Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Fri, 20 Sep 2013 11:35:31 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Raphael Geissert <geissert@...ian.org>, jmd@...epnet.net,
        moyo@...epnet.net, info@...ridge.com,
        Assign a CVE Identifier <cve-assign@...re.org>
Subject: Re: CVE-2013-5696: split needed

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/20/2013 02:27 AM, Raphael Geissert wrote:
> Hi,
> 
> GLPI 0.84.2 fixes a few security issues [1], for which
> CVE-2013-5696 was assigned. However, from the bug tracker[2] it is
> clear that there are multiple issues:
> 
> * SQL Injection * PHP Code Execution * CSRF (seems that it is the
> vector for the SQL injection)
> 
> There there are references to the above CVE id and an id from HTB. 
> The latter's advisory [3] only refers to remote code execution.
> 
> So, it looks like the CVE id was originally assigned to the CSRF 
> vulnerability, then reused for the SQL injections, and the code 
> execution vulns. were just added to the same bug report but it is 
> completely independent and not covered by the existing CVE id.
> 
> CC'ing GLPI upstream so that they can, hopefully, shed some more 
> light. Is the 0.83 branch affected by the way?
> 
> CC'ing one of HTB's email addresses, in case they've already
> requested an id directly from MITRE.
> 
> (oh and it appears that there's now a warning requesting the 
> install.php script to be deleted after the installation. Does that 
> mean that there are bugs left to be exploited otherwise?)
> 
> [1]http://www.glpi-project.org/spip.php?page=annonce&id_breve=308 
> [2]https://forge.indepnet.net/issues/4480 
> [3]https://www.htbridge.com/advisory/HTB23173
> 
> Cheers,

I assume this was assigned by Mitre, probably best to have them do the
split.


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iQIcBAEBAgAGBQJSPIdjAAoJEBYNRVNeJnmTOo8QAJsImU6tt2fgeP2lhWonL0L6
WBtkTSRtcbieBM5dOPv9JrfrfMqOFu9G/pBLbdu51zYo9/hu/owU1Lw+FFFKrgbO
3zLwC/MHYYXaHtAxI9W8PyZtcx6F4q0sZT83DQjFPzmpPkNYegPuAYFtEYbszPJK
OCv+He9eEE1gLmOM+kbO8ixx51uLu7lTpQcD2Q1YpP3lE8GFkcoLmsPCChhaLnYk
17PdYtpIw/v97XIOVAnhlpu8HyMWxaVRAjrdkoLEdKNhnS2WiQMlgz6DEwKpgbE4
GnulZ4+0lm74LA3cY9RThCKJDandiH4HC+7FivP/633QJ23rs6w85+29wuWUE+gJ
XOS44OCmzbZSku9brbplHK/NgUGmxH8SsTSxDcgzKKFWCLt/2rwaKAb1M646O1yi
H5mAKazPKvKISarbHFNiUDUt/35OiTg5AxgVvDTDj7cnejAEfRSiScpSNWSBQ/n8
+JizR1ElyU4rAnyufxSn4yNAUHzcS2kpLmCPr1Biy3nW5+xCyXlcbpgo9Z1fmPJ2
VL08rHUtEC4vcpSjPvatRWaC+vgirky5xgN1/in1bY8tAURUkWLBRRvGuMQfaq7E
H+XLbpSJIUn3nEy8sOSNL/z3uwdnXnKYgCcw4Zwp7Cix5mYVxFgi6xBNE6E9m150
RbuLEH8U54XzNMpPOSZw
=Qv2g
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.