It's been a fun week for reporting bugs in software: I've had a quick look
at several tools I've come across.
Cool handling with mint
-----------------------
One was handled perfectly, a small piece of setuid software for
renewing DHCP settings from a toolbar, mint:
http://www.cs.wisc.edu/~zandy/p/
The code was pretty simple: open the configuration file ~/.mint and
read each line for options.
If a line matched something known like 'ADDRESS' then process it. If
not, print it out and give an error message.
Unfortunately it didn't protect against symlink attacks, so you
could do this:
skx_at_undecided:~$ ln -s /etc/shadow .mint
skx_at_undecided:~$ mint
ERROR: root:sdfsdfsdfZsdfsd-notrealhashR/:12683:0:99999:7:::
skx_at_undecided:
Fun stuff.
I mailed the author and it was fixed in less than an hour.
(Although, to be fair, he says he doesn't use it anymore and guesses
nobody else does; the last release was in 2000, so it's hardly
critical.)
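The mint problem above combines two things: following a symlink to a file the invoking user could not otherwise read, and then echoing the unrecognised line in an error message. As an added illustration (not mint's own code, and the option names ADDRESS/NETMASK/GATEWAY are my assumptions), here is how a privileged helper can read a per-user config file defensively: open with O_NOFOLLOW, check the already-open descriptor with fstat() rather than the path, and report unknown lines by number only. The scenario in `demo()` is constructed with temporary files.

```python
import os
import stat
import tempfile

# Hypothetical option names; mint's real keyword list is not reproduced on the page.
KNOWN_OPTIONS = {"ADDRESS", "NETMASK", "GATEWAY"}


class ConfigError(Exception):
    """Raised when the config file must not be read."""


def open_user_config(path):
    """Open a per-user config file the way a privileged helper should.

    O_NOFOLLOW refuses a symlink at the final path component, and the
    fstat() checks on the already-open descriptor (not a racy stat() on
    the path) confirm it is a plain file owned by the invoking user.
    """
    try:
        fd = os.open(path, os.O_RDONLY | os.O_NOFOLLOW | os.O_NOCTTY)
    except OSError as exc:
        raise ConfigError(f"cannot open config: {exc.strerror}") from None
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise ConfigError("config is not a regular file")
        if st.st_uid != os.getuid():  # real uid: the user who ran the tool
            raise ConfigError("config is not owned by the invoking user")
        if st.st_nlink != 1:  # a hard link to a private file is the sibling trick
            raise ConfigError("config has extra hard links")
    except BaseException:
        os.close(fd)
        raise
    return os.fdopen(fd, "r")


def parse_config(path):
    """Return (options, errors). Unknown lines are reported by number only."""
    options, errors = {}, []
    with open_user_config(path) as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            key, _, value = line.partition("=")
            key = key.strip().upper()
            if key in KNOWN_OPTIONS:
                options[key] = value.strip()
            else:
                # Report the position, never the text: echoing the line is what
                # turned mint's error message into a file-disclosure channel.
                errors.append(f"line {lineno}: unknown option")
    return options, errors


def demo():
    """Constructed scenario: a genuine config beside a symlink to a private file."""
    with tempfile.TemporaryDirectory() as tmp:
        private = os.path.join(tmp, "shadow")
        with open(private, "w") as f:
            f.write("root:not-a-real-hash:12683:0:99999:7:::\n")
        good = os.path.join(tmp, "mint.good")
        with open(good, "w") as f:
            f.write("# constructed config\nADDRESS=192.0.2.10\nBOGUS=1\n")
        link = os.path.join(tmp, "mint.link")
        os.symlink(private, link)

        good_result = parse_config(good)
        try:
            parse_config(link)
            link_result = "accepted"
        except ConfigError as exc:
            link_result = str(exc)
        return good_result, link_result


if __name__ == "__main__":
    print(demo())
```

The ownership check uses the real uid deliberately: in a setuid binary the effective uid is root, and the question is whether the file belongs to the person who typed the command. Dropping privileges before touching anything under the user's home directory is the stronger fix, and these checks are the backstop for when that is not possible.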
"Credits"
---------
An application I've been using for years is an online DVD database
application written in PHP, called VideoDB.
I noticed that it was vulnerable to a few SQL injection attacks,
as it used code like this:
SELECT ... blah ... from blah WHERE id='$id'
with $id coming straight from the request URL with no filtering.
So I reported it privately to the author, who then informed me that
he didn't work on the code so much, so he forwarded it to the public
mailing list.
Shortly afterwards it was fixed.
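To make the VideoDB pattern concrete, here is an added example (my code, not VideoDB's, against a constructed in-memory SQLite table rather than VideoDB's schema) that puts the `WHERE id='$id'` interpolation next to the parameterised form. The same input that makes the interpolated query return every row is just an unmatched string to the bound query, and a type check at the boundary rejects it before it reaches the database at all.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the VideoDB table: three rows, two owners."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE videos (id INTEGER PRIMARY KEY, title TEXT, owner TEXT)"
    )
    conn.executemany(
        "INSERT INTO videos VALUES (?, ?, ?)",
        [(1, "Alien", "steve"), (2, "Brazil", "steve"), (3, "Private", "someone_else")],
    )
    return conn


def lookup_vulnerable(conn, id_param):
    """The page's pattern: the request value is spliced into the SQL text."""
    sql = f"SELECT id, title FROM videos WHERE id='{id_param}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    """Bind the value as a parameter; the driver never lets it become SQL."""
    return conn.execute(
        "SELECT id, title FROM videos WHERE id=?", (id_param,)
    ).fetchall()


def lookup_validated(conn, id_param):
    """Belt and braces: refuse anything that is not an integer at the
    boundary, then still bind it rather than interpolate it."""
    if not id_param.isdigit():
        return []
    return lookup_safe(conn, int(id_param))


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "1' OR '1'='1"):
        print(repr(value), lookup_vulnerable(db, value), lookup_safe(db, value))
```

The parameterised query alone closes the hole; the `isdigit()` check is there because a numeric id should never be anything else, and rejecting malformed input early also makes the odd request visible in logs instead of silently returning nothing.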
And then somebody from Secunia mailed the list asking for the details
behind the 'Security' terms in the CVS commit messages.
The details were explained, and this advisory was released:
http://secunia.com/advisories/13765/
Credit? Moi? Nah .. "Software Vendor".
I almost feel robbed.
I'm curious what reaction others have gotten from reporting problems?
I know some people will downplay even the most obviously critical holes,
and others will bend over backwards to fix a completely obscure and
unlikely hole - so it's probably only normal to expect a lot of
variation ..
That reminds me Advogato still needs patching, and I don't use it
any more ... wonder if I should increase my certifications ;)
Steve
--Received on Fri Jan 14 2005 - 16:51:34 GMT