Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon,  4 May 2015 02:14:30 -0400 (EDT)
From: cve-assign@...re.org
To: mattd@...fuzz.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE requests / Advisory: phpMyBackupPro

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> http://openwall.com/lists/oss-security/2015/04/25/1

This post was, for the purpose of CVE mapping, somewhat complex, but
we currently feel that it needs at least 5 CVE IDs, and maybe 6.

> Issue #1: SQL injection in multi-user mode

Use CVE-2015-3637. Affected versions are "before 2.5."


Issue #2 and Issue #4 begin by describing essentially the same type of
problem. The user is supposed to be providing an integer value that
can be used within a .php file, but the unpatched product let the user
specify arbitrary PHP code instead of an integer. For this problem,
with affected versions of "before 2.5," use CVE-2015-3638.

The remaining errors in version 2.5 seem to have two distinct types,
at least from the perspective of the advisory (we did not
independently study the complete code).

For the Issue #2 section, apparently the 2.5 code was attempting to
safely include untrusted input inside of a string literal, but a wrong
approach was used. Use CVE-2015-3639 for this problem.

For the Issue #4 section, apparently the 2.5 code was attempting to
identify specific characters that may be special to PHP (or may be
special to a shell) but did not achieve a complete solution. (For
example, the ';' character was blocked in 2.5, but the '.' character
was not blocked.) Use CVE-2015-3640 for this problem.

The final concern is Issue #3. We believe it's valuable to search for
duplicate CVEs, but there was no comment about whether CVE-2009-4050
is the same issue. If that 2009 issue was fixed and then reintroduced
between versions 2.1 and 2.5, then there can be two new CVE IDs for
the 2015 report.

If that 2009 issue was never fixed, then there was a duplicate
discovery. We believe that CVE-2009-4050 applies to the larger
problem: an attacker could use any number of "../" sequences after the
"get_file.php?view=" part of the URI, including zero "../" sequences.
There would then be one additional CVE ID for the behavior in 2.5,
because that behavior represents an incomplete fix for CVE-2009-4050.

By default, we would use the second interpretation for Issue #3. In
other words, unless someone can establish that CVE-2009-4050 was fixed
in 2.2, 2.3, or 2.4, we'll conclude that Issue #3 is a duplicate
discovery, and we'll send the one ID for the "incomplete fix" CVE.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJVRw1yAAoJEKllVAevmvmsncYIAL0S3sT+Yp3tSStdGriLLlgF
qTAIhzrOS1zexRzTeqNBClmmEYPSRe1hZ05LsaELMGof2HgUFi9Yf9meHQpwcVJD
fRkmJ3lrg8KkqGC5/4+idvb/XlAqyZZRo8HpcH52zf6GCad4aYEe2mrEbE2qQZ72
g2IvOvnoQHLAs/4fQaqXcClOgzrFGGGKN9caHuZklVDL6yLzwOK0xeXgbJfTppwl
3zNwD/bMcnrUglz5nPhnPZfkWG/erJiVT81mfh0WhpJHn4BvhM0ESRNVtuWI9j7E
Ql0Nh0Ivm0FrBgACyaiQM0oGNuLSZWj13YUWoY1jhesaH49gM2b8RnRpyCEWsE8=
=kMZ4
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ