Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Wed, 11 Jul 2012 12:42:25 -0400
From: Greg Knaddison <greg.knaddison@...uia.com>
To: "Steven M. Christey" <coley@...-smtp.mitre.org>
Cc: Kurt Seifried <kseifried@...hat.com>, Henri Salo <henri@...v.fi>, oss-security@...ts.openwall.com
Subject: Re: CVE Request for Drupal contributed modules

On Wed, Jun 27, 2012 at 1:36 PM, Steven M. Christey
<coley@...-smtp.mitre.org> wrote:
> (Greg and Kurt, the number of duplicates and unassigned CVEs in this batch
> is understandable due to various factors such as amount and assignments from
> mutiple sources, but it's disconcerting.  Maybe we should talk off-list and
> figure out how to minimize these problems in the future.)

Responded off-list.

>> CVE-2012-2709 SA-CONTRIB-2012-081 - Aberdeen - Cross Site Scripting
>
> This is a duplicate that might look like a typo at first.
>
> Around May 21, MITRE originally published CVE-2012-2907 (NOTE THE DIFFERENT
> NUMBER STARTING WITH "29" INSTEAD OF "27").
>
> CVE-2012-2907 is in more active use, so keep CVE-2012-2907.
>
> We will REJECT CVE-2012-2709.
>
> (Kurt, CVE-2012-2709 belongs to you.  If you actually intended to list the
> already-published CVE-2012-2907 and made a typo to CVE-2012-2709, please
> make sure you've removed CVE-2012-2709 from your pool.)

Advisory updated to reference CVE-2012-2907.

>> CVE-2012-2713 SA-CONTRIB-2012-085 - BrowserID - Multiple
>>     Vulnerabilities - CSRF
>> CVE-2012-2714 SA-CONTRIB-2012-085 - BrowserID - Multiple
>>     Vulnerabilities - BrowserID login theft
>
>
> The description in SA-CONTRIB-2012-085 is not clear, but it seems that
> CVE-2012-2714 might be the natural consequence of exploiting the CSRF.
> The title "multiple vulnerabilities" does not help.  Any thoughts on
> this one?

We use "multiple vulnerabilities" in the title when the listing all
fixed vulnerabilities becomes cumbersome. I agree it's not ideal. I
believe that the lack of validation in the login theft is separate
from the CSRF. Ben Adida is familiar with it and could potentially
give advice.

>
>> CVE-2012-2727 SA-CONTRIB-2012-098 - Janrain Capture - Open Redirect
>
>
> SA-CONTRIB-2012-098 mentioned a second separate issue for "An
> additional security weakness occurs when the module creates a new
> local user account."
>
> CVE-2012-2727 - open redirect
>
> (new) CVE-2012-3798 - disclosure of portions of passwords

True disclosure in CVE-2012-3798 only happens if an attacker gains
access to the user's session object (e.g. due to loss of a database
backup or an insecure memcache configuration). We mention that as a
poor security practice that was improved, but aren't sure what class
of vulnerability that should be and whether it really deserves to be
called out separately. There have been several other instances where
credentials or credential-like information is stored unencrypted in a
location that seems like a bad idea because it's more likely to be
leaked (e.g. the sessions database table) but where it's not a direct
immediate threat. Any advice on whether you feel those truly deserve a
CVE assignment?

I have not updated the advisory to include CVE-2012-3798.

>> CVE-2012-2723 SA-CONTRIB-2012-094
>
>
> A close reading of SA-CONTRIB-2012-094 suggests that there should be
> two CVEs.  Part of the advisory does seem to imply that the XSS is
> resultant from the CSRF; but it also says "This vulnerability is
> mitigated by the fact that an attacker must have a role with the
> maestro admin permissions," which implies that users with maestro
> admin permissions should not be allowed to conduct XSS attacks
> themselves.  This could probably be argued either way.
>
>
> CVE-2012-2723 - XSS
>
> (new) CVE-2012-3799 - CSRF

Indeed there is a CSRF issue separate from the XSS. Advisory updated with both.

>> CVE-2012-2721 SA-CONTRIB-2012-092 - Organic Groups - Cross Site
>> Scripting (XSS) and Access Bypass
>
>
> This is 2 types of issues, thus needs 2 CVEs.
>
> CVE-2012-2721 - Access Bypass
>
> (new) CVE-2012-3800 - XSS
>
Updated.

>
>> CVE-2012-2706 SA-CONTRIB-2012-079 - Post Affiliate Pro - Cross Site
>> Scripting (XSS) and Access Bypass - Unsupported
>
>
> Two vuln types, two CVEs needed.
>
> CVE-2012-2706 - XSS
> (new) CVE-2012-3802 - unspecified read of commisions
>

Advisory updated with both CVEs.

Thanks for the review and additional CVEs, Steve.

Regards,
Greg




-- 
Director Security Services | +1-720-310-5623
Skype: greg.knaddison | http://twitter.com/greggles | http://acquia.com

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.