[Full-disclosure] Operation Bring Peace To Machines - Mission 1 (nmap2cpe)
Your sound card works perfectly. Enjoying yourself? It doesn't get any better than this! Ready to serve. Yes? My lord? What is it?

http://seclists.org/nmap-dev/2010/q3/278

Good luck!

/JA

Ref: http://www.wowwiki.com/Quotes_of_Warcraft_II

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Fwd: 0-DAY XSS of cforms II is now fixed after a year and four months (was Re: cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977)
Dear Kousuke,

First of all, let me clarify that the disclosure process has been entirely coordinated by me, and thus, Wagner, Conviso and Check Point have no responsibilities over any mistake I eventually made.

Anyway, just to clarify your points:

> First, you must have reported to the developer, but in what way?

I sent to the developer a complete advisory, including the exploit code.

> Confusing the XSS vulnerability with PHP code execution vulnerability is so funny. I can't help feeling that you told it sloppily.

I never confused the vulnerabilities. And I never said the bug was patched... Maybe you should redirect this comment to Secunia instead?

> Second, why didn't you confirm the fix before publishing exploit?

I don't have any obligation in confirming a fix. Actually, the developer reply was:

"No one else ever complained about this problem and we have millions of users, so we are not fixing it"

Thus, I didn't even know there was a fix at any point in time. Probably you, for not having any information of what actually happened and because you totally mixed Secunia advisory with ours, decided to send such an email blaming us.

> And I'd like to ask ALL SECURITY RESEARCHERS (of course including Rodrigo and Wagner). For what do you research security? What is your security? To protect people from threat? Or throw people into crisis? Do you recognize effects of your halfway job like this case?

We have a responsibility with the users. If the user is not aware that a vulnerability exists and is ignored by the vendor, he will never have the power to decide. Informing and sharing information is the responsibility of the researchers. I always coordinated vulnerabilities I disclose, but in case the developer decides that millions of users never reported and thus, the issue is not really a problem, I just go ahead and publish so the users can decide what to do.

This is an open-source project, so any user that is security-aware could apply a patch themselves.

If you have further questions, I'm glad to help.

Best Regards,

Rodrigo.

On 2/17/12 3:37 AM, Wagner Elias wrote:

FYI

Wagner Elias, SANS GIAC, CobiTc, ITILc
CTO (Chief Technical Officer)
+55 41 3095-3986
+55 11 8141-3256
Blog: http://wagnerelias.com
Twitter: http://www.twitter.com/welias
Conviso Application Security - http://www.conviso.com.br

-- Forwarded message --
From: Kousuke Ebihara kous...@co3k.org
Date: Fri, Feb 17, 2012 at 2:31 AM
Subject: 0-DAY XSS of cforms II is now fixed after a year and four months (was Re: cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977)
To: Rodrigo Branco rbra...@checkpoint.com
Cc: full-disclosure@lists.grok.org.uk, bugt...@securityfocus.com, Wagner Elias wel...@conviso.com.br

I've reported the following XSS vulnerability in cforms II. This vulnerability has been fixed on February 14, 2012 by its developer.

WordPress cformsII Plugin rs Cross-Site Scripting Vulnerability - Secunia.com
http://secunia.com/advisories/47984/

You might see this is a normal XSS vulnerability, but this isn't. Because EXPLOIT CODE IS PUBLISHED AS 0-DAY ON Oct 30, 2010 in this list!

Are you puzzled? Actually, the above vulnerability is the same as CVE-2010-3977, which was brought by Rodrigo Branco and Wagner Elias. Secunia has published the related advisory on Nov 1, 2010: http://secunia.com/advisories/42006. According to Secunia, this vulnerability is fixed in v11.6.1. v11.6.1 was released on Sep 22, 2010.

So you might imagine the following story.

1. Rodrigo (or Wagner) reported this vulnerability to the developer
2. The developer released a new version to fix the XSS
3. Rodrigo (and/or Wagner) confirmed that fix
4. Rodrigo reports this vulnerability to this list

However, this is not the truth. The developer of cforms didn't fix this XSS at this point. So what has he fixed? See the following diff:

--- cforms-v11.5/lib_ajax.php 2009-09-18 10:29:06.0 +0900 +++ cforms-v11.6.1/lib_ajax.php 2010-09-22 07:41:54.0 +0900
@@ -627,16 +627,16 @@ ### always modified header (Cache-Control: no-cache, must-revalidate); ### HTTP/1.1 header (Pragma: no-cache); ### HTTP/1.0 - $func_name = $_GET[rs]; + $func_name = sajax_sanitize( $_GET[rs] ); if (! empty($_GET[rsargs])) - $args = $_GET[rsargs]; + $args =
[Full-disclosure] IETF I-D: Security and Interoperability Implications of Oversized IPv6 Header Chains
Folks,

FYI, we've published a new IETF I-D entitled Security and Interoperability Implications of Oversized IPv6 Header Chains.

The I-D is available at: http://tools.ietf.org/id/draft-gont-6man-oversized-header-chain-00.txt

Any feedback will be very welcome.

Thanks,
--
Fernando Gont
SI6 Networks
e-mail: fg...@si6networks.com
PGP Fingerprint: 31C6 D484 63B2 8FB1 E3C4 AE25 0D55 1D4E 7492
[Full-disclosure] Context IS Advisory - SAP AG Netweaver 7.02 Remote Code Execution
===ADVISORY===
Systems Affected: SAP AG Netweaver 7.02
Severity: High
Category: Remote Code Execution
Author: Nico Leidecker, Context Information Security Ltd
Reported to vendor: 29th September 2011
Advisory Issued: 17th February 2012
===ADVISORY===

Buffer Overflow In SAPHostControl

Description
---
The SAPHostControl Service was found to be vulnerable to remote code execution via a stack based buffer overflow. By sending a certain string to the service, attackers could cause a condition whereby they are able to inject and execute malicious code. This code will execute with Administrator privileges.

Analysis
---
The SAPHostControl service expects commands to be sent wrapped into SOAP messages. One of those messages has parameters which are insecurely handled. These parameter values are copied into a static buffer on the stack via sprintf without bounds checking. This leaves the service vulnerable to a buffer overflow which can lead to remote code execution.

Technologies Affected
---
SAP NetWeaver 7.02 (SAPHostControl Service)

Vendor Response
---
SAP released a patch for the issue, ref: 1638811.
https://service.sap.com/sap/support/notes/1638811

Disclosure Timeline
---
29th September 2011 - Vendor Disclosure
12th December 2011 - Patch Released
17th February 2012 - Advisory Issued (SAP requested 3 months delay between patch release and advisory being issued)

Credits
---
Nico Leidecker of Context Information Security Ltd

About Context Information Security
---
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners.

We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and to the independence, integrity and technical skills of our consultants. Context are ideally placed to work with clients worldwide with offices in the UK, Australia and Germany. The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations.

The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

Web: www.contextis.com
Email: disclos...@contextis.com
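The bug class in the advisory above, as an added example that is not Context's or SAP's code: a hypothetical SOAP parameter handler written in the pattern the advisory describes (fixed-size stack buffer, sprintf, no bounds check) beside a bounded version that rejects a value that does not fit. The buffer size, function names and the "host" parameter name are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the advisory or from SAP. The handler below
 * models the pattern the advisory describes: a request parameter formatted
 * into a fixed-size stack buffer. Buffer size and names are assumptions. */

#define PARAM_BUF 256   /* assumed size of the stack buffer */

/* Vulnerable pattern: sprintf has no idea how large 'out' is, so a request
 * parameter longer than the buffer overruns the caller's stack frame.
 * Kept only for contrast; never give it untrusted input. */
static void format_param_unsafe(char *out, const char *name, const char *value)
{
    sprintf(out, "%s=%s", name, value);
}

/* Bounded version: snprintf never writes more than out_len bytes, and its
 * return value (the length the full string would have had) tells the caller
 * whether the value was too long. A too-long value is rejected outright
 * instead of being silently truncated. Returns the formatted length, or -1. */
static int format_param_safe(char *out, size_t out_len,
                             const char *name, const char *value)
{
    if (out == NULL || out_len == 0 || name == NULL || value == NULL)
        return -1;
    int n = snprintf(out, out_len, "%s=%s", name, value);
    if (n < 0 || (size_t)n >= out_len) {
        out[0] = '\0';          /* do not leave a partial value behind */
        return -1;
    }
    return n;
}

/* Simulates a request whose "host" parameter is 'len' bytes of 'A' and
 * returns what the bounded formatter decides about it. */
static int handle_request_with_value_len(size_t len)
{
    char value[1024];
    char out[PARAM_BUF];
    if (len >= sizeof value)
        len = sizeof value - 1;
    memset(value, 'A', len);
    value[len] = '\0';
    return format_param_safe(out, sizeof out, "host", value);
}

int main(void)
{
    char out[PARAM_BUF];
    printf("short value: %d\n",
           format_param_safe(out, sizeof out, "host", "sap01"));
    printf("600-byte value: %d\n", handle_request_with_value_len(600));
    return 0;
}
```

The boundary that matters is the terminating NUL: a formatted string of exactly PARAM_BUF characters already needs PARAM_BUF + 1 bytes, which is why the check is `>=` and not `>`.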
[Full-disclosure] Pandora FMS v4.0.1 - Local File Include Vulnerability
Title:
==
Pandora FMS v4.0.1 - Local File Include Vulnerability

Date:
=
2012-02-17

References:
===
http://www.vulnerability-lab.com/get_content.php?id=435

VL-ID:
=
435

Introduction:
=
Pandora FMS is a monitoring Open Source software. It watches your systems and applications, and allows you to know the status of any element of those systems. Pandora FMS could detect a network interface down, a defacement in your website, a memory leak in one of your server applications, or the movement of any value of the NASDAQ new technology market.

* Detect new systems in network.
* Checks for availability or performance.
* Raise alerts when something goes wrong.
* Allow to get data inside systems with its own lite agents (for almost every Operating System).
* Allow to get data from outside, using only network probes. Including SNMP.
* Get SNMP Traps from generic network devices.
* Generate real time reports and graphics.
* SLA reporting.
* User defined graphical views.
* Store data for months, ready to be used on reporting.
* Real time graphs for every module.
* High availability for each component.
* Scalable and modular architecture.
* Supports up to 2500 modules per server.
* User defined alerts. Also could be used to react on incidents.
* Integrated incident manager.
* Integrated DB management: purge and DB compaction.
* Multiuser, multi profile, multi group.
* Event system with user validation for operation in teams.
* Granularity of accesses and user profiles for each group and each user.
* Profiles could be personalized using up to eight security attributes without limitation on groups or profiles.

Pandora FMS runs on any operating system, with specific agents for each platform, gathering data and sending it to a server. It has specific agents for GNU/Linux, AIX, Solaris, HP-UX, BSD/IPSO, and Windows 2000, XP and 2003.

(Copy of the Vendor Homepage: http://pandorafms.org/index.php?sec=projectsec2=homelang=en)

Abstract:
=
Vulnerability-Lab Team discovered a File Include Vulnerability on Pandoras FMS Monitoring Application v4.0.1

Report-Timeline:
2012-02-01: Vendor Notification
2012-02-17: Public or Non-Public Disclosure

Status:
Published

Affected Products:
==
Pandora FMS
Product: UTM Firewall Appliance Application v4.0.1

Exploitation-Technique:
===
Local

Severity:
=
High

Details:
A local File Include vulnerability is detected on Pandoras FMS Monitoring Application Service v4.0.1. The vulnerability allows an attacker to request local system or application files (example: module). Successful exploitation can result in dbms or service/appliance/application compromise via file include vulnerability.

Vulnerable Module(s):
[+] ServicesSec2=

Affected Version(s):
[+] Pandora FMS Monitoring v4.0.1

Picture(s):
../1.png
../2.png

Proof of Concept:
=
The vulnerability can be exploited by a remote attacker with a privileged user account. For demonstration or reproduce ...

http://[SERVER].[COM]/[PANDORA PATH]/[INDEX].[PHP]?sec=servicessec2=[FILE INCLUDE VULNERABILITY!]

Risk:
=
The security risk of the local path include vulnerability is estimated as high(-).

Credits:
Vulnerability Research Laboratory - Ucha Gobejishvili (longrifle0x)

Disclaimer:
===
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.

Copyright © 2012|Vulnerability-Lab

---
+ VIDEO ;)

Title:
==
Pandora FMS Monitoring - File Include Vulnerability VD

Date:
=
2012-02-17

References:
===
Download: http://www.vulnerability-lab.com/resources/videos/438.wmv
View:
[Full-disclosure] Facebook NYClubs - Multiple Web Vulnerabilities
Title:
==
Facebook NYClubs - Multiple Web Vulnerabilities

Date:
=
2012-02-17

References:
===
http://www.vulnerability-lab.com/get_content.php?id=440

VL-ID:
=
440

Introduction:
=
The application is currently included and viewable by all facebook users. The service is an external 3rd party application sponsored by the Facebook NYClubs Development Team.

(Copy from the Vendors Homepage: http://apps.facebook.com/nyclubs/)

Facebook is a social networking service and website launched in February 2004, operated and privately owned by Facebook, Inc. As of July 2011, Facebook has more than 750 million active users. Users may create a personal profile, add other users as friends, and exchange messages, including automatic notifications when they update their profile. Facebook users must register before using the site. Additionally, users may join common-interest user groups, organized by workplace, school or college, or other characteristics.

(Copy of the Vendor Website: http://en.wikipedia.org/wiki/Facebook)

Abstract:
=
Vulnerability-Lab researcher discovered multiple web vulnerabilities on the 3rd party web application - Facebook NYClubs (apps.facebook.com).

Report-Timeline:
2012-02-15: Vendor Notification
2012-02-16: Vendor Response/Feedback
2012-02-16: Developer Notification by Facebook Security
2012-02-17: Public or Non-Public Disclosure

Status:
Published

Exploitation-Technique:
===
Remote

Severity:
=
High

Details:
1.1
A remote SQL Injection Vulnerability is detected on the Facebook NYClubs application (apps.facebook). The vulnerability allows an attacker (remote) to inject/execute own sql statements on the affected fb application dbms. Successful exploitation can result in a stable application, service or dbms compromise.

Vulnerable Application(s):
[+] NYClubs - Facebook 3rd Party Application

Vulnerable Module(s):
[+] Messagebox

Affected Service(s):
[+] apps.facebook.com/nyclubs/

--- Exception/Error Logs ---
INSERT INTO reviews (club_id, ip, name, fbid, location, email, rating, content, active, approved) VALUES (652,`121.112.203.222 ` Sven R-m,11940496405,`x014...@gmail.com`,10,`` i-(Rated 9/10)

Picture(s):
../1.png

1.2
A client side Cross Site Scripting Vulnerability is detected on the Facebook NYClubs application (apps.facebook). The vulnerability allows an attacker (remote) to hijack sessions and manipulate client-side application requests with high required user interaction.

Vulnerable Module(s):
[+] ?r=sregiond=

Picture(s):
../2.png

Proof of Concept:
=
The vulnerabilities can be exploited with without high required user interaction. For demonstration or reproduce ...

1.1 Vulnerable: [MessageBox Input]
---
Include a frame to the local app website extract the error log

Tables: club_id, ip, name, fbid, location, email, rating, content, active, approved
IP: 121.112.203.222
NAME: Sven R-m
Mail: x014...@gmail.com
Limit: 10--
Type: Order by Injection

Reference(s): ../652.htm

1.2
http://apps.facebook.com/nyclubs/?r=sregiond=%3Ciframe%20src=http://vulnerability-lab.com %20width=750%20height=700%3E

Reference(s): ../NYClubs on Facebook.htm

Risk:
=
The security risk of the application sql injection vulnerability is estimated as high(+).

Credits:
Vulnerability Research Laboratory - N/A Anonymous

Disclaimer:
===
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose.
Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Any modified copy or reproduction, including partial usages, of this file requires authorization from Vulnerability-Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab or its suppliers.
[Full-disclosure] 0-DAY XSS of cforms II is now fixed after a year and four months (was Re: cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977)
I've reported the following XSS vulnerability in cforms II. This vulnerability has been fixed on February 14, 2012 by its developer.

WordPress cformsII Plugin rs Cross-Site Scripting Vulnerability - Secunia.com
http://secunia.com/advisories/47984/

You might see this is a normal XSS vulnerability, but this isn't. Because EXPLOIT CODE IS PUBLISHED AS 0-DAY ON Oct 30, 2010 in this list!

Are you puzzled? Actually, the above vulnerability is the same as CVE-2010-3977, which was brought by Rodrigo Branco and Wagner Elias. Secunia has published the related advisory on Nov 1, 2010: http://secunia.com/advisories/42006. According to Secunia, this vulnerability is fixed in v11.6.1. v11.6.1 was released on Sep 22, 2010.

So you might imagine the following story.

1. Rodrigo (or Wagner) reported this vulnerability to the developer
2. The developer released a new version to fix the XSS
3. Rodrigo (and/or Wagner) confirmed that fix
4. Rodrigo reports this vulnerability to this list

However, this is not the truth. The developer of cforms didn't fix this XSS at this point. So what has he fixed? See the following diff:

--- cforms-v11.5/lib_ajax.php 2009-09-18 10:29:06.0 +0900 +++ cforms-v11.6.1/lib_ajax.php 2010-09-22 07:41:54.0 +0900 @@ -627,16 +627,16 @@ ### always modified header (Cache-Control: no-cache, must-revalidate); ### HTTP/1.1 header (Pragma: no-cache); ### HTTP/1.0 - $func_name = $_GET[rs]; + $func_name = sajax_sanitize( $_GET[rs] ); if (! empty($_GET[rsargs])) - $args = $_GET[rsargs]; + $args = sajax_sanitize( $_GET[rsargs] ); else $args = array(); } else { - $func_name = $_POST[rs]; + $func_name = sajax_sanitize( $_POST[rs] ); if (! empty($_POST[rsargs])) - $args = $_POST[rsargs]; + $args = sajax_sanitize( $_POST[rsargs] ); else $args = array(); }
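Review bot: the hunk at @@ -627 does not address the reported cross-site scripting, because wrapping $_GET[rs], $_GET[rsargs] and their $_POST counterparts in sajax_sanitize() only rewrites the input string and never encodes the value for the HTML or JavaScript context in which it is later emitted. Since $func_name is the name of the server-side function the request asks to call, the robust change is to validate it against the fixed list of functions this endpoint actually exports and reject anything else, and to apply context-appropriate escaping (the file already carries sajax_esc() for JavaScript output, and htmlspecialchars() covers HTML) at the point where the value is written into the response rather than filtering it on the way in.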
@@ -651,6 +651,14 @@ exit; } + ### sanitize + function sajax_sanitize($t) { + //$t = preg_replace('/\s/', '', $t); + $t = str_replace('php', '', $t); + $t = str_replace('?', '', $t); + return $t; + } + ### javascript escape a value function sajax_esc($val) {

WTF!? This looks like a fix for a PHP code execution vulnerability, but there are no such vulnerabilities! Hey, Rodrigo and Wagner, do YOU see the above as a fix for XSS? Really?

So, the XSS was not fixed in v11.6.1. Of course the exploit code that was posted by Rodrigo was available on many sites until February 14, 2012.

XSS vulnerability in WordPress and its plugins is too dangerous because if an attacker gets full privileges of the admin user by that vulnerability, he can write and execute any PHP code by using the theme editing feature (if the target file is writable).

As you can see, what Rodrigo has done is throwing every cforms user into crisis and nothing more. Since the exploit code was published before the fix, there should be attackers who focus on this vulnerability. If so, many sites may be attacked by this vulnerability even if the admin never failed to apply security fixes.

Rodrigo and Wagner, I have some questions for you.

First, you must have reported to the developer, but in what way? Confusing the XSS vulnerability with a PHP code execution vulnerability is so funny. I can't help feeling that you told it sloppily.

Second, why didn't you confirm the fix before publishing the exploit?

And I'd like to ask ALL SECURITY RESEARCHERS (of course including Rodrigo and Wagner). For what do you research security? What is your security? To protect people from threat? Or throw people into crisis? Do you recognize the effects of your halfway job like this case?

Please reconsider this.

Thanks,
Kousuke

(10/10/31 0:13), Rodrigo Branco wrote:
> Dear List,
>
> I'm writing on behalf of the Check Point Vulnerability Discovery Team to publish the following vulnerability.
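Review bot: in the hunk at @@ -651, the new sajax_sanitize() is a deny-list of two literal substrings ('php' and '?'), which is not a cross-site scripting fix at all: the characters that are significant in an HTML or JavaScript context (angle brackets, quotes, ampersand) pass through untouched, and the function name is still taken verbatim from the request. The commented-out whitespace-stripping line also suggests the routine was written against a code-injection threat rather than the reflected XSS that was reported, so the two are being conflated. Suggest dropping the substring filter in favour of an allow-list check of $func_name against the registered sajax functions, and escaping any value that is reflected into the page with htmlspecialchars() or the existing sajax_esc() at output time, with a comment stating which output context each escape targets.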
> Check Point Software Technologies - Vulnerability Discovery Team (VDT)
> http://www.checkpoint.com/defense/
>
> cforms WordPress Plugin Cross Site Scripting Vulnerability
> CVE-2010-3977
>
> INTRODUCTION
>
> According to Delicious Days, cforms is a powerful and feature rich form plugin for WordPress, offering convenient deployment of multiple Ajax driven contact forms throughout your blog or even on the same page.
>
> This problem was confirmed in the following versions of the cforms WordPress Plugin; other versions may also be affected.
>
> cforms v11.5
>
> CVSS Scoring System
>
> The CVSS score is: 5.5
> Base Score: 6.7
> Temporal Score: 5.5
>
> We
Re: [Full-disclosure] Fwd: 0-DAY XSS of cforms II is now fixed after a year and four months (was Re: cforms WordPress Plugin Cross Site Scripting Vulnerability - CVE-2010-3977)
Dear Rodrigo,

Thanks for your response. And I had misunderstood about some points. At first, I apologize about that.

> I sent to the developer a complete advisory, including the exploit code.

Is that advisory the same as http://seclists.org/bugtraq/2010/Nov/21 ? --(A)

> Actually, the developer reply was:
>
> "No one else ever complained about this problem and we have millions of users, so we are not fixing it"

Oh, I think his response is not good. However, wait, are there no bad points in your advisory? The above (A) question is for confirming that point.

Indeed, his response to my first contact (and my vulnerability report) wasn't proper. (I think he read that roughly.) But he finally admitted the mistakes, by my response. After that, I see that his attitude has honesty. It shows that he is the developer of the software that is used by many users.

So I'm guessing he didn't understand about the vulnerability well. Did you explain about XSS (e.g. its threats)? I did it.

> I don't have any obligation in confirming a fix.

Is this not only mentioning of this case? Of course you don't have such an obligation. But I think you should confirm a fix as manners. At least some easy checks.

> I never said the bug was patched... Maybe you should redirect this comment to Secunia instead?

Oh, sorry, I've mistaken in this point. Sometimes, I wonder by wrong version information from some security organizations including Secunia. I think it is a good opportunity to complain about that so I will do that soon. Thanks for that advice.

> I never said the bug was patched...

Well, you've not said the vulnerability is patched, but also you've not explained that it is unpatched.

I agree with your saying:

> If the user is not aware that *snip* he will never have the power to decide. *snip* I just go ahead and publish so the users can decide what to do.

I think this is good thinking. For this reason, this case is very sorry.

As you know, an unpatched vulnerability is worse than a patched one. For example, the user needs to apply an additional patch for this XSS, not only updating. So, you had to make clear that the vulnerability is unpatched. Without it, your action is not that different to a black hat's action. (This might be out of line.) Coordinating vulnerabilities is a great job, so please don't spoil your work by yourself.

> This is an open-source project, so any user that is security-aware could apply a patch themselves.

Exactly, I've noticed this by your advisory. However, on the other hand, your advisory made it difficult for the user to know the right situation. If you had announced it carefully, the current situation would be better than now.

Of course the actions of Secunia were more harmful, and the developer was of course bad. But your actions look like a lack of some considerations, for example, you couldn't prevail on the developer to fix the XSS, and published the unclear advisory. My saying "halfway job" contains such actions.

Thanks,
Kousuke

P.S.
Just so there's no confusion, at this point, I appreciate you. Responding to me is one. A value of that response. And, an attitude like "If you have further questions, I'm glad to help.". So, my response is for your (and others') better workings. Please understand my wish.

In addition, I want to inform as many users as possible of this vulnerability of cforms. I could do it for Japanese users. But I think it is difficult for me for non-Japanese speakers ... can someone do it?

(12/02/17 20:49), Rodrigo Rubira Branco (BSDaemon) wrote:
> Dear Kousuke,
>
> First of all, let me clarify that the disclosure process has been entirely coordinated by me, and thus, Wagner, Conviso and Check Point have no responsibilities over any mistake I eventually made.
>
> Anyway, just to clarify your points:
>
>> First, you must have reported to the developer, but in what way?
>
> I sent to the developer a complete advisory, including the exploit code.
>
>> Confusing the XSS vulnerability with PHP code execution vulnerability is so funny. I can't help feeling that you told it sloppily.
>
> I never confused the vulnerabilities. And I never said the bug was patched... Maybe you should redirect this comment to Secunia instead?
>
>> Second, why didn't you confirm the fix before publishing exploit?
>
> I don't have any obligation in confirming a fix. Actually, the developer reply was:
>
> "No one else ever complained about this problem and we have millions of users, so we are not fixing it"
>
> Thus, I didn't even know there was a fix at any point in time. Probably you, for not having any information of what actually happened and because you totally mixed Secunia advisory with ours, decided to send such an email blaming us.
>
>> And I'd like to ask ALL SECURITY RESEARCHERS (of course including Rodrigo and Wagner). For what do you research security? What is your security? To protect people from threat? Or throw people into crisis? Do you recognize effects