Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 20 Mar 2012 08:53:18 +0000
From: Luc ABRIC <luc.abric@...ida.fr>
To: "'Kurt Seifried'" <kseifried@...hat.com>,
        "oss-security@...ts.openwall.com"
	<oss-security@...ts.openwall.com>
CC: Yann MICHARD <yann.michard@...ida.fr>,
        Karim SLAMANI
	<karim.slamani@...ida.fr>,
        Valérian PERRET
	<valerian.perret@...ida.fr>,
        "'jkn@...no'" <jkn@...no>
Subject: RE: CVE request: eZ Publish: insecure direct object
 reference

Hi,

Now that a CVE ID has been attributed, what am I supposed to do with the details of the vulnerability?

Should I post them to vendor-sec? We don't want the details to leak to the public before the fix is fully rolled out, but we'd like to start working on the content of the CVE (make sur you have all needed information, etc.).

Also, should I continue posting to oss-sec, or mailing you (Kurt) is enough?

Regards,
Luc.

-----Message d'origine-----
De : Kurt Seifried [mailto:kseifried@...hat.com] 
Envoyé : lundi 19 mars 2012 20:12
À : oss-security@...ts.openwall.com
Cc : Luc ABRIC; Yann MICHARD; Karim SLAMANI; Valérian PERRET; 'jkn@...no'
Objet : Re: [oss-security] CVE request: eZ Publish: insecure direct object reference

On 03/19/2012 03:06 AM, Luc ABRIC wrote:
> Hi,
> 
> My initial CVE ID request was dropped because it was missing some details. Here comes a re-submission.
> 
> After posting to oss-security I was asked a few questions by Kurt Seifried from Redhat SRT while the vendor was contacted by Secunia asking for pretty much the same informations. Secunia then decided it wasn't their role to handle this vulnerability.
> I don't know if that's part of the process but I feel like you should know to avoid any duplicated work.
> 
> 1) Email address of requester
> yann.michard@...ida.fr, luc.abric@...ida.fr & jkn@...no.
> Yann MICHARD discovered the vulnerability, so all the credits goes to him.
> 
> 2) Software name and optionally vendor name
> Vendor: Ez
> Product name: Ez Publish
> Editions: both Enterprise & Community
> 
> 3) At least one of (to determine is this a security issue):
>   1. Type of vulnerability
> OWASP A4: Insecure direct object reference
> 
>   2. Exploitation vectors
> Access to the vulnerable website (no need for any credentials)
> 
>   3. Attack outcome
> A browser is enough to execute the attack.
> 
> 4) For Open Source at least one of:
>   1. Link to vulnerable source code or fix Not available yet.
> 
>   2. Link to source code change log
> Not available yet.
> 
>   3. Link to security advisory
> Not available yet.
> 
>   4. Link to bug entry
> http://issues.ez.no/19238
> The vendor does not want to release more details until a fix is pushed to the clients
> 
>   5. Request comes from project member (a.k.a. "trust me, it's a problem") Jostein Knudsen <jkn@...no> from Ez can confirm the vulnerability.
> 
> 5) Affected version(s) (3.2.4, 3.x, current version, all current releases, something) The whole 4.x serie it seems (4.1 to 4.6 from the bug entry).
> 
> 6) Whether or not this has been previously requested (i.e. on OSS-Sec or to cve-assign) Well yeah but it seems that the request didn't have enough information.
> 
> 7) Is this an Open Source or commercial software request Both, the affected software has 2 editions, one open-source, one commercial.
> 
> 8) Is this an embargoed issue (if yes and commercial: send to cve-assign, if yes and open source: send to vs-sec?) Not really sure what you mean by embargoed.
> The French government asked us not do disclose any details until a fix is available AND installed on their systems because it affects some high profile websites.
> We didn't plan on releasing any details before the fix anyway.
> 
> 9) IF multiple issues are listed please list affected versions for each issue and/or who reported them (so we can determine CVE split/merge).
> It's the first issue we're publishing regarding this application.

Perfect, this way if it comes up again there is enough info that
hopefully someone will match it up =).

Please use CVE-2012-1565 for this issue

> 
> Regards,
> Luc ABRIC
> IT Security Expert
> 
> 6 avenue du Vieil Etang - Bâtiment B
> 78180 Montigny-le-Bretonneux
> Phone: +33 (0)1 30 14 19 00
> Fax:       +33 (0)1 30 14 19 09
> Mobile: +33 (0)6 26 87 62 14
> luc.abric@...ida.fr
> 
> www.oppida.fr
> 
> 


-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.