Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Tue, 18 Aug 2015 21:46:08 -0400 (EDT)
From: cve-assign@...re.org
To: sreepriya1111@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

> There are a few Stored XSS ... vulnerabilities in the software.
> Issue: https://github.com/atutor/ATutor/issues/103

Use CVE-2015-6521 for all of these XSS issues. We think they don't
overlap CVE-2010-0971.


> There are ... file upload vulnerabilities in the software.
> Issue: https://github.com/atutor/ATutor/issues/103
> 
> 2) File Upload in course
> There are illegal file extensions mentioned where all the executable
> files are checked. But a file without any extension is accepted. This
> could be a binary executable file.
> 
> Against file upload: Use a white list of extensions that are allowed
> to be uploaded rather than extensions that are not allowed (black
> list).

We don't think this is a type of issue for which a CVE ID is typically
assigned. See also the second-to-last part of the
http://www.openwall.com/lists/oss-security/2015/08/06/6 post.

For web applications, file upload is often of interest because the
attacker can upload a file with an extension recognized by a web
server as an executable file, e.g., an extension listed on an
AddHandler line in an Apache HTTP Server configuration. We're not sure
whether there are any web servers that, in their default
configuration, have an AddHandler equivalent for all extensionless
files. Although a web application might want to block uploads of any
file that has a native executable-file format recognized by the
underlying operating system, we don't think this is a commonly
recommended feature, and we don't believe we should be assigning CVE
IDs to every web application that omits this feature. (We're not
disputing that the feature could sometimes be useful. Most web
applications aren't intended to receive native executables through an
upload mechanism, and there might be attack methodologies that rely on
these uploads, e.g., uploading something like Staog --
https://en.wikipedia.org/wiki/Staog -- to a Linux machine with a
filename of Staog and no extension.)

If there is something about a web application that makes native
executables especially dangerous (e.g., local users are somehow
encouraged to open all non-PHP files uploaded by web visitors) or if a
vendor was actually trying to block all native executables but the
code was wrong, then a CVE ID could exist.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQEcBAEBCAAGBQJV097NAAoJEKllVAevmvmsC5IH/2Pr//NPyWiWIpZghzARBhcf
xtVlAg40ENtz1Bi89soNQeBnoDYiJww22ZNyAWs6C4Tx3mwCSH0QZaWEpOWWqZ8q
ewxth6fUMmWC+c21DN5DrANxWa/kufXURRS7HHzrnMp8XozhBLUfDnh2cqGdGMSN
93vyoZi1bzkK+rtaCwII89Io31xMDWF3Bz8MUbFc5xKAWhHdFOSNnuAhEHbi5UGb
R69HmoPY6bBO/i25oKnO/RSmYj46PcHALN37IESCfcxPXZiOOwWVpibEcdFOhE4R
IKXtyThPD4TrlUsba4hwXDt8IhCJaNy4V7YjqvQab4ZS832ERqNt0taf1Hu5B7c=
=/WDp
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ