Date: Thu, 27 Feb 2014 08:07:21 -0500 (EST)
From: cve-assign@...re.org
To: d.cauquil@...dream.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE request: PLOGGER 1.0RC1 multiple vulnerabilities

> We found two vulnerabilities in PLOGGER version 1.0RC1, including:

> 1. Authenticated Arbitrary file upload vulnerability affecting PLOGGER
> version 1.0RC1
>
> This vulnerability allows an authenticated user to upload an arbitrary
> PHP file on the remote web server in an accessible path, by sending a
> specifically crafted zip file.

> session.post('http://' + HOST + "/plog-admin/plog-upload.php",

> ## Add true image file to block the race condition (mandatory not
> null)

Use CVE-2014-2223.

Can you explain the race condition? For example: without the true
image file, would the product extract the .php file but then delete it
very soon afterward?

> 2. CAPTCHA bypass vulnerability
>
> A theme called "Lucid" provided in PLOGGER version 1.0RC1 implements a
> weak CAPTCHA prone to a replay attack. By abusing this vulnerability,
> an unauthenticated user may be able to post a huge number of comments.

> The script generating the CAPTCHA image inserts a code in the current
> user session, but this value is not unset while processing the form,
> thus allowing an attacker to submit multiple times the form with
> always the same captcha and associated code.

> The vulnerable code is located in plog-comment.php, line 106.

Use CVE-2014-2224.
--
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
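
The replay condition described in item 2 of the message above, next to a single-use check, as an added example (not Plogger's code and not part of the original message). The session is a plain dict standing in for PHP's `$_SESSION`; the key name `captcha` and all function names are assumptions.

```python
import hmac
import secrets

# Constructed stand-in for a server-side session (PHP's $_SESSION).
# The key name "captcha" is an assumption, not taken from plog-comment.php.
KEY = "captcha"


def issue_captcha(session):
    """Image script: store a fresh code in the session and return it."""
    code = secrets.token_hex(3)
    session[KEY] = code
    return code


def _equal(a, b):
    # Constant-time comparison on bytes.
    return hmac.compare_digest(a.encode(), b.encode())


def check_replayable(session, submitted):
    """Behaviour described in the report: the stored code is compared but
    never unset, so one solved CAPTCHA stays valid for every later POST."""
    expected = session.get(KEY)
    return expected is not None and _equal(expected, submitted)


def check_single_use(session, submitted):
    """Hardened form: the code is removed from the session before the
    comparison, so it is consumed whether the answer is right or wrong."""
    expected = session.pop(KEY, None)
    if expected is None or not submitted:
        return False
    return _equal(expected, submitted)


def accepted_posts(check, attempts=5):
    """Solve one CAPTCHA, then submit the same answer `attempts` times
    against the given check; return how many submissions were accepted."""
    session = {}
    answer = issue_captcha(session)
    return sum(1 for _ in range(attempts) if check(session, answer))


if __name__ == "__main__":
    print("replayable check accepted:", accepted_posts(check_replayable))
    print("single-use check accepted:", accepted_posts(check_single_use))
```

With the single-use check, the form must fetch a new CAPTCHA image (which calls the issuing step again) before each submission.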