Today, I received a short mail from Secunia asking me for details of the fixes I did to Spine. I'm not sure what to answer.. It doesn't appear to be automated. How far would any vendor go by providing security companies with ways to exploit their own software? Wouldn't it be wise just to say "No comment" and let them sort it out for themselves? I'm not even sure I have the time to respond and work out some examples since I'm out of the country next week..
Hello,
we noticed the following entries in the changelog for SPINE 1.2 stable and are about to release an advisory for these issues.
* Added in Admin : Forced POST access (prevent XSS)
* Fixed in Core : Placeholders in database handler : security fix
* Fixed in Admin : Macro admin security bug fix
Before we publish our advisory we would appreciate to receive your comments on these issues.
What are the impacts of the fixed vulnerabilities? How can they be exploited and is any authentication required? Which other versions are also affected and are there any mitigating factors?
Please respond as soon as possible.
Thanks in advance and kind regards,
That's interesting. The "macro admin security fix" is something I don't understand, but the first two should be no brainers. Why the heck can't they figure that out for themselves? I do understand your reluctance to get specific about "here's how you attack unpatched versions of this software."
Re:Huh?
Beatnik on 2007-01-03T14:39:42
Actually, the items on that list are just copied from my Changelog. The first fix is basically to prevent people from creating a link like http://site.com/admin/delete?name=page .. but then again, they can still do a form with POST and have a javascript link to submit it.. *ARGH*
The second one is just applying some best practices. Adding an extra lock to the already locked door.
Third one is uhm.. mmm, will have to look up what I meant by that tho :)
Recommended action would be to upgrade.. obviously, but nothing that I categorize as critical.
Not that far-fetched
Aristotle on 2007-01-03T15:00:24
I don’t see what’s so unusual about the request. Figuring out the issues requires study of the source code, and evaluating them to figure out what follows from them is often unclear to someone without a good understanding of the codebase. This has been a point of tension between the Linux kernel hackers and distributors, who often can’t tell how significant a bugfix really is without either being told or investing significant effort of their own.
Let’s take a look at the questions:
What are the impacts of the fixed vulnerabilities?
It’s not always clear what a particular hole can only be abused for, and in particular, whether or not it allows priviledge escalation. Of particular interest in webapps is whether there is a chance of priviledge escalation between environments, eg. whether a bug only allows you to delete documents in a CMS that you shouldn’t have access to, or whether it actually allows the attacker to puncture the app abstraction and gain direct access to the database or the filesystem on the machine.
How can they be exploited and is any authentication required?
Eg. in this case, would the GET-vs-POST attack require that the user be cookied or otherwise have priviledges? Again – can this result in priviledge escalation?
Which other versions are also affected and are there any mitigating factors?
In other words: a) How do I tell whether I run a vulnerable version? b) As a user of a vulnerable version, is there anything I can do to close the hole without patching any software? (Eg. in browser hole advisories this is where the inevitable “to avoid exploitation, disable Javascript support” comes in.)
It should be obvious that these aren’t questions a casual observer can judge merely by looking at a patch if an exploit has not been published.
It should also be obvious that giving answers doesn’t mean providing a HOWTO Exploit MySoftware v0.42.
Re:Not that far-fetched
Ovid on 2007-01-03T15:21:32
Fair enough. I stand correct :)
Re:Not that far-fetched
Ovid on 2007-01-03T15:21:50
Er, corrected!
Re:Not that far-fetched
Aristotle on 2007-01-03T17:28:51
Don’t worry, after all these times I wrote “privile d ge” in that comment, your transgression is quite minor. Ugh. *hides in shame*