Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <201312301616.rBUGGPZ0009399@linus.mitre.org>
Date: Mon, 30 Dec 2013 11:16:25 -0500 (EST)
From: cve-assign@...re.org
To: henri@...v.fi
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: CVE-request: Dewplayer issues

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

> PoC: /wp-content/plugins/advanced-dewplayer/admin-panel/download-file.php?dew_file=../../../../wp-config.php

Use CVE-2013-7240 for this dew_file directory traversal issue.

> Assigning one CVE for vulnerability in different software components e.g.
> libraries used in WordPress plugins makes it very difficult to coordinate
> updates with end-users. Examples:
>     http://osvdb.org/83413
>     http://osvdb.org/90374

When a vulnerability originally came into existence through a single
action of a single developer, we currently don't like to assign
multiple CVE IDs on the basis of the vulnerable code later being
shipped in many separately maintained products. We can enter an
internal issue report about the effect on CVE usability because of this
"difficult to coordinate" observation.

> PoC: http://example.com/wp-content/plugins/flash-player-widget/dewplayer.swf?mp3=http://example.mp3
> PoC: http://example.com/wp-content/plugins/advanced-dewplayer/dewplayer.swf?mp3=http://example.mp3

Just to clarify: the dewplayer.swf file is thought to be essentially
the same in these two cases, and you're asking for two different CVE
IDs to be assigned? It seems very unlikely at this point that we can
provide more than one CVE ID for those, but we just wanted to confirm
that we're answering the right question.

> Q: Does content spoofing issues normally get CVE as the risk is probably
> minimal?

If we think the vendor's security policy is that dewplayer.swf should
not be able to reference off-site media files in this way, then the
issue is currently eligible for a CVE assignment. We're not sure that
a spoofing impact would be the primary motivation for changing this.
Perhaps a stronger motivation is that the vendor doesn't want
dewplayer.swf to trigger arbitrary outbound TCP traffic from the web
host, possibly including traffic to intranet servers in some
environments.

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJSwZu2AAoJEKllVAevmvmsuWoIAI3mI5Yc4YxnJH2Fds04k9LJ
bwSMONh+1rxxnjImg864NJAPTCEWKoCdczV+5kMK8TL5puu8vM352hBixtJ/Tq9q
vsxGWxwV1v/yIPkSAorxYJ1yhCmLj3KXunwujmc4qQUcMr0OCPb4ITdKps58mt9d
aR+rNy31nrtwc1uJIa5OXg//Fp6jE877hWBFBKTzcLwMdVNqSzDzhW6KdqKWJEG8
JMxQ1o6qHz4h6mm34m+vQn45Qbt6KroiVgkNgXfP5FaJNWRONsvj2WYbrRyhE0/i
u3JKfuquPCKtjDocBdeihdHjwiNE93M1x6swaZ1jpcrF0pjT7NAFKDQk8S/emVA=
=ykRj
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.