Date: Tue, 01 May 2012 12:29:42 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Henri Salo <henri@...v.fi>, Hanno Böck <hanno@...eck.de> Subject: Re: CVE-request: SilverStripe before 2.4.4 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 04/30/2012 01:56 PM, Kurt Seifried wrote: > On 04/30/2012 12:47 AM, Henri Salo wrote: >> Can I get 2011 CVE-identifiers for SilverStripe issues fixed in >> 2.4.4: > >> http://www.silverstripe.org/security-releases/ > >> SQL information disclosure, SQL injection in Translatable >> extension, Cross Site Request Forgery in various CMS interfaces, >> XSS in controller action handling > >> Requested originally in http://seclists.org/oss-sec/2011/q1/12 >> but never got assigned. I can collect information about other >> versions too and request missing CVE-identifiers, but that will >> take some time. > >> - Henri Salo > > Ok went through the list a bit, the latest one already exists, > assigned the 2011's: > > ======================================== > > 31 January 2012 SilverStripe v2.4.7 - XSS in text transformations > on templates and page title saving in CMS (details) SilverStripe > v2.3.13 - See 2.4.7 (details) (already assigned) CVE-2012-0976 > Cross-site scripting (XSS) vulnerability in admin/EditForm in > SilverStripe 2.4.6 allows remote authenticated users with Content > Authors privileges to inject arbitrary web script or HTML via the > Title parameter. NOTE: some of these details are obtained from > third party information. > > ======================================== > > 18 October 2011 SilverStripe v2.4.6 - XSS in anchor links, possible > SQL injection with far eastern encodings, possible remote code > execution through page comments (details) SilverStripe v2.3.12 - > See 2.4.6 (details) > > CVE-2011-4958 Security: Cross-site scripting on anchor links > > CVE-2011-4959 Security: Possible SQL injection for MySQL when > using far east character encodings > > CVE-2011-4960 Security: SQL injection in Folder::findOrMake() > parameter (used mostly in author-only CMS through Upload::load()) > > CVE-2011-4961 Security: Privilege escalation from EDIT_PERMISSIONS > to ADMIN for users access to the CMS (through > Member->getCMSFields() and TreeMultiselectField) > > CVE-2011-4962 Security: Potential remote code execution through > serialization of page comment user submissions > > ======================================== > > I'll assign the 2010's when I get some more 2010 CVE's. > And the 2010's ======================================== 21 December 2010 SilverStripe v2.4.4 - SQL information disclosure, SQL injection in Translatable extension, Cross Site Request Forgery in various CMS interfaces, XSS in controller action handling (details) CVE-2010-4822 Security: SQL information disclosure in MySQLDatabase CVE-2010-4823 Security: XSS in controller handling for missing actions CVE-2010-4824 Security: SQL injection with Translatable extension enabled CVE-2010-5078 Security: Version number information disclosure CVE-2010-5079 Security: Weak entropy in tokens for CSRF protection, autologin, "forgot password" emails and password salts CVE-2010-5080 Security: HTTP referer leakage on Security/changepassword CVE-2010-5087 Security: CSRF protection bypassed when handling form action requests through controller SilverStripe v2.3.10 - SQL injection in Translatable extension, Cross Site Request Forgery in various CMS interfaces, XSS in controller action handling (details) see above ======================================== 11 November 2010 SilverStripe v2.4.3 - Cross Site Request Forgery in various CMS interfaces and page comments, increased file extension upload security through whitelisting (details) CVE-2010-5088 Fixed a security issue where destructive controller actions are not correctly secured against Cross-Site Request Forgery (CSRF). This affects various CMS interfaces, as well as classes based on TableListField or ComplexTableField. SilverStripe v2.3.9 - Cross Site Request Forgery in various CMS interfaces and page comments (details) see above ======================================== 22 September 2010 SilverStripe v2.4.2 - Viewing unpublished content, privilege escalation of CMS editors with access to admin/security (details) CVE-2010-5089 Fixed a security issue where pages in draft mode might be visible to unauthenticated users CVE-2010-5090 Fixed a security issue where users with access to admin/security (but limited privileges) can take over a known administrator account by changing its password ======================================== 23 July 2010 SilverStripe v2.4.1 - File extension checks, installer security, information disclosure through PHP file execution, passwords not encrypted in certain UI actions (details) CVE-2010-5091 Fixed a security issue where logged-in CMS authors were allowed to rename files with harmful extensions in the "Files & Images" section CVE-2010-5092 Fixed password encryption when saving members through the "Add Member" dialog in the "Security" admin. The saving process was disregarding password encyrption and saving them as plaintext (issue was introduced in 2.4.0) SilverStripe v2.3.8 - File extension checks, information disclosure through PHP file execution (details) see above ======================================== 18 March 2010 SilverStripe v2.3.7 - CVE-2010-5093 Privilege escalation exploit CVE-2010-5094 unauthenticated remote removal of index.php under certain conditions ======================================== 8 February 2010 CVE-2010-5095 SilverStripe v2.3.6 - Escaping exploit ======================================== 21 January 2010 SilverStripe v2.3.5 - Escaping exploit Forum 0.2.5 - Addresses an escaping issue (already assigned) CVE-2010-1593 Multiple cross-site scripting (XSS) vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (1) the CommenterURL parameter to PostCommentForm, and in the Forum module before 0.2.5 in SilverStripe before 2.3.5 allow remote attackers to inject arbitrary web script or HTML via (2) the Search parameter to forums/search (aka the search script). ======================================== - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQIcBAEBAgAGBQJPoCuWAAoJEBYNRVNeJnmTTVsP/3UNQxDI2KtrKk9mWE82jbOB t6PL0LTnROVb4qMRvBPUWnAOWaISHOKiiFg8BlMgdCO5cX1niWAkabb3QL2EA9nb HhtUxj+NQ6ofycWVz99juMB99mU50PzhChJV7rzsyOG66DHr31WoMPAEKBhE8lp8 lg9KyjKGPK8PkmYWx+Ul4MNbyW1KEYnwhJZ4y0bOipZW+FyCO02OLtEVwAHkuiYX zKJfmGQOp9p2wIGXf3/XhBp7qR/KT5exAFhBat7wtw/MXvKq2mso5V0nEg5SgBAK alLTf8BxHO58W2kvDBPChoQdt9iOZuEstDrmi4F6+zAk4QgH6WcP/rvOJ4BqBxf/ iKEI+naCLN5xpts5tlVsfH1x7QUCobZtW37I3zIA31Vrot7lotATHmt9SNnatNrC 74ppHtCuC2eRQ9CtdB97nEWou8D0rf0BnKFI/rT31ZP2rY0EV3S+8meEvZIA+b3c QWdQNrz0ZK/2viSuv1G8ZJ/GXaEajNd9GAEuRzJvHzOF5IfRnZDoOGgzwtanKy7L yvqLzy6D9JAmI9IIQ3dnCPYCgTOcrPLmFDe69MTgDEW9bYxZvRsVge+nlgD5o7e6 AyztxYtXIMRltde5gxDg0/Wga87xzih2p/9BJW82+c6qvTj1CjBgzSZkHyv4VDsC E6m4dv/Lq8i3LNuanGA6 =rnGv -----END PGP SIGNATURE-----
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.