks like the flaw was known back in 2003.

Btw, I wasn't suggesting the Turkish forum posting was the original source of the vuln, only that it's been known for a while.

George
--
theall at tenablesecurity.com

From str0ke at milw0rm.com Thu Jun 21 15:07:15 2007
From: str0ke at milw0rm.com (str0ke)
Date: Thu, 21 Jun 2007 10:07:15 -0500
Subject: [VIM] wrapper.php for osCommerce?
In-Reply-To: <467A8B18.5070207@tenablesecurity.com>
References: <4679C9D9.3000708@tenablesecurity.com> <814b9d50706210706i51259c6w1487aed198b0ab86@mail.gmail.com> <467A8B18.5070207@tenablesecurity.com>
Message-ID: <814b9d50706210807u45b688b5mdd7185db599f3647@mail.gmail.com>

On 6/21/07, George A. Theall wrote:
> Btw, I wasn't suggesting the Turkish forum posting was the original
> source of the vuln, only that it's been known for a while.

Understood. Keep up the good work man.

/str0ke

From coley at linus.mitre.org Mon Jun 25 21:10:38 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Mon, 25 Jun 2007 17:10:38 -0400 (EDT)
Subject: [VIM] CVE-2007-3242 - PATCH IS UPDATED NOW. (fwd)

from the web-app .NET people. Looks like they might have started a security page, too.

- Steve

---------- Forwarded message ----------
Date: Fri, 22 Jun 2007 17:34:33 -0700 (PDT)
To: coley at rcf-smtp.mitre.org
Subject: CVE-2007-3242 - PATCH IS UPDATED NOW.

Hi again,

My sincere apology, you were right. This patch was useless. We have updated the patch for this issue and added for the downloads here:

http://www.web-app.net/cgi-bin/index.cgi?action=downloadinfo&cat=security&id=3

Kind regards

On Elpeleg
WebAPP
www.web-app.net

From coley at mitre.org Tue Jun 26 22:53:14 2007
From: coley at mitre.org (Steven M. Christey)
Date: Tue, 26 Jun 2007 18:53:14 -0400 (EDT)
Subject: [VIM] vendor ACK for phpTrafficA issues
Message-ID: <200706262253.l5QMrEkO017831@faron.mitre.org>

Ref: MILW0RM:4100
Researcher: laurent gaffie

from 1.4.3, released on June 25 2007:

http://soft.zoneo.net/phpTrafficA/Files/get.php?phpTrafficA-1.4.3.tgz

changes.html says:

  Input passed to the lang parameter in index.php was not properly verified before being used to include files and could be exploited to include arbitrary files from local resources. It is now fixed.

  Input passed to the pageid parameter in index.php was not properly sanitised before being used in SQL queries. This could be exploited to manipulate SQL queries by injecting arbitrary SQL code. It is now fixed.

  Input passed to the lang parameter in index.php was not properly sanitised before being returned to the user and could be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

So, these issues are distinct from CVE-2007-1076, which itself is ACK'ed in the changelog entry for 1.4.2.

- Steve

From coley at linus.mitre.org Tue Jun 26 23:00:35 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Tue, 26 Jun 2007 19:00:35 -0400 (EDT)
Subject: [VIM] vendor ACK for phpTrafficA issues
In-Reply-To: <200706262253.l5QMrEkO017831@faron.mitre.org>
References: <200706262253.l5QMrEkO017831@faron.mitre.org>

or, you could just use the main security page, with a link to Secunia SA25773:

http://soft.zoneo.net/phpTrafficA/news.php

  Bugfix release, 26 Jun 2007

  Three vulnerabilities were released yesterday, involving the lang and pageid parameters. This new release, 1.4.3, fixes the issue.

Some older security issues are also mentioned.

- Steve

From coley at linus.mitre.org Wed Jun 27 16:12:45 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Wed, 27 Jun 2007 12:12:45 -0400 (EDT)
Subject: [VIM] Web-APP.org feedback on CVE-2007-3242

This was sent to VIM but didn't seem to make it through approval for some reason. Jericho, were you mass-deleting VIM spam again? :)

- Steve

Date: Wed, 27 Jun 2007 06:15:19 -0700
From: Web-APP
To: Vulnerability Information Managers
Subject: Re: [VIM] CVE-2007-3242 (fwd)

Hello,

I exchanged a couple emails with Brian of OSVDB where I mentioned that I had some details about this and some of the other recently posted CVE entries on WebAPP. He suggested that I post any relevant details here.

Regarding this specific CVE entry - The Menu Manager System Access issue was patched by web-app.org's WebAPP v0.9.9.6 of February 2007. It was reported as being in June which is incorrect. Web-app.org's Menu Manager patch is a different approach than that released by .net last week and involves removal of the system command used for execution of the exploit along with adding filtering on the form submitted data. There is further work completed on the menu system for the next version.

I'm working on the other CVE items and will forward any details I come up with as I assemble the information.

Sincerely,
Jos Brown
WebAPP (c) web-app.org

From webapp at web-app.org Thu Jun 28 19:01:36 2007
From: webapp at web-app.org (Web-APP)
Date: Thu, 28 Jun 2007 12:01:36 -0700
Subject: [VIM] Regarding Web-APP.org WebAPP CVE Entry Details
Message-ID: <21f601c7b9b6$c97198c0$0400a8c0@hsd1.wa.comcast.net>

Hello,

As I mentioned earlier, here are the details for the CVE entries for WebAPP, with complete facts to the best of my ability, to help clarify which vulnerabilities affect web-app.org vs web-app.net releases as suggested by Brian. Please be welcome to make whatever use of this information as is appropriate.

Individual CVEs:

CVE-2004-1742 - Directory traversal vulnerability - long resolved. Was in Topics feature.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1. Patched for v0.9.9.2.

CVE-2005-0927 - Unspecified File Content Disclosure - was null byte in query string issue - long resolved.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2. Patched for v0.9.9.2.1.

CVE-2005-1557 - Multiple cross-site scripting (XSS) vulnerabilities in WebApp Guestbook PRO - Is a mod, not part of WebAPP.
Vulnerable: Only the Mod. Not WebAPP.

CVE-2005-1628 - apage.cgi shell metacharacters - Is a mod, not part of WebAPP.
Vulnerable: Only the Mod. Not WebAPP.

CVE-2006-1427 - Multiple cross-site scripting (XSS) vulnerabilities - Calendar XSS was first reported to an exploits site, I believe by a disgruntled member of the web-app.org group. "CONFIRM:" has web-app.net listed which is incorrect. Web-app.net should not be listed on that old record as web-app.net did not exist before May 25 2006. The web-app.org patch for this entry was May 15.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2. Patch released by web-app.org labeled "May 15 Security Patch" and located at http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=7 .

CVE-2006-6687 - Web-App.Org and Web-App.Net Multiple Input Validation Vulnerabilities - Dec 2006. The patch released by WebAPP Network Group (www.web-app.net) addresses commonly used query string manipulation exploits. There has been more found in input validation weaknesses since that time. Shaka_Flex is sharp at finding these things but not always specific in reporting them. Probably he was aware of much of what we have since found - in form inputs even more so than in query strings.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, and 0.9.9.3.2; web-app.net WebAPP NE v0.9.9.3.3 and 0.9.9.3.4.
CVE-2006-6688 - This is not the same as CVE-2006-6687? Has the same web-app.net patch and same Secunia page.

CVE-2006-7186 - open list files in "profile and other functions," - here is an anchor link to the exact post where that was found: http://www.bantychick.com/live/?action=forum&board=shootbreeze&op=display&num=19&start=15#21 . The referenced thread is a copy of the change log for the WebAPP Network Group's contributions to web-app.net WebAPP NE. Listed as "cgi-lib/subs.pl in web-app.net WebAPP before 0.9.9.3.5", which is incorrect. There is no web-app.net 0.9.9.3.5, and although the patch was done through subs.pl, the vulnerability is in the "other functions".
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, and 0.9.9.3.2; web-app.net WebAPP NE v0.9.9.3.3.

CVE-2006-7187 - Cross-site scripting (XSS) vulnerability in show_recent_searches - patched by web-app.org for 0.9.9.3.5 Sept 9 2006. Appears that web-app.net released a single file patch the same day. Not fixed in the web-app.net full release package.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624 without the single file patch applied.

CVE-2006-7188 - reading internal forum posts via search - file affected should be "cgi-lib/search.pl". Probably web-app.net released a user-lib patch. This was patched in web-app.org WebAPP v0.9.9.3.5 Sept 9 2006. Not fixed in the web-app.net full release package.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624 without the single file patch applied.

CVE-2006-7189 - XSS in logs - This is part of what is listed under CVE-2006-1427.
Listed as "web-app.net WebAPP before 20060403" which is incorrect - There was no web-app.net before 20060525.
Vulnerable: web-app.org WebAPP v0.9.9.3, 0.9.9.3.1. Patch released by web-app.org labeled "May 15 Security Patch" and located at http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=7 .

CVE-2006-7190 - XSS in Article Comments - This is part of what is listed under CVE-2006-1427. Listed as "web-app.net WebAPP before 20060515" which is incorrect - There was no web-app.net before 20060525.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2. Patch released by web-app.org labeled "May 15 Security Patch" and located at http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=7 .

CVE-2007-1174 - HTML (XSS?) in profiles -
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, and 0.9.9.5; web-app.net WebAPP NE v0.9.9.3.3 and 0.9.9.3.4 of 20060901. Verified as probably fixed in web-app.net WebAPP NE 0.9.9.3.4 of 20070222. Patch released by web-app.org labeled "Security Patch for Profiles" at http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=27 .

CVE-2007-1175 - Cross-site scripting (XSS) vulnerability in an admin feature - The log viewer when HTML is entered as a spoofed user agent. Discovered by Blackcode. http://newbc.blackcode.com/forum/index.php?t=msg&rid=0&th=1167&goto=10145#msg_10145 .
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.
CVE-2007-1176 - Multiple cross-site scripting (XSS) vulnerabilities in Gallery feedback, Gallery comments, Search results, Statistics log viewer - Gallery XSS was persistent. Search results is client side and found by Blackcode, posted at http://newbc.blackcode.com/forum/index.php?t=msg&rid=0&th=1167&goto=10033#msg_10094 . Statistics log viewer was same as entry CVE-2007-1175 .
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.

CVE-2007-1177 - Input validation in query string, Profiles, Forum Post icon, Edit Profile, and Gallery - Query string: basic touching up of filters, no specific risk; Profiles: same as CVE-2007-1174; Gallery: same as CVE-2007-1176;
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.

CVE-2007-1178 - Access checks in Calendar Administration, Instant Messages Administration, Image Uploader - Calendar Admin: missing line in access check (typo); IM admin: access checking was missing in new IMX advanced admin features; Image uploader hidden page was missing username access check.
Vulnerable: Calendar: web-app.net WebAPP NE v0.9.9.3.4, web-app.org WebAPP v0.9.9.3.5. Patch labeled "Calendar Mod Admin Patch" released at http://www.web-app.org/cgi-bin/index.cgi?action=downloadinfo&cat=pastversions&id=23 . Instant Messages Admin: web-app.org WebAPP v0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.4, 0.9.9.3.5; web-app.net WebAPP NE 2007 through at least 20070624.
Image Uploader: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. All patched in web-app.org WebAPP v0.9.9.5.

CVE-2007-1179 - improper email address management in mail features - Main problem was spammers using Recommend feature, spoofing email headers to send to multiple addresses, when the site was set to allow this feature to be used by guests and to allow remote submission of forms. Was reported as a problem on one site with these settings. The fix for this implemented a module that was also put to use on all other emailer features.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Patched in web-app.org WebAPP v0.9.9.5.

CVE-2007-1180 - checking of referrers in certain forms - This was due to removal of the site wide referrer check in favor of using a localized routine for each form. This is a relatively useless check as it will not stop determined hackers from spoofing the referrer field in their browsers. Notes on this as per this entry's references are pertaining to addition of the localized routine to most all of the subroutines that accept form input. Although web-app.org does not consider this a vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1181 - passing Unused Informations and username through Edit Profile forms - a form cleanup, security related as cleaned up forms are easier to secure but no specific risk or known exploit. Although web-app.org does not consider this a vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1182 - Guest editing Guest profile - like it says, unknown impact.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Prevented in web-app.org WebAPP v0.9.9.5.

CVE-2007-1183 - Spoofing Real Name - a harmless prank but could lead people to believe someone was really someone else.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Fixed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1184 - CAPTCHA default was set to "no" - This is only a setting. Was set to "no" during time of use of module that was not there or not working on some servers. Changed default to "yes" after switching to a built-in module. Although web-app.org does not consider this a vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1185 - Search, Edit Profile, Recommend, and User Approval forms using hidden inputs - Was unnecessary since it was possible for the script to set some of the values when the form was processed. Not a risk but is security-related. Although web-app.org does not consider this a vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1186 - No censoring of Real Name - user could put porn or cuss words there, not a risk. Although web-app.org does not consider this a vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1187 - Sensitive Information via Forum Archive or Recent Searches - Does this refer to the "Forum Archive feature made admin only" and "Made Recent Searches viewable by administrators only" in article referenced http://www.web-app.org/cgi-bin/index.cgi?action=viewnews&id=250 ?
Forum archive was changed from "Administrator" to "Admin" because some administrators did not know how to use it and messed up forums. Recent searches was made admin only because of all the porn search phrase spammers lately. No risk with either. Although web-app.org does not consider this a vulnerability, it was addressed in web-app.org WebAPP v0.9.9.5.

CVE-2007-1188 - Composition and length checking on Search - could overload server and possibly weaken server for other attempts. There was multi-megabyte data being submitted to search, along with long strings of name value pairs.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Addressed by web-app.org WebAPP v0.9.9.5.

CVE-2007-1259 - Multiple unspecified vulnerabilities - The main thing here was the menu manager - same as CVE-2007-3242. Other things were client side XSS (CVE-2007-1828) and typo in image uploader file check (CVE-2007-1832). Patch was web-app.org WebAPP v0.9.9.6.

CVE-2007-1489 - Admin access by Cookie modification - was only in version 0.9.9.6. Listed as 0.9.9.4 to 0.9.9.6 which is incorrect.
Vulnerable: web-app.org WebAPP v0.9.9.6.

CVE-2007-1827 - same as CVE-2007-3242.

CVE-2007-1828 - mentioned in CVE-2007-1259.

CVE-2007-1830 - same as CVE-2007-1489.

CVE-2007-1831 - Query string writing wrong data - Was in downloads and links. They could be deleted by entering the downloads categories file name as the single category name.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, and 0.9.9.5; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Patched for web-app.org WebAPP 0.9.9.6.

CVE-2007-1832 - mentioned in CVE-2007-1259.
CVE-2007-3242 - Menu Manager System Commands. -
Vulnerable: web-app.org WebAPP v0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 prior to 20070624. Patched for web-app.org WebAPP 0.9.9.6 of 20070221.

CVE-2007-3416 - Multiple cross-site request forgery - listed as "allow remote attackers to perform deletions as administrators"; probably from our notes: "Administration for poll, profiles, IP bans, forums - added referrer check to prevent accidental deletion due to XSS redirects or tricky links." This is to avoid deletion on features that do not have a delete confirmation page - an XSS on another page or a trick link could lead an unsuspecting admin to accidentally delete something. This would have to be specifically targeted against a well known person.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, and 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Patched for web-app.org WebAPP 0.9.9.7 of 20070329.

CVE-2007-3417 - Multiple cross-site scripting (XSS) vulnerabilities in Search - Says "inject arbitrary web script or HTML via a search string, which is not sanitized when an HREF attribute is printed by the (1) process_search or (2) show_recent_searches function." Could this be from web-app.org's "Search pages links URL encoded" note? That is so search works with heavier filtering on the query string characters. Or maybe "In Search, HTML encoding and decoding for "search again" input" ? Process search does not print anything, and show recent searches was made admin only, so I don't know about this one. Maybe not a vulnerability?

CVE-2007-3418 - Display Forum Post not showing username under Real name - a follow up to CVE-2007-1183. To show username under Real name in the display of each forum post.
Mostly a convenience item. Not a vulnerability.

CVE-2007-3419 - Checking of dat files for Edit Profile - This is a complete check on all fields of edit profile input. Done mostly to catch attempted hackers. One field was found possible to be altered and affect the "status" setting of the user. Any other modifications simply corrupt the profile. Someone would need to be an expert at encoding and know the WebAPP code and data file format to do this. Relatively harmless.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, and 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Now is checked since web-app.org WebAPP v0.9.9.7.

CVE-2007-3420 - Random cookie not clearing values - The user auth file was cleared, but not the cookie. Fixing this could make further cookie manipulation more difficult, but it is not a real risk. The cookie system before the Random Cookie came in also left uncleared cookies. Random cookie was implemented in web-app.org WebAPP v0.9.9.6.

CVE-2007-3421 - verification of membership on edit functions - just an extra check. There is a new routine for checking membership, so it was easy to add it to all relevant spots. Did cause script errors on certain things such as the Gallery.
Vulnerable: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, and 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Addressed by web-app.org WebAPP v0.9.9.7.

CVE-2007-3422 - getcgi not filtering non-printing characters, certain printing characters that do not commonly occur in URLs, or invalid URL encoding sequences - The URL filters were modified to allow only valid URL characters, rather than only ruling out known exploitable characters as before.
Affected: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 prior to 20070222. Filtering added to web-app.org WebAPP v0.9.9.7. web-app.net WebAPP NE 2007 should be checked for a filter on null bytes in the query string (CVE-2005-0927) subsequent to their filter modifications to getcgi.

CVE-2007-3423 - "from" field used in Instant Message display - Not necessary to use that field, and it would cause Perl warnings or errors when reading an IM from (a) an internal IM, or a message from a (b) guest or (c) removed member. Not good to use user input for a file name.
Affected: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Addressed by web-app.org WebAPP v0.9.9.7.

CVE-2007-3424 - "tocat" in move Instant Messages parameter - Must be from the referenced thread note "Instant messages move "to" folder set hard coded value instead of using query string value." Not good to use user input for a destination folder name, albeit there is a filter on traversal. Was not necessary to use this field since there is only one folder to which messages can be moved at this time.
Affected: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Addressed by web-app.org WebAPP v0.9.9.7.
Sincerely,
Jos Brown
WebAPP (c) web-app.org

From webapp at web-app.org Thu Jun 28 19:19:33 2007
From: webapp at web-app.org (Web-APP)
Date: Thu, 28 Jun 2007 12:19:33 -0700
Subject: [VIM] Regarding Web-APP.org WebAPP CVE Entry Details
Message-ID: <222a01c7b9b9$66723ec0$0400a8c0@hsd1.wa.comcast.net>

Hi,

That last record in my previous email got a little too much pasted in, for the versions affected. Should be:

CVE-2007-3424 - "tocat" in move Instant Messages parameter - Must be from the referenced thread note "Instant messages move "to" folder set hard coded value instead of using query string value." Not good to use user input for a destination folder name, albeit there is a filter on traversal. Was not necessary to use this field since there is only one folder to which messages can be moved at this time.
Affected: web-app.org WebAPP v0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4, 0.9.9.5, and 0.9.9.6; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624. Addressed by web-app.org WebAPP v0.9.9.7. There was no Instant Message Move feature prior to WebAPP v0.9.9.3.

Sorry about that.

Jos Brown
WebAPP (c) web-app.org

From webapp at web-app.org Thu Jun 28 20:05:39 2007
From: webapp at web-app.org (Web-APP)
Date: Thu, 28 Jun 2007 13:05:39 -0700
Subject: [VIM] Regarding Web-APP.org WebAPP CVE Entry Details
References: <222a01c7b9b9$66723ec0$0400a8c0@hsd1.wa.comcast.net>
Message-ID: <223701c7b9bf$b38553e0$0400a8c0@hsd1.wa.comcast.net>

Hi once more,

Two more corrections, and I think the rest is okay. Sorry for the mistakes, but this was a long list. Took several hours to figure it all out. I was checking it but got distracted and sent it, I guess, before checking thoroughly enough.
These 2 have the versions changed:

No log viewer before 0.9.9.3:
CVE-2007-1175 - Cross-site scripting (XSS) vulnerability in an admin feature - The log viewer when HTML is entered as a spoofed user agent. Discovered by Blackcode: http://newbc.blackcode.com/forum/index.php?t=msg&rid=0&th=1167&goto=10145#msg_10145
Vulnerable: web-app.org WebAPP 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.

No Gallery before 0.9.9.3:
CVE-2007-1176 - Multiple cross-site scripting (XSS) vulnerabilities in Gallery feedback, Gallery comments, Search results, Statistics log viewer - Gallery XSS was persistent. Search results is client side and was found by Blackcode, posted at http://newbc.blackcode.com/forum/index.php?t=msg&rid=0&th=1167&goto=10033#msg_10094 . Statistics log viewer was the same as entry CVE-2007-1175.
Vulnerable:
Gallery: web-app.org WebAPP v0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.
Search Results: web-app.org WebAPP v0.8, 0.9, 0.9.3, 0.9.4, 0.9.5, 0.9.7, 0.9.8, 0.9.9, 0.9.9.1, 0.9.9.2, 0.9.9.3, 0.9.9.3.1, 0.9.9.3.2, 0.9.9.3.5, 0.9.9.4; web-app.net WebAPP NE v0.9.9.3.3, 0.9.9.3.4; web-app.net WebAPP NE 2007 through at least 20070624.
Statistics Log Viewer: See CVE-2007-1175.

From coley at linus.mitre.org Thu Jun 28 22:51:06 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 28 Jun 2007 18:51:06 -0400 (EDT)
Subject: [VIM] Regarding Web-APP.org WebAPP CVE Entry Details
In-Reply-To: <223701c7b9bf$b38553e0$0400a8c0@hsd1.wa.comcast.net>
References: <222a01c7b9b9$66723ec0$0400a8c0@hsd1.wa.comcast.net> <223701c7b9bf$b38553e0$0400a8c0@hsd1.wa.comcast.net>
Message-ID:

Jos,

Thank you for the extensive notes. This helps all of us in the vulnerability information world.

- Steve

From coley at linus.mitre.org Thu Jun 28 23:27:34 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 28 Jun 2007 19:27:34 -0400 (EDT)
Subject: [VIM] Vendor ACK for CVE-2007-3431 (Dagger web engine)
Message-ID:

---------- Forwarded message ----------
Date: Fri, 29 Jun 2007 01:04:35 +0200
From: Valerio Capello
To: cve at mitre.org
Subject: CVE-2007-3431 (Dagger web engine)

The vulnerability CVE-2007-3431 concerning Dagger web engine, listed in http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3431 has been fixed with the release of Dagger_r28jun2007, available from Dagger's official website http://labs.geody.com/dagger/

Sincerely,
Valerio Capello

From coley at linus.mitre.org Thu Jun 28 23:32:14 2007
From: coley at linus.mitre.org (Steven M. Christey)
Date: Thu, 28 Jun 2007 19:32:14 -0400 (EDT)
Subject: [VIM] Vendor ACK for CVE-2007-3431 (Dagger web engine)
In-Reply-To:
References:
Message-ID:

FYI, the SourceForge site doesn't say anything directly, but docs/changelog/changelog.txt in the download says:

Fixed Remote File Include Vulnerability / Input Validation Error (see http://milw0rm.com/exploits/4097 (24jun2007), SecurityFocus Bugtraq 24605 http://www.securityfocus.com/bid/24605/ (24jun2007), Secunia Advisory SA25790 http://secunia.com/advisories/25790/ (25jun2007)).
- Steve

From webapp at web-app.org Fri Jun 29 01:38:50 2007
From: webapp at web-app.org (Web-APP)
Date: Thu, 28 Jun 2007 18:38:50 -0700
Subject: [VIM] Regarding Web-APP.org WebAPP CVE Entry Details
References: <222a01c7b9b9$66723ec0$0400a8c0@hsd1.wa.comcast.net> <223701c7b9bf$b38553e0$0400a8c0@hsd1.wa.comcast.net>
Message-ID: <000601c7b9ee$4a28eea0$0400a8c0@hsd1.wa.comcast.net>

Sure Steve, you're welcome. If I had known earlier that information from me was acceptable, you would have heard from me sooner. Somehow I thought those entries were set in stone. Now that I know, I will try to keep up on them better.

Any question anybody has about anything there, or anything else about WebAPP, just ask. I'm very familiar with the system. We've come a long way security-wise, but I'm sure there will be more things that will be found in the future as we continue to work through everything.

Jos

----- Original Message -----
From: "Steven M. Christey"
To: "Web-APP"
Cc: "Vulnerability Information Managers"
Sent: Thursday, June 28, 2007 3:51 PM
Subject: Re: [VIM] Regarding Web-APP.org WebAPP CVE Entry Details

>
> Jos,
>
> Thank you for the extensive notes. This helps all of us in the
> vulnerability information world.
>
> - Steve
>

From theall at tenablesecurity.com Fri Jun 29 01:57:38 2007
From: theall at tenablesecurity.com (George A. Theall)
Date: Thu, 28 Jun 2007 21:57:38 -0400
Subject: [VIM] Questions about CVE-2007-3161
Message-ID: <46846712.3020209@tenablesecurity.com>

Does anyone know if there's been a fix for the buffer overflow in Ace-FTP (milw0rm 4058 / CVE-2007-3161 / BID 24403)? While the version number seems off in no0b's advisory, the vendor did release an update to the non-freeware FTP client shortly after:

http://software.visicommedia.com/en/products/aceftp/support/3802.html

Any bets the fix was classified as either:

o "Random crashes while browsing."
o "Numerous minor bugfixes and stability improvements."

George
--
theall at tenablesecurity.com
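The getcgi change Jos Brown describes earlier in this thread for CVE-2007-3422 (allow only valid URL characters instead of ruling out known exploitable ones) and the null-byte check he flags for CVE-2005-0927, shown as an added illustration that is not WebAPP's code: a deny-list query filter beside an allow-list one that also validates percent-escapes and rejects control bytes after decoding. WebAPP is Perl; the Python below is a constructed, language-neutral comparison, and the character sets and function names are assumptions.

```python
import re
from typing import Optional
from urllib.parse import unquote_to_bytes

# Constructed example, not WebAPP's getcgi.

# Deny-list style: strip only characters previously known to be abused.
# Anything the list never anticipated (control characters, malformed
# percent-escapes, a NUL that appears only after decoding) passes through.
_DENY = re.compile(r"[<>\"'`;|]")

def filter_denylist(query: str) -> str:
    return _DENY.sub("", query)

# Allow-list style: the raw query string may contain only the characters
# RFC 3986 permits in a query (unreserved, sub-delims, ':' '@' '/' '?'),
# and every '%' must begin a valid two-hex-digit escape.
_ALLOWED_RAW = re.compile(
    r"^(?:[A-Za-z0-9\-._~!$&'()*+,;=:@/?]|%[0-9A-Fa-f]{2})*$")

def filter_allowlist(query: str) -> Optional[str]:
    """Return the query unchanged if it is well-formed and, once
    percent-decoded, contains no control bytes (NUL included).
    Return None to signal that the request should be rejected outright."""
    if not _ALLOWED_RAW.match(query):
        return None   # character outside the allow-list or invalid escape
    decoded = unquote_to_bytes(query)
    # Reject C0 controls (0x00-0x1f), DEL (0x7f) and non-ASCII bytes that a
    # syntactically valid escape smuggled in; %00 is the CVE-2005-0927 case.
    if any(b < 0x20 or b >= 0x7f for b in decoded):
        return None
    return query

def check(query: str) -> dict:
    """Run both filters on one query string so the difference is visible.
    Character-level validity is only the first gate: a value such as
    'tocat' or 'from' still needs its own per-field check before it is
    used as a file or folder name."""
    return {"denylist": filter_denylist(query),
            "allowlist": filter_allowlist(query)}
```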