Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-Id: <20161006151431.80DF36C58F9@smtpvmsrv1.mitre.org>
Date: Thu,  6 Oct 2016 11:14:31 -0400 (EDT)
From: cve-assign@...re.org
To: labs@...dream.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com, spip-team-owner@...o.net
Subject: Re: SPIP vulnerabilities: request for 5 CVE

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Can you provide further information about whether each of these issues
could have been fixed independently?

We are aware of:

  https://core.spip.net/projects/spip/repository/revisions/23200
  https://core.spip.net/projects/spip/repository/revisions/23201
  https://core.spip.net/projects/spip/repository/revisions/23202

and these seem to indicate separate findings related to three
items on your list. Thus, we can initially assign these IDs:

> * Cross-Site Request Forgery

Use CVE-2016-7980.


> * Reflected Cross-Site Scripting

Use CVE-2016-7981.


> * File Enumeration / Path Traversal

Use CVE-2016-7982.


Is your reported Server Side Request Forgery a completely separate
problem? Is it resultant from an authorization issue, e.g., possibly
the wrong users have access to XML validation:

  -   if (!autoriser('sauvegarder')) {
  +   if (!autoriser('webmestre')) {

and also XML validation could be performed through CSRF? In other
words, is valider_xml.php supposed to block everyone from performing
an XML validation of an off-site document, or is it only supposed to
have access control for this functionality?


> * Template Compiler/Composer PHP Code Execution

Is there public information about this already on an spip.net web site
(such as a Redmine revision) or the https://sysdream.com/news/lab/ web
site? Is this unrelated to the valider_xml.php script?

- -- 
CVE Assignment Team
M/S M300, 202 Burlington Road, Bedford, MA 01730 USA
[ A PGP key is available for encrypted communications at
  http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBCAAGBQJX9mnXAAoJEHb/MwWLVhi2/qcQAKEeOApYMW4Czdtc9dQYq5c1
BvrVK73txuLW346VYOGYB2HNp9b1RPoH34buXakJGXrhgyhbK/1fl1WILdUROuMs
UeEievyso1zudb2seSC/mPdvoyMfiKYQdQEvquQsuNNbdohR2TxA7i7k/33gpEoN
jQwsDCdm4xQQDPG5hrK39LmhboqgZtrYhZXetHWGloMMYWVMgoVOopdNXdMajXJ5
ycSlJoqMsMVWiZ4JKWPbEaFY7fJwHs3f5ZRa7WRRzAy6IdLQN/9Wo/awZsVTfe/s
mTC7bz3iiUCCu+XYWhmZGFG9JBBz4FL68CsYXw3tkjS8h0Gi4IsIKUc3ZiTm/2ee
boZiAJlRJETfgKozM/E3fyLytPeUX+2r8UI2SkkyjXM0JZ/r5NJuiaSumLo3sxst
bXsd5ruDb7FQyaQqkyPutti0Iz3gdM8MPqhGkwIG/xfDs6U/M9RFdPB91ShmuqWd
fYARzhJLsm+s2lQgMVzxLEAm7GVpJdORSRTW8JnlzxdeYy/Z/f1Nh6hxvi1pjGVO
voAvlQNNnVJYeWYoDwXBK0qF31CRNq5/wePt6JY1h92fwzgMo4w84Yny91qsHlY4
f0uaSduqB8DgO+P78X7fTai6T0j9i+6Qsnqukr9U/79Nt/tlmIJ+gs9DFF8RwQRz
IlWWaW48n/lLS/vAtKMl
=7eq2
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.