Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Mon,  4 May 2015 02:14:30 -0400 (EDT)
Subject: Re: CVE requests / Advisory: phpMyBackupPro

Hash: SHA1


This post was, for the purpose of CVE mapping, somewhat complex, but
we currently feel that it needs at least 5 CVE IDs, and maybe 6.

> Issue #1: SQL injection in multi-user mode

Use CVE-2015-3637. Affected versions are "before 2.5."

Issue #2 and Issue #4 begin by describing essentially the same type of
problem. The user is supposed to be providing an integer value that
can be used within a .php file, but the unpatched product let the user
specify arbitrary PHP code instead of an integer. For this problem,
with affected versions of "before 2.5," use CVE-2015-3638.

The remaining errors in version 2.5 seem to have two distinct types,
at least from the perspective of the advisory (we did not
independently study the complete code).

For the Issue #2 section, apparently the 2.5 code was attempting to
safely include untrusted input inside of a string literal, but a wrong
approach was used. Use CVE-2015-3639 for this problem.

For the Issue #4 section, apparently the 2.5 code was attempting to
identify specific characters that may be special to PHP (or may be
special to a shell) but did not achieve a complete solution. (For
example, the ';' character was blocked in 2.5, but the '.' character
was not blocked.) Use CVE-2015-3640 for this problem.

The final concern is Issue #3. We believe it's valuable to search for
duplicate CVEs, but there was no comment about whether CVE-2009-4050
is the same issue. If that 2009 issue was fixed and then reintroduced
between versions 2.1 and 2.5, then there can be two new CVE IDs for
the 2015 report.

If that 2009 issue was never fixed, then there was a duplicate
discovery. We believe that CVE-2009-4050 applies to the larger
problem: an attacker could use any number of "../" sequences after the
"get_file.php?view=" part of the URI, including zero "../" sequences.
There would then be one additional CVE ID for the behavior in 2.5,
because that behavior represents an incomplete fix for CVE-2009-4050.

By default, we would use the second interpretation for Issue #3. In
other words, unless someone can establish that CVE-2009-4050 was fixed
in 2.2, 2.3, or 2.4, we'll conclude that Issue #3 is a duplicate
discovery, and we'll send the one ID for the "incomplete fix" CVE.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
Version: GnuPG v1.4.14 (SunOS)


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.