Date: Mon, 4 May 2015 02:14:30 -0400 (EDT) From: cve-assign@...re.org To: mattd@...fuzz.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE requests / Advisory: phpMyBackupPro -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > http://openwall.com/lists/oss-security/2015/04/25/1 This post was, for the purpose of CVE mapping, somewhat complex, but we currently feel that it needs at least 5 CVE IDs, and maybe 6. > Issue #1: SQL injection in multi-user mode Use CVE-2015-3637. Affected versions are "before 2.5." Issue #2 and Issue #4 begin by describing essentially the same type of problem. The user is supposed to be providing an integer value that can be used within a .php file, but the unpatched product let the user specify arbitrary PHP code instead of an integer. For this problem, with affected versions of "before 2.5," use CVE-2015-3638. The remaining errors in version 2.5 seem to have two distinct types, at least from the perspective of the advisory (we did not independently study the complete code). For the Issue #2 section, apparently the 2.5 code was attempting to safely include untrusted input inside of a string literal, but a wrong approach was used. Use CVE-2015-3639 for this problem. For the Issue #4 section, apparently the 2.5 code was attempting to identify specific characters that may be special to PHP (or may be special to a shell) but did not achieve a complete solution. (For example, the ';' character was blocked in 2.5, but the '.' character was not blocked.) Use CVE-2015-3640 for this problem. The final concern is Issue #3. We believe it's valuable to search for duplicate CVEs, but there was no comment about whether CVE-2009-4050 is the same issue. If that 2009 issue was fixed and then reintroduced between versions 2.1 and 2.5, then there can be two new CVE IDs for the 2015 report. If that 2009 issue was never fixed, then there was a duplicate discovery. We believe that CVE-2009-4050 applies to the larger problem: an attacker could use any number of "../" sequences after the "get_file.php?view=" part of the URI, including zero "../" sequences. There would then be one additional CVE ID for the behavior in 2.5, because that behavior represents an incomplete fix for CVE-2009-4050. By default, we would use the second interpretation for Issue #3. In other words, unless someone can establish that CVE-2009-4050 was fixed in 2.2, 2.3, or 2.4, we'll conclude that Issue #3 is a duplicate discovery, and we'll send the one ID for the "incomplete fix" CVE. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.14 (SunOS) iQEcBAEBAgAGBQJVRw1yAAoJEKllVAevmvmsncYIAL0S3sT+Yp3tSStdGriLLlgF qTAIhzrOS1zexRzTeqNBClmmEYPSRe1hZ05LsaELMGof2HgUFi9Yf9meHQpwcVJD fRkmJ3lrg8KkqGC5/4+idvb/XlAqyZZRo8HpcH52zf6GCad4aYEe2mrEbE2qQZ72 g2IvOvnoQHLAs/4fQaqXcClOgzrFGGGKN9caHuZklVDL6yLzwOK0xeXgbJfTppwl 3zNwD/bMcnrUglz5nPhnPZfkWG/erJiVT81mfh0WhpJHn4BvhM0ESRNVtuWI9j7E Ql0Nh0Ivm0FrBgACyaiQM0oGNuLSZWj13YUWoY1jhesaH49gM2b8RnRpyCEWsE8= =kMZ4 -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ