-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Of course the bugs are serious, security is never a joking matter!

- -JP<classic comedian>

On Thu, 18 Oct 2007 16:01:35 -0400 Tim Brown <[EMAIL PROTECTED] dimension.org.uk> wrote:
>All,
>
>As a result of a short security audit of SiteBar, a number of security holes
>were found. The holes included code execution, a malicious redirect and
>multiple cases of Javascript injection.
>
>After liaising with the developers, the holes have been patched. Attached are
>the advisory and patch relating to these flaws.
>
>CVEs open already relating to this audit:
>
>* CVE-2006-3320 (Javascript injection) - previously reported by other parties
>but not resolved and so included for completeness
>
>* CVE-2007-5492 (code execution) - first reported in my attached advisory to
>the vendor, independently rediscovered by Robert Buchholz of Gentoo whilst
>auditing the differences between the patched and unpatched versions (3.3.8 vs
>3.3.9)
>
>* CVE-2007-5491 (file permissions issue) - apparently patched by the vendor at
>the same time as my issues were resolved and discovered by Robert Buchholz of
>Gentoo whilst auditing the differences between the patched and unpatched
>versions (3.3.8 vs 3.3.9)
>
>It is intended that CVE-2007-5492 will be updated to reference both code
>execution flaws I reported. All other issues in the advisory have been
>patched but no CVEs have yet been requested or assigned to the best of my
>knowledge.
>
>Tim
>--
>Tim Brown
><mailto:[EMAIL PROTECTED]>
><http://www.nth-dimension.org.uk/>
-----BEGIN PGP SIGNATURE-----
Note: This signature can be verified at https://www.hushtools.com/verify
Charset: UTF8
Version: Hush 2.5

wpwEAQECAAYFAkcYrpsACgkQqTTbVuUWvbK7bQP+IPvLoWZejlIbkRWrTujdw3L/c+bW
aQSRaMwrU7/rB8mpnXV1e7w86DGaTEoqQWgrU7+DzH79h5u3v03kuYfsJBNQQVSGrWrn
IJBOwuBkyuib0PLgSR/t79dhe7tjF9qrRAVm+Y1PhhxI1HnnAMylXoRq6BN3SmS6r8Tn
UNaT5RI=
=1sTp
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
