From henri at nerv.fi Fri Aug 1 01:22:30 2014
From: henri at nerv.fi (Henri Salo)
Date: Fri, 1 Aug 2014 09:22:30 +0300
Subject: [VIM] WordPress A Page Flip Book Plugin 'pageflipbook.php' Local File Include Vulnerability
In-Reply-To:
References:
Message-ID: <20140801062230.GB4743@kludge.henri.nerv.fi>

On Fri, Aug 01, 2014 at 12:48:15AM +0000, George Theall wrote:
> Himanshu / Dinesh / Narayan / Venkat / Rob : I noticed that SecurityFocus
> recently created BID 68959 for a local file inclusion vulnerability in the
> WordPress A Page Flip Book plugin, presumably based on Henri Salo's post at
> http://www.openwall.com/lists/oss-security/2014/07/30/2. Henri's post in turn
> references a post from Charlie Eriksen over two years ago -
> http://ceriksen.com/2012/07/10/wordpress-a-page-flip-book-plugin-local-file-inclusion-vulnerability/

I'd like to verify that the mailing list post was only to receive a CVE identifier for the vulnerability in question.

---
Henri Salo

From Himanshu_Mehta at symantec.com Fri Aug 1 13:47:12 2014
From: Himanshu_Mehta at symantec.com (Himanshu Mehta)
Date: Fri, 1 Aug 2014 11:47:12 -0700
Subject: [VIM] WordPress A Page Flip Book Plugin 'pageflipbook.php' Local File Include Vulnerability
In-Reply-To:
References:
Message-ID: <1587858E792C6C48ADD97BCB156E8ED031F9C7BFF2@APJ1XCHEVSPIN31.SYMC.SYMANTEC.COM>

Hi,

Updated CVE-2012-6652 for BID: 54368. BID: 68959 retired as a duplicate of BID 54368.
Regards,
Himanshu

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of George Theall
Sent: Friday, August 01, 2014 6:18 AM
To: Vulnerability Information Managers
Subject: [VIM] WordPress A Page Flip Book Plugin 'pageflipbook.php' Local File Include Vulnerability

Himanshu / Dinesh / Narayan / Venkat / Rob :

I noticed that SecurityFocus recently created BID 68959 for a local file inclusion vulnerability in the WordPress A Page Flip Book plugin, presumably based on Henri Salo's post at http://www.openwall.com/lists/oss-security/2014/07/30/2. Henri's post in turn references a post from Charlie Eriksen over two years ago - http://ceriksen.com/2012/07/10/wordpress-a-page-flip-book-plugin-local-file-inclusion-vulnerability/

I'm at a loss to understand how this new BID differs from BID 54368, which was created shortly after Charlie's blog post came out originally. There's a slight difference in the name of the plugin in the BIDs, but otherwise we're looking at the same affected script, same affected parameter, same timeframe of discovery, even the same discoverer if you do a tiny bit of digging. This seems like a pretty obvious dup, doesn't it?

George
--
theall at tenable.com

From Ken.Williams at ca.com Fri Aug 22 11:29:32 2014
From: Ken.Williams at ca.com (Williams, James K)
Date: Fri, 22 Aug 2014 16:29:32 +0000
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

FYI, Secunia has clarified what they mean by "commercial use" in a revised EULA. In short, only "students, the press (if the use is for media coverage), private persons and hobby researchers" can use/view/access Secunia vulnerability data. Non-profit organizations, private companies, and public authorities and entities are NOT allowed to access or use any Secunia data, for any reason.

The revised EULA can be found here: http://secunia.com/community/profile/ under the "Create Profile" tab.
Regards,
Ken

From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of Scott Moore
Sent: Monday, April 28, 2014 11:18 AM
To: Vulnerability Information Managers
Cc: vim-bounces at attrition.org
Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?

I wonder what constitutes commercial purposes?

We reference them with a link to their website, and do not sell our vulnerability data.

Thanks.

-----
Scott Moore
Vulnerability Database - Team Lead
X-Force Research and Development
IBM Security Systems
Office: 404-348-9288
Cell: 404-643-1260

From: "Williams, James K"
To: "vim at attrition.org"
Date: 04/28/2014 12:15 PM
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
Sent by: vim-bounces at attrition.org

FYI, it appears that Secunia just put all vulnerability content behind a login. Additionally, the website states that the vuln info cannot be used for commercial purposes.

Regards,
Ken Williams
Director, Product Vulnerability Response Team

From kseifried at redhat.com Fri Aug 22 11:35:17 2014
From: kseifried at redhat.com (Kurt Seifried)
Date: Fri, 22 Aug 2014 10:35:17 -0600
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID: <53F77145.5040705@redhat.com>

Can you post this information to oss-security? This definitely impacts the open source community. Thanks.
On 22/08/14 10:29 AM, Williams, James K wrote:
> FYI, Secunia has clarified what they mean by "commercial use" in a revised EULA. In short, only "students, the press (if the use is for media coverage), private persons and hobby researchers" can use/view/access Secunia vulnerability data.
> Non-profit organizations, private companies, and public authorities and entities are NOT allowed to access or use any Secunia data, for any reason.
>
> The revised EULA can be found here: http://secunia.com/community/profile/ under the "Create Profile" tab.
>
> Regards,
> Ken
>
> From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of Scott Moore
> Sent: Monday, April 28, 2014 11:18 AM
> To: Vulnerability Information Managers
> Cc: vim-bounces at attrition.org
> Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?
>
> I wonder what constitutes commercial purposes?
>
> We reference them with a link to their website, and do not sell our vulnerability data.
>
> Thanks.
>
> -----
> Scott Moore
> Vulnerability Database - Team Lead
> X-Force Research and Development
> IBM Security Systems
> Office: 404-348-9288
> Cell: 404-643-1260
>
> From: "Williams, James K"
> To: "vim at attrition.org"
> Date: 04/28/2014 12:15 PM
> Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
> Sent by: vim-bounces at attrition.org
>
> FYI, it appears that Secunia just put all vulnerability content behind a login. Additionally, the website states that the vuln info cannot be used for commercial purposes.
>
> Regards,
> Ken Williams
> Director, Product Vulnerability Response Team
>

--
Kurt Seifried -- Red Hat -- Product Security -- Cloud
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

From Ken.Williams at ca.com Fri Aug 22 12:01:41 2014
From: Ken.Williams at ca.com (Williams, James K)
Date: Fri, 22 Aug 2014 17:01:41 +0000
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To:
References:
Message-ID:

Hey Steve,

We do not sell any vulnerability-related products or services, or maintain any vulnerability database, or scrape any VDBs. My use is limited to manually researching vulnerabilities that directly affect CA products/networks.

We have no plans to hide security notices for our products behind a login, but I can understand why software vendors might wish to do so (and add an EULA), to prevent commercial VDBs and vulnerability intelligence products/services from using their product security notices and fix information for commercial purposes.

We may need to reconsider our policy of directly sharing product security notices with commercial VDBs and vulnerability intelligence products/services, especially if they won't even allow us to see their entries for our products.

Regards,
Ken

-----Original Message-----
From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On Behalf Of Christey, Steven M.
Sent: Wednesday, April 30, 2014 6:35 PM
To: Vulnerability Information Managers
Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?

Late Tuesday night, I made a direct inquiry to Secunia, since I also have questions about the EULA. If CVE discovers a cross-reference through Secunia or integrates some description details, it seems it could be a violation. I haven't heard back yet.
SecurityFocus, OSVDB, and now Secunia have all restricted access in one form or another. While I recognize there are numerous reasons for doing so, hopefully this trend won't continue, and hopefully we VDB specialists can figure out the best model(s).

Scott and Ken - not to put you *too* much on the spot, but since your VDBs are closely attached to your products, I'm wondering if you have a different business model and less of an existential threat than the "vuln intelligence" VDBs do?

- Steve

>-----Original Message-----
>From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On
>Behalf Of Williams, James K
>Sent: Monday, April 28, 2014 12:30 PM
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?
>
>See sections 6.1 and 6.2 in the EULA on the Community Login signup page.
>https://secunia.com/community/profile
>Figuring out if your use constitutes commercial purposes is only half of
>your problem.
>
>All reference links to secunia.com are effectively dead now unless your
>site visitors have a Secunia account.
>
>Regards,
>Ken
>
>-----Original Message-----
>From: vim-bounces at attrition.org [mailto:vim-bounces at attrition.org] On
>Behalf Of security curmudgeon
>Sent: Monday, April 28, 2014 11:27 AM
>To: Vulnerability Information Managers
>Subject: Re: [VIM] Secunia has now put ALL vulnerability info behind login?
>Importance: High
>
>On Mon, 28 Apr 2014, Scott Moore wrote:
>
>: I wonder what constitutes commercial purposes?
>:
>: We reference them with a link to their website, and do not sell our
>: vulnerability data.
>
>Using a link to them as a cross-reference isn't "commercial".
>
>Pretty sure they are combatting the same thing OSVDB has for years, people
>using our entire entries, text and all, in products and services.
From ken at kenwilliams.us Sat Aug 23 21:47:14 2014
From: ken at kenwilliams.us (ken)
Date: Sat, 23 Aug 2014 21:47:14 -0500
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
Message-ID: <53F95232.5040904@kenwilliams.us>

I feel a need to clarify my previous email ...

Secunia obviously has an extremely useful and comprehensive vulnerability database. All of their vulnerability mgmt, patch mgmt, and scanning products are excellent too. The IT industry needs high quality vuln and patch mgmt solutions like this, and Secunia needs revenue so they can maintain and improve their products/solutions, conduct research, build new products, make a profit, etc.

There are some potentially adverse consequences to their decision to close their vulnerability database:

1) All direct links to Secunia vuln db entries are effectively dead ends now ... unless the link clicker is a student, press, private person, hobby/non-commercial security researcher and gets "community" (free) access, OR is a non-profit organization, private company, or public authority/entity who has paid the annual fee[1] for the VIM product. I imagine most people reading this email fall into the latter group, do not have access, and will need to pay for access.

2) Vendors can apparently no longer review the Secunia vuln db so they can submit updates and corrections (unless the vendor has purchased the VIM product?). Will this result in Secunia vuln db info becoming less accurate and up-to-date?

3) If you maintain a public or private vulnerability database, or vulnerability website, you will no longer be able to effectively reference or cross-reference the Secunia vuln db, unless you pay for access. How will this impact OSVDB, NVD, CVE, IAVM, PacketStorm, etc?

Depending on your interests in vulnerabilities and role(s) in the security industry, you may see other consequences.
Bottom line for me is that I had been using the public, freely available Secunia vuln info every day for over 10 years, and I had been regularly submitting vuln info/updates/corrections. I'm currently not using it at all (in compliance with their EULA). If the VIM cost fits into my budget, then I'll definitely purchase it.

Maybe this is a necessary and/or business-savvy decision for Secunia. I don't know, and it's not my place to guess or judge. I simply consider it unfortunate that a once publicly accessible and invaluable vuln db is now closed to many/most of us.

Regards,
Ken

The opinions and statements in this email are my own and do not necessarily reflect the opinions or policies of my employer.

[1] $28,400/year as of Feb 2013. May not fit into budget for some non-profits, govt agencies, smaller businesses. Reference: http://goo.gl/N2DikW

From kseifried at redhat.com Sat Aug 23 22:40:04 2014
From: kseifried at redhat.com (Kurt Seifried)
Date: Sat, 23 Aug 2014 21:40:04 -0600
Subject: [VIM] Secunia has now put ALL vulnerability info behind login?
In-Reply-To: <53F95232.5040904@kenwilliams.us>
References: <53F95232.5040904@kenwilliams.us>
Message-ID: <53F95E94.301@redhat.com>

On 23/08/14 08:47 PM, ken wrote:
>
> I feel a need to clarify my previous email ...
>
> 1) All direct links to Secunia vuln db entries are effectively
> dead ends now ... unless the link clicker is a student, press,
> private person, hobby/non-commercial security researcher and gets
> "community" (free) access, OR is a non-profit organization, private
> company, or public authority/entity who has paid the annual fee[1]
> for the VIM product. I imagine most people reading this email fall
> into the latter group, do not have access, and will need to pay for
> access.

Correct, this is a significant concern. Will Mitre remove the links? Seems like the safest thing to do. Otherwise Mitre is implicitly endorsing the Secunia EULA.
> 2) Vendors can apparently no longer review the Secunia vuln db so
> they can submit updates and corrections (unless the vendor has
> purchased the VIM product?). Will this result in Secunia vuln db
> info becoming less accurate and up-to-date?

This is a concern to me. I suspect I can't (and won't) agree to the EULA, it's too dangerous legally.

Story time: when I contracted for iDefense and iSIGHT partners almost nobody would reply to my emails asking for more information. As soon as I moved to Red Hat, bam, 100% reply rate, usually in <24 hours. If you don't play nice with the community, chances are the community won't play nice with you.

> 3) If you maintain a public or private vulnerability database, or
> vulnerability website, you will no longer be able to effectively
> reference or cross-reference the Secunia vuln db, unless you pay
> for access. How will this impact OSVDB, NVD, CVE, IAVM,
> PacketStorm, etc?

That is a huge concern, luckily for Red Hat we try hard to play very nice with the community, and we make our information very public (the BZ's get unlocked, the RHSA's have the packages listed, basically everything except reproducer code from us is public, and even then we've had exceptions like heartbleed).

> Regards, Ken

--
Kurt Seifried - Red Hat - Product Security Team (PST)
PGP A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993