Date: Mon, 19 Mar 2012 09:06:21 +0000
From: Luc ABRIC <luc.abric@...ida.fr>
To: "'oss-security@...ts.openwall.com'" <oss-security@...ts.openwall.com>
CC: Yann MICHARD <yann.michard@...ida.fr>,
        Karim SLAMANI <karim.slamani@...ida.fr>,
        Valérian PERRET <valerian.perret@...ida.fr>,
        "'jkn@...no'" <jkn@...no>
Subject: CVE request: eZ Publish: insecure direct object reference

Hi,

My initial CVE ID request was dropped because it was missing some details. Here comes a re-submission.

After posting to oss-security I was asked a few questions by Kurt Seifried from Redhat SRT while the vendor was contacted by Secunia asking for pretty much the same information. Secunia then decided it wasn't their role to handle this vulnerability.
I don't know if that's part of the process but I feel like you should know to avoid any duplicated work.

1) Email address of requester
yann.michard@...ida.fr, luc.abric@...ida.fr & jkn@...no.
Yann MICHARD discovered the vulnerability, so all the credit goes to him.

2) Software name and optionally vendor name
Vendor: Ez
Product name: Ez Publish
Editions: both Enterprise & Community

3) At least one of (to determine is this a security issue):
  1. Type of vulnerability
OWASP A4: Insecure direct object reference

  2. Exploitation vectors
Access to the vulnerable website (no need for any credentials)

  3. Attack outcome
A browser is enough to execute the attack.

4) For Open Source at least one of:
  1. Link to vulnerable source code or fix
Not available yet.

  2. Link to source code change log
Not available yet.

  3. Link to security advisory
Not available yet.

  4. Link to bug entry
http://issues.ez.no/19238
The vendor does not want to release more details until a fix is pushed to the clients

  5. Request comes from project member (a.k.a. "trust me, it's a problem")
Jostein Knudsen <jkn@...no> from Ez can confirm the vulnerability.

5) Affected version(s) (3.2.4, 3.x, current version, all current releases, something)
The whole 4.x series it seems (4.1 to 4.6 from the bug entry).

6) Whether or not this has been previously requested (i.e. on OSS-Sec or to cve-assign)
Well yeah but it seems that the request didn't have enough information.

7) Is this an Open Source or commercial software request
Both, the affected software has 2 editions, one open-source, one commercial.

8) Is this an embargoed issue (if yes and commercial: send to cve-assign, if yes and open source: send to vs-sec?)
Not really sure what you mean by embargoed.
The French government asked us not to disclose any details until a fix is available AND installed on their systems because it affects some high profile websites.
We didn't plan on releasing any details before the fix anyway.

9) IF multiple issues are listed please list affected versions for each issue and/or who reported them (so we can determine CVE split/merge).
It's the first issue we're publishing regarding this application.


Regards,
Luc ABRIC
IT Security Expert

6 avenue du Vieil Etang - Bâtiment B
78180 Montigny-le-Bretonneux
Phone: +33 (0)1 30 14 19 00
Fax:       +33 (0)1 30 14 19 09
Mobile: +33 (0)6 26 87 62 14
luc.abric@...ida.fr

www.oppida.fr

