From theall at tenable.com Wed Jun 8 20:14:56 2011
From: theall at tenable.com (George A. Theall)
Date: Wed, 8 Jun 2011 21:14:56 -0400
Subject: [VIM] BID 48170 Confusion
Message-ID:

I'm confused by BID 48170. The discussion says there's an unspecified XSS vulnerability in Coppermine Photo Gallery and that versions before 1.4.27 and 1.5.12 are affected.

The 1.4.27 release announcement referenced in the BID shows it was published on May 20th, 2010 and credits Ilja van Sprundel for discovering the vulnerability.

The 1.5.12 release announcement referenced in the BID shows it was published on January 2nd, 2011 and credits Janek Vind.

Are these really referring to the same issue? Rob?

Also, for what it's worth, BID 45600 concerns a set of XSS vulnerabilities reported by Janek Vind at the very end of 2010 in Coppermine 1.5.10. SecurityFocus doesn't have any info on a fix, but Secunia in SA42751 reports the issues were addressed in 1.5.12.

George
--
theall at tenablesecurity.com


From rkeith at securityfocus.com Thu Jun 9 13:50:16 2011
From: rkeith at securityfocus.com (rkeith)
Date: Thu, 09 Jun 2011 12:50:16 -0600
Subject: [VIM] BID 48170 Confusion
In-Reply-To:
References:
Message-ID: <4DF115E8.9050703@securityfocus.com>

BID 48170 was based off of the following:

http://permalink.gmane.org/gmane.comp.security.oss.general/5223

We suspected it might have been related to 45600, but couldn't tie the two together.

-Rob

On 06/08/2011 07:14 PM, George A. Theall wrote:
> I'm confused by BID 48170. The discussion says there's an unspecified XSS vulnerability in Coppermine Photo Gallery and that versions before 1.4.27
> and 1.5.12 are affected.
>
> The 1.4.27 release announcement referenced in the BID shows it was published on May 20th, 2010 and credits Ilja van Sprundel for discovering the
> vulnerability.
>
> The 1.5.12 release announcement referenced in the BID shows it was published on January 2nd, 2011 and credits Janek Vind.
>
> Are these really referring to the same issue? Rob?
>
> Also, for what it's worth, BID 45600 concerns a set of XSS vulnerabilities reported by Janek Vind at the very end of 2010 in Coppermine 1.5.10.
> SecurityFocus doesn't have any info on a fix, but Secunia in SA42751 reports the issues were addressed in 1.5.12.
>
> George


From theall at tenable.com Thu Jun 9 14:22:10 2011
From: theall at tenable.com (George A. Theall)
Date: Thu, 9 Jun 2011 15:22:10 -0400
Subject: [VIM] BID 48170 Confusion
In-Reply-To: <4DF115E8.9050703@securityfocus.com>
References: <4DF115E8.9050703@securityfocus.com>
Message-ID: <11F350E4-0BE1-4357-962A-87C6D2152100@tenable.com>

On Jun 9, 2011, at 2:50 PM, rkeith wrote:

> BID 48170 was based off of the following:
>
> http://permalink.gmane.org/gmane.comp.security.oss.general/5223
>
> We suspected it might have been related to 45600, but couldn't tie
> the two together.

FYI, here's a forum posting that seems to provide more details about the issue(s) addressed in 1.4.27:

http://forum.coppermine-gallery.net/index.php/topic,64734.0.html

Note there are also some command injection issues mentioned in that thread that I haven't seen in Bugtraq / CVE / OSVDB yet.

> -Rob
>
> On 06/08/2011 07:14 PM, George A. Theall wrote:
>> I'm confused by BID 48170. The discussion says there's an
>> unspecified XSS vulnerability in Coppermine Photo Gallery and that
>> versions before 1.4.27 and 1.5.12 are affected.
>>
>> The 1.4.27 release announcement referenced in the BID shows it was
>> published on May 20th, 2010 and credits Ilja van Sprundel for
>> discovering the vulnerability.
>>
>> The 1.5.12 release announcement referenced in the BID shows it was
>> published on January 2nd, 2011 and credits Janek Vind.
>>
>> Are these really referring to the same issue? Rob?
>>
>> Also, for what it's worth, BID 45600 concerns a set of XSS
>> vulnerabilities reported by Janek Vind at the very end of 2010 in
>> Coppermine 1.5.10. SecurityFocus doesn't have any info on a fix, but
>> Secunia in SA42751 reports the issues were addressed in 1.5.12.
>>
>> George
>
> George

--
theall at tenablesecurity.com


From osf-lists at opensecurityfoundation.org Wed Jun 15 03:48:38 2011
From: osf-lists at opensecurityfoundation.org (OSF LISTS)
Date: Wed, 15 Jun 2011 02:48:38 -0600
Subject: [VIM] [Full-disclosure] ZDI-11-197: Microsoft Internet Explorer vgx.dll imagedata Remote Code Execution Vulnerability
In-Reply-To:
References:
Message-ID:

Believe this should be CVE-2011-1256. Confirm?

On Tue, Jun 14, 2011 at 1:25 PM, ZDI Disclosures <zdi-disclosures at tippingpoint.com> wrote:

> ZDI-11-197: Microsoft Internet Explorer vgx.dll imagedata Remote Code
> Execution Vulnerability
>
> http://www.zerodayinitiative.com/advisories/ZDI-11-197
>
> June 14, 2011
>
> -- CVE ID:
> CVE-2011-1266
>
> -- CVSS:
> 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
>
> -- Affected Vendors:
> Microsoft
>
> -- Affected Products:
> Microsoft Internet Explorer 8
>
> -- TippingPoint(TM) IPS Customer Protection:
> TippingPoint IPS customers have been protected against this
> vulnerability by Digital Vaccine protection filter ID 11254.
> For further product information on the TippingPoint IPS, visit:
>
> http://www.tippingpoint.com
>
> -- Vulnerability Details:
> This vulnerability allows remote attackers to execute arbitrary code on
> vulnerable installations of Internet Explorer. User interaction is
> required to exploit this vulnerability in that the target must visit a
> malicious page or open a malicious file.
>
> The specific flaw exists within vgx.dll while parsing VML objects from
> the DOM. Specifically, the faulty code exists while handling imagedata
> parameters during page deconstruction. By dynamically assigning an
> attribute to an imagedata object the process can be made to access freed
> memory. Successful exploitation can lead to code execution under the
> context of the application.
>
> -- Vendor Response:
> Microsoft has issued an update to correct this vulnerability. More
> details can be found at:
>
> http://www.microsoft.com/technet/security/Bulletin/MS11-052.mspx
>
> -- Disclosure Timeline:
> 2011-01-21 - Vulnerability reported to vendor
> 2011-06-14 - Coordinated public release of advisory
>
> -- Credit:
> This vulnerability was discovered by:
> * Anonymous
>
> -- About the Zero Day Initiative (ZDI):
> Established by TippingPoint, The Zero Day Initiative (ZDI) represents
> a best-of-breed model for rewarding security researchers for responsibly
> disclosing discovered vulnerabilities.
>
> Researchers interested in getting paid for their security research
> through the ZDI can find more information and sign-up at:
>
> http://www.zerodayinitiative.com
>
> The ZDI is unique in how the acquired vulnerability information is
> used. TippingPoint does not re-sell the vulnerability details or any
> exploit code. Instead, upon notifying the affected product vendor,
> TippingPoint provides its customers with zero day protection through
> its intrusion prevention technology. Explicit details regarding the
> specifics of the vulnerability are not exposed to any parties until
> an official vendor patch is publicly available. Furthermore, with the
> altruistic aim of helping to secure a broader user base, TippingPoint
> provides this vulnerability information confidentially to security
> vendors (including competitors) who have a vulnerability protection or
> mitigation product.
>
> Our vulnerability disclosure policy is available online at:
>
> http://www.zerodayinitiative.com/advisories/disclosure_policy/
>
> Follow the ZDI on Twitter:
>
> http://twitter.com/thezdi
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/


From jericho at attrition.org Wed Jun 15 04:02:34 2011
From: jericho at attrition.org (security curmudgeon)
Date: Wed, 15 Jun 2011 04:02:34 -0500 (CDT)
Subject: [VIM] [Full-disclosure] ZDI-11-197: Microsoft Internet Explorer vgx.dll imagedata Remote Code Execution Vulnerability
In-Reply-To:
References:
Message-ID:

On Wed, 15 Jun 2011, OSF LISTS wrote:

: Believe this should be CVE-2011-1256. Confirm?

And on second glance..

http://www.zerodayinitiative.com/advisories/ZDI-11-197  CVE-2011-1266
http://www.zerodayinitiative.com/advisories/ZDI-11-193  CVE-2011-1256

Yet there are 2 MS IE vulns related to DOM manipulation:

2011-1256  Microsoft IE vgx.dll imagedata VML Object DOM Modification Memory Corruption
2011-1251  Microsoft IE DOM Manipulation Memory Corruption

Perhaps ZDI-11-197 is really CVE-2011-1251? Or did you issue two advisories for 2011-1256?

: On Tue, Jun 14, 2011 at 1:25 PM, ZDI Disclosures <zdi-disclosures at tippingpoint.com> wrote:
:
: > ZDI-11-197: Microsoft Internet Explorer vgx.dll imagedata Remote Code
: > Execution Vulnerability
: >
: > http://www.zerodayinitiative.com/advisories/ZDI-11-197
: >
: > June 14, 2011
: >
: > -- CVE ID:
: > CVE-2011-1266
: >
: > -- CVSS:
: > 9, (AV:N/AC:L/Au:N/C:P/I:P/A:C)
: >
: > -- Affected Vendors:
: > Microsoft
: >
: > -- Affected Products:
: > Microsoft Internet Explorer 8
: >
: > -- TippingPoint(TM) IPS Customer Protection:
: > TippingPoint IPS customers have been protected against this
: > vulnerability by Digital Vaccine protection filter ID 11254.
: > For further product information on the TippingPoint IPS, visit:
: >
: > http://www.tippingpoint.com
: >
: > -- Vulnerability Details:
: > This vulnerability allows remote attackers to execute arbitrary code on
: > vulnerable installations of Internet Explorer. User interaction is
: > required to exploit this vulnerability in that the target must visit a
: > malicious page or open a malicious file.
: >
: > The specific flaw exists within vgx.dll while parsing VML objects from
: > the DOM. Specifically, the faulty code exists while handling imagedata
: > parameters during page deconstruction. By dynamically assigning an
: > attribute to an imagedata object the process can be made to access freed
: > memory. Successful exploitation can lead to code execution under the
: > context of the application.
: >
: > -- Vendor Response:
: > Microsoft has issued an update to correct this vulnerability. More
: > details can be found at:
: >
: > http://www.microsoft.com/technet/security/Bulletin/MS11-052.mspx
: >
: > -- Disclosure Timeline:
: > 2011-01-21 - Vulnerability reported to vendor
: > 2011-06-14 - Coordinated public release of advisory
: >
: > -- Credit:
: > This vulnerability was discovered by:
: > * Anonymous
: >
: > -- About the Zero Day Initiative (ZDI):
: > Established by TippingPoint, The Zero Day Initiative (ZDI) represents
: > a best-of-breed model for rewarding security researchers for responsibly
: > disclosing discovered vulnerabilities.
: >
: > Researchers interested in getting paid for their security research
: > through the ZDI can find more information and sign-up at:
: >
: > http://www.zerodayinitiative.com
: >
: > The ZDI is unique in how the acquired vulnerability information is
: > used. TippingPoint does not re-sell the vulnerability details or any
: > exploit code. Instead, upon notifying the affected product vendor,
: > TippingPoint provides its customers with zero day protection through
: > its intrusion prevention technology. Explicit details regarding the
: > specifics of the vulnerability are not exposed to any parties until
: > an official vendor patch is publicly available. Furthermore, with the
: > altruistic aim of helping to secure a broader user base, TippingPoint
: > provides this vulnerability information confidentially to security
: > vendors (including competitors) who have a vulnerability protection or
: > mitigation product.
: >
: > Our vulnerability disclosure policy is available online at:
: >
: > http://www.zerodayinitiative.com/advisories/disclosure_policy/
: >
: > Follow the ZDI on Twitter:
: >
: > http://twitter.com/thezdi


From jericho at attrition.org Thu Jun 16 00:46:22 2011
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 16 Jun 2011 00:46:22 -0500 (CDT)
Subject: [VIM] ZDI-11-203 / ZDI-11-204 CVE question
Message-ID:

http://www.zerodayinitiative.com/advisories/ZDI-11-203/  CVE-2011-2112
http://www.zerodayinitiative.com/advisories/ZDI-11-204/  CVE-2011-2112

These seem like distinct vulnerabilities: DIRAPI.dll vs TextXtra.x32 Module, have separate IPS signatures, etc. Can you verify the CVEs please?

Thanks!

Brian
OSVDB.org


From jericho at attrition.org Thu Jun 16 01:26:09 2011
From: jericho at attrition.org (security curmudgeon)
Date: Thu, 16 Jun 2011 01:26:09 -0500 (CDT)
Subject: [VIM] ZDI-11-205 / ZDI-11-209 CVE question
Message-ID:

http://www.zerodayinitiative.com/advisories/ZDI-11-205
http://www.zerodayinitiative.com/advisories/ZDI-11-209

Same thing, both refer to CVE-2011-0335. In this case, the vuln is in the same module (Dirapi.dll). I also note that ZDI-11-209 seems closer to ZDI-11-208, as it is the same module and rcsL chunk / substructure parsing that is affected. 208 has CVE-2011-2109 affiliated with it though.

Thanks for any clarification, and I realize that some of this confusion may be due to the way Adobe issues CVE identifiers.

Brian
OSVDB.org