Date: Tue, 18 Aug 2015 21:46:08 -0400 (EDT) From: cve-assign@...re.org To: sreepriya1111@...il.com Cc: cve-assign@...re.org, oss-security@...ts.openwall.com Subject: Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 > There are a few Stored XSS ... vulnerabilities in the software. > Issue: https://github.com/atutor/ATutor/issues/103 Use CVE-2015-6521 for all of these XSS issues. We think they don't overlap CVE-2010-0971. > There are ... file upload vulnerabilities in the software. > Issue: https://github.com/atutor/ATutor/issues/103 > > 2) File Upload in course > There are illegal file extensions mentioned where all the executable > files are checked. But a file without any extension is accepted. This > could be a binary executable file. > > Against file upload: Use a white list of extensions that are allowed > to be uploaded rather than extensions that are not allowed (black > list). We don't think this is a type of issue for which a CVE ID is typically assigned. See also the second-to-last part of the http://www.openwall.com/lists/oss-security/2015/08/06/6 post. For web applications, file upload is often of interest because the attacker can upload a file with an extension recognized by a web server as an executable file, e.g., an extension listed on an AddHandler line in an Apache HTTP Server configuration. We're not sure whether there are any web servers that, in their default configuration, have an AddHandler equivalent for all extensionless files. Although a web application might want to block uploads of any file that has a native executable-file format recognized by the underlying operating system, we don't think this is a commonly recommended feature, and we don't believe we should be assigning CVE IDs to every web application that omits this feature. (We're not disputing that the feature could sometimes be useful. Most web applications aren't intended to receive native executables through an upload mechanism, and there might be attack methodologies that rely on these uploads, e.g., uploading something like Staog -- https://en.wikipedia.org/wiki/Staog -- to a Linux machine with a filename of Staog and no extension.) If there is something about a web application that makes native executables especially dangerous (e.g., local users are somehow encouraged to open all non-PHP files uploaded by web visitors) or if a vendor was actually trying to block all native executables but the code was wrong, then a CVE ID could exist. - -- CVE assignment team, MITRE CVE Numbering Authority M/S M300 202 Burlington Road, Bedford, MA 01730 USA [ PGP key available through http://cve.mitre.org/cve/request_id.html ] -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iQEcBAEBCAAGBQJV097NAAoJEKllVAevmvmsC5IH/2Pr//NPyWiWIpZghzARBhcf xtVlAg40ENtz1Bi89soNQeBnoDYiJww22ZNyAWs6C4Tx3mwCSH0QZaWEpOWWqZ8q ewxth6fUMmWC+c21DN5DrANxWa/kufXURRS7HHzrnMp8XozhBLUfDnh2cqGdGMSN 93vyoZi1bzkK+rtaCwII89Io31xMDWF3Bz8MUbFc5xKAWhHdFOSNnuAhEHbi5UGb R69HmoPY6bBO/i25oKnO/RSmYj46PcHALN37IESCfcxPXZiOOwWVpibEcdFOhE4R IKXtyThPD4TrlUsba4hwXDt8IhCJaNy4V7YjqvQab4ZS832ERqNt0taf1Hu5B7c= =/WDp -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Powered by Openwall GNU/*/Linux - Powered by OpenVZ