Date: Thu, 13 Mar 2014 15:40:02 -0400 (EDT)
From: cve-assign@...re.org
To: steve@...ve.org.uk
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-Request - pen issues

> webfile = "/tmp/webfile.html";

> 2> /tmp/penctl.cgi

Use CVE-2014-2387 for both issues involving files in the /tmp directory.

> 3. When a control-socket is configured (via "-C ip:port" added
> to the pen command line) a user who can connect to that port
> can

> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741370
>
> there is no documentation implying that using a control-socket is
> dangerous.

> pen.1
>
> -C \fIport\fR
> Specifies a control port where the load balancer listens for commands.

This seems to be an opportunity for security improvement, not a
vulnerability. It appears that the design goal was to listen for
commands in a way that could be acceptable on a server with
sufficiently restricted access, and not acceptable in arbitrary
environments. "port where the load balancer listens for commands"
seems sufficiently descriptive for a reasonable person to immediately
wonder who can send commands. Furthermore, the example in question:

  sudo pen 4444 localhost:9000 -C 127.0.0.1:5043

suggests that the person is aware that "a control port" means a TCP
port, not some other type of port with obvious permission-based
restrictions.

A CVE assignment could be made if there were an implementation error
(e.g., the user specifies listening on 127.0.0.1 but the code actually
listens on all interfaces). A CVE assignment might also be possible
for some types of design problems, but they'd need to be considerably
more surprising and the documentation would need to be considerably
more misleading.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
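The message draws the line at an implementation error: "-C 127.0.0.1:5043" should bind only the loopback address. The check below is an added example, not code from the thread or from the pen project, and it assumes `ss -ltn`-style output (State Recv-Q Send-Q Local:Port Peer:Port); it flags any listener on the control port that is not on a loopback address, which is what an administrator would verify after starting pen with -C.

```shell
#!/bin/sh
# Added example: verify that a pen control port bound with
# "-C 127.0.0.1:PORT" really listens on loopback only.
# Assumes the output format of `ss -ltn` (assumption, not from the thread).

# control_port_exposed PORT SS_OUTPUT
#   Prints every non-loopback listener on PORT.
#   Returns 0 if the port is loopback-only (or absent), 1 if exposed.
control_port_exposed() {
    port=$1
    ss_output=$2
    exposed=0
    # ss -ltn columns: State Recv-Q Send-Q Local Address:Port Peer Address:Port
    while read -r state recvq sendq local peer rest; do
        [ "$state" = "LISTEN" ] || continue          # skip header and other states
        lport=${local##*:}                           # text after the last colon
        laddr=${local%:*}                            # text before the last colon
        [ "$lport" = "$port" ] || continue
        case "$laddr" in
            127.*|'[::1]') ;;                        # loopback: what -C 127.0.0.1 promised
            *) echo "control port $port listens on $laddr"; exposed=1 ;;
        esac
    done <<EOF
$ss_output
EOF
    return $exposed
}

# Constructed sample listings (not captured from a real host).
# Expected case: pen on 4444 for everyone, control port 5043 on loopback only.
SAFE_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4444       0.0.0.0:*
LISTEN 0      128    127.0.0.1:5043     0.0.0.0:*'
# Implementation-error case the message describes: 127.0.0.1 requested,
# but the control port ended up on all interfaces.
EXPOSED_SAMPLE='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:4444       0.0.0.0:*
LISTEN 0      128    0.0.0.0:5043       0.0.0.0:*
LISTEN 0      128    [::]:5043          [::]:*'

# On a live host: control_port_exposed 5043 "$(ss -ltn)"
control_port_exposed 5043 "$SAFE_SAMPLE" && echo "5043: loopback only"
control_port_exposed 5043 "$EXPOSED_SAMPLE" || echo "5043: EXPOSED"
```

Run it after starting pen with -C; a non-zero return from the function is the implementation error the message says would merit a CVE, while a loopback-only result leaves only the documented design trade-off.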