Date: Tue, 01 May 2012 12:29:42 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, Hanno Böck <hanno@...eck.de>
Subject: Re: CVE-request: SilverStripe before 2.4.4

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 04/30/2012 01:56 PM, Kurt Seifried wrote:
> On 04/30/2012 12:47 AM, Henri Salo wrote:
>> Can I get 2011 CVE-identifiers for SilverStripe issues fixed in 
>> 2.4.4:
> 
>> http://www.silverstripe.org/security-releases/
> 
>> SQL information disclosure, SQL injection in Translatable 
>> extension, Cross Site Request Forgery in various CMS interfaces, 
>> XSS in controller action handling
> 
>> Requested originally in http://seclists.org/oss-sec/2011/q1/12
>> but never got assigned. I can collect information about other
>> versions too and request missing CVE-identifiers, but that will
>> take some time.
> 
>> - Henri Salo
> 
> Ok went through the list a bit, the latest one already exists, 
> assigned the 2011's:
> 
> ========================================
> 
> 31 January 2012 SilverStripe v2.4.7 - XSS in text transformations
> on templates and page title saving in CMS (details) SilverStripe
> v2.3.13 - See 2.4.7 (details) (already assigned) CVE-2012-0976
> Cross-site scripting (XSS) vulnerability in admin/EditForm in
> SilverStripe 2.4.6 allows remote authenticated users with Content
> Authors privileges to inject arbitrary web script or HTML via the
> Title parameter. NOTE: some of these details are obtained from
> third party information.
> 
> ========================================
> 
> 18 October 2011 SilverStripe v2.4.6 - XSS in anchor links, possible
> SQL injection with far eastern encodings, possible remote code
> execution through page comments (details) SilverStripe v2.3.12 -
> See 2.4.6 (details)
> 
> CVE-2011-4958 Security: Cross-site scripting on anchor links
> 
> CVE-2011-4959 Security: Possible SQL injection for MySQL when
> using far east character encodings
> 
> CVE-2011-4960 Security: SQL injection in Folder::findOrMake() 
> parameter (used mostly in author-only CMS through Upload::load())
> 
> CVE-2011-4961 Security: Privilege escalation from EDIT_PERMISSIONS
> to ADMIN for users access to the CMS (through
> Member->getCMSFields() and TreeMultiselectField)
> 
> CVE-2011-4962 Security: Potential remote code execution through 
> serialization of page comment user submissions
> 
> ========================================
> 
> I'll assign the 2010's when I get some more 2010 CVE's.
> 

And the 2010's

========================================
21 December 2010
SilverStripe v2.4.4 - SQL information disclosure, SQL injection in
Translatable extension, Cross Site Request Forgery in various CMS
interfaces, XSS in controller action handling (details)
CVE-2010-4822 Security: SQL information disclosure in MySQLDatabase
CVE-2010-4823 Security: XSS in controller handling for missing actions
CVE-2010-4824 Security: SQL injection with Translatable extension enabled
CVE-2010-5078 Security: Version number information disclosure
CVE-2010-5079 Security: Weak entropy in tokens for CSRF protection,
autologin, "forgot password" emails and password salts
CVE-2010-5080 Security: HTTP referer leakage on Security/changepassword
CVE-2010-5087 Security: CSRF protection bypassed when handling form
action requests through controller

SilverStripe v2.3.10 - SQL injection in Translatable extension, Cross
Site Request Forgery in various CMS interfaces, XSS in controller
action handling (details)
see above
========================================
11 November 2010
SilverStripe v2.4.3 - Cross Site Request Forgery in various CMS
interfaces and page comments, increased file extension upload security
through whitelisting (details)
CVE-2010-5088 Fixed a security issue where destructive controller
actions are not correctly secured against Cross-Site Request Forgery
(CSRF). This affects various CMS interfaces, as well as classes based
on TableListField or ComplexTableField.

SilverStripe v2.3.9 - Cross Site Request Forgery in various CMS
interfaces and page comments (details)
see above
========================================
22 September 2010
SilverStripe v2.4.2 - Viewing unpublished content, privilege
escalation of CMS editors with access to admin/security (details)
CVE-2010-5089 Fixed a security issue where pages in draft mode might
be visible to unauthenticated users
CVE-2010-5090 Fixed a security issue where users with access to
admin/security (but limited privileges) can take over a known
administrator account by changing its password
========================================
23 July 2010
SilverStripe v2.4.1 - File extension checks, installer security,
information disclosure through PHP file execution, passwords not
encrypted in certain UI actions (details)
CVE-2010-5091 Fixed a security issue where logged-in CMS authors were
allowed to rename files with harmful extensions in the "Files &
Images" section
CVE-2010-5092 Fixed password encryption when saving members through
the "Add Member" dialog in the "Security" admin. The saving process
was disregarding password encryption and saving them as plaintext
(issue was introduced in 2.4.0)
SilverStripe v2.3.8 - File extension checks, information disclosure
through PHP file execution (details)
see above
========================================
18 March 2010
SilverStripe v2.3.7 -
CVE-2010-5093 Privilege escalation exploit
CVE-2010-5094 unauthenticated remote removal of index.php under
certain conditions
========================================
8 February 2010
CVE-2010-5095 SilverStripe v2.3.6 - Escaping exploit
========================================
21 January 2010
SilverStripe v2.3.5 - Escaping exploit
Forum 0.2.5 - Addresses an escaping issue
(already assigned) CVE-2010-1593 Multiple cross-site scripting (XSS)
vulnerabilities in SilverStripe before 2.3.5 allow remote attackers to
inject arbitrary web script or HTML via (1) the CommenterURL parameter
to PostCommentForm, and in the Forum module before 0.2.5 in
SilverStripe before 2.3.5 allow remote attackers to inject arbitrary
web script or HTML via (2) the Search parameter to forums/search (aka
the search script).
========================================

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJPoCuWAAoJEBYNRVNeJnmTTVsP/3UNQxDI2KtrKk9mWE82jbOB
t6PL0LTnROVb4qMRvBPUWnAOWaISHOKiiFg8BlMgdCO5cX1niWAkabb3QL2EA9nb
HhtUxj+NQ6ofycWVz99juMB99mU50PzhChJV7rzsyOG66DHr31WoMPAEKBhE8lp8
lg9KyjKGPK8PkmYWx+Ul4MNbyW1KEYnwhJZ4y0bOipZW+FyCO02OLtEVwAHkuiYX
zKJfmGQOp9p2wIGXf3/XhBp7qR/KT5exAFhBat7wtw/MXvKq2mso5V0nEg5SgBAK
alLTf8BxHO58W2kvDBPChoQdt9iOZuEstDrmi4F6+zAk4QgH6WcP/rvOJ4BqBxf/
iKEI+naCLN5xpts5tlVsfH1x7QUCobZtW37I3zIA31Vrot7lotATHmt9SNnatNrC
74ppHtCuC2eRQ9CtdB97nEWou8D0rf0BnKFI/rT31ZP2rY0EV3S+8meEvZIA+b3c
QWdQNrz0ZK/2viSuv1G8ZJ/GXaEajNd9GAEuRzJvHzOF5IfRnZDoOGgzwtanKy7L
yvqLzy6D9JAmI9IIQ3dnCPYCgTOcrPLmFDe69MTgDEW9bYxZvRsVge+nlgD5o7e6
AyztxYtXIMRltde5gxDg0/Wga87xzih2p/9BJW82+c6qvTj1CjBgzSZkHyv4VDsC
E6m4dv/Lq8i3LNuanGA6
=rnGv
-----END PGP SIGNATURE-----
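Editor's added example, not part of the message above and not SilverStripe's code: the bug class behind CVE-2011-4959 ("possible SQL injection for MySQL when using far east character encodings") is byte-wise quote escaping, in the style of PHP's addslashes(), applied to input that the database will later decode in a multibyte charset such as GBK. The backslash the escaper inserts can become the trail byte of a two-byte character, leaving the following quote unescaped. The `Member` table, the `Email` column, the payload and the tiny literal lexer are all constructed for this demonstration; the fix shown (decode strictly in the connection charset, escape the decoded text, re-encode) is a generic one, not a description of the vendor's patch.

```python
# Generic illustration of byte-wise escaping defeated by a multibyte charset.
# Not SilverStripe's code; table/column names and the payload are made up.

ESCAPED = {0x27, 0x22, 0x5C, 0x00}  # ' " \ NUL


def addslashes(data: bytes) -> bytes:
    """PHP addslashes() semantics: prefix ' " \\ and NUL with a backslash,
    one byte at a time, with no notion of multibyte character boundaries."""
    out = bytearray()
    for b in data:
        if b in ESCAPED:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_text(text: str) -> str:
    """The same escaping applied to decoded text, so a backslash can never
    land inside a multibyte character."""
    return "".join("\\" + ch if ord(ch) in ESCAPED else ch for ch in text)


def split_sql(sql: str):
    """Tiny lexer for single-quoted MySQL string literals with backslash
    escapes. Returns (text outside literals, list of literal values).
    Constructed for this demonstration; it is not MySQL's real parser."""
    outside, literals = [], []
    i, n = 0, len(sql)
    while i < n:
        if sql[i] != "'":
            outside.append(sql[i])
            i += 1
            continue
        j, buf = i + 1, []
        while j < n and sql[j] != "'":
            if sql[j] == "\\" and j + 1 < n:
                buf.append(sql[j + 1])
                j += 2
            else:
                buf.append(sql[j])
                j += 1
        literals.append("".join(buf))
        i = j + 1
    return "".join(outside), literals


def vulnerable_query(user_input: bytes) -> bytes:
    """Escape raw bytes, then splice them into the query (the pre-fix pattern)."""
    return b"SELECT * FROM Member WHERE Email = '" + addslashes(user_input) + b"'"


def fixed_query(user_input: bytes, charset: str) -> bytes:
    """Decode strictly in the connection charset first (a stray lead byte
    raises UnicodeDecodeError), escape the decoded text, then re-encode."""
    text = user_input.decode(charset)
    return ("SELECT * FROM Member WHERE Email = '" + escape_text(text) + "'").encode(charset)


def accepts(user_input: bytes, charset: str) -> bool:
    """True if fixed_query() would accept the input, False if it rejects it."""
    try:
        fixed_query(user_input, charset)
        return True
    except UnicodeDecodeError:
        return False


def sql_outside_literals(query: bytes, charset: str) -> str:
    """What the database interprets as SQL once it decodes the bytes."""
    return split_sql(query.decode(charset))[0]


# Constructed attacker input: 0xBF is a GBK lead byte with no trail byte, so
# the backslash addslashes() inserts before the quote becomes its trail byte.
PAYLOAD = b"\xbf' OR 1=1 -- "

if __name__ == "__main__":
    q = vulnerable_query(PAYLOAD)
    print("latin1 :", sql_outside_literals(q, "latin-1"))  # quote stays escaped
    print("gbk    :", sql_outside_literals(q, "gbk"))      # OR 1=1 escapes the literal
    print("fixed  : rejects malformed GBK:", not accepts(PAYLOAD, "gbk"))
    safe = fixed_query("你' OR 1=1 -- ".encode("gbk"), "gbk")
    print("fixed  :", sql_outside_literals(safe, "gbk"))
```

The same query bytes are harmless under a single-byte decoding and injectable under GBK, which is why escaping has to know the connection charset. In PHP that means mysql_real_escape_string() (or the mysqli/PDO equivalents) with the charset set on the connection, and preferably prepared statements, rather than addslashes().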
