Date: Tue, 18 Aug 2015 21:46:08 -0400 (EDT)
Subject: Re: CVE Request: ATutor LMS Version 2.2 with stored XSS and file upload issue


> There are a few Stored XSS ... vulnerabilities in the software.
> Issue:

Use CVE-2015-6521 for all of these XSS issues. We think they don't
overlap CVE-2010-0971.

> There are ... file upload vulnerabilities in the software.
> Issue:
> 2) File Upload in course
> There are illegal file extensions mentioned where all the executable
> files are checked. But a file without any extension is accepted. This
> could be a binary executable file.
> Against file upload: Use a white list of extensions that are allowed
> to be uploaded rather than extensions that are not allowed (black
> list).

We don't think this is a type of issue for which a CVE ID is typically
assigned. See also the second-to-last part of the post.

For web applications, file upload is often of interest because the
attacker can upload a file with an extension recognized by a web
server as an executable file, e.g., an extension listed on an
AddHandler line in an Apache HTTP Server configuration. We're not sure
whether there are any web servers that, in their default
configuration, have an AddHandler equivalent for all extensionless
files. Although a web application might want to block uploads of any
file that has a native executable-file format recognized by the
underlying operating system, we don't think this is a commonly
recommended feature, and we don't believe we should be assigning CVE
IDs to every web application that omits this feature. (We're not
disputing that the feature could sometimes be useful. Most web
applications aren't intended to receive native executables through an
upload mechanism, and there might be attack methodologies that rely on
these uploads, e.g., uploading something like Staog -- -- to a Linux machine with a
filename of Staog and no extension.)

If there is something about a web application that makes native
executables especially dangerous (e.g., local users are somehow
encouraged to open all non-PHP files uploaded by web visitors) or if a
vendor was actually trying to block all native executables but the
code was wrong, then a CVE ID could exist.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
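As an added illustration of the deny-list versus allow-list point raised in the thread (example code written for this page, not ATutor's code and not from either poster): the first check mirrors the reported gap, where a filename with no extension passes a deny-list of executable extensions; the second requires an extension from an allow-list and also rejects content that starts with a native executable signature. The extension sets and the magic-byte list are assumptions chosen for the example.

```python
"""Upload-filename checks: deny-list as described in the report, beside an
allow-list alternative. Constructed example, not ATutor code."""
import os

# Deny-list in the spirit of the report: listed executable extensions are
# rejected, but a filename with no extension at all is accepted. (Assumed set.)
DENIED_EXTENSIONS = {"php", "phtml", "exe", "sh", "pl", "cgi"}
# Allow-list: only the document/image types a course upload needs. (Assumed set.)
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "txt", "zip"}
# Leading bytes of native executables: ELF (Linux) and PE/"MZ" (Windows).
NATIVE_EXEC_MAGIC = (b"\x7fELF", b"MZ")


def extension_of(filename: str) -> str:
    """Return the last extension, lowercased, or '' when the name has none."""
    base = os.path.basename(filename)
    _, ext = os.path.splitext(base)
    return ext[1:].lower()


def denylist_accepts(filename: str) -> bool:
    """Deny-list check: an extensionless file slips through (the reported gap)."""
    return extension_of(filename) not in DENIED_EXTENSIONS


def allowlist_accepts(filename: str, head: bytes = b"") -> bool:
    """Allow-list check on the extension plus a magic-byte test on the content.

    `head` is the first few bytes of the uploaded file; an empty value means
    only the filename is examined.
    """
    ext = extension_of(filename)
    if not ext or ext not in ALLOWED_EXTENSIONS:
        return False  # no extension, or one outside the allow-list
    if head.startswith(NATIVE_EXEC_MAGIC):
        return False  # native executable content regardless of its name
    return True
```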

