Re: CVE request (maybe): magento before 1.7.0.2

[Kurt Seifried <kseifried () redhat com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 12/31/2012 02:32 AM, Hanno Böck wrote:
> Hi,
>
>
> http://www.magentocommerce.com/download/release_notes 1.7.0.2
> changelog lists this: "Fixed: Security vulnerability in Zend_XmlRpc
> - http://framework.zend.com/security/advisory/ZF2012-01 "
>
> I don't know if we consider bundled libs issues as extra CVE. The 
> original one is CVE-2012-3363.
>
>
> Also, Magento 1.7.0.1 has this: "Fixed: Several potential security
> vulnerabilities"
>
> Yeah, I like it if vendors are so verbose about their 
> vulnerabilities... And here are some people defending the "security
> by obscurity standpoint of magento: 
> http://www.magentocommerce.com/boards/viewthread/284896/#t397006
>
> (I seriosly consider this is an issue that should be highlighted
> more - we recently had piwik devs arguing in a similar way for
> obsurity - free software doesn't protect you from dumb developers
> thinking that obscurity may be a good idea)

Honestly I'm not going to waste any time on tracking these down, it
would take hours to go through the above mentioned 1.8 meg diff file
that contains these security flaws. So with this in mind:

http://www.magentocommerce.com/download/release_notes
Release Notes - Magento 1.7.0.1 (Jun 20, 2012)
Fixed: Several potential security vulnerabilities

Please use CVE-2012-6091 for these issues.

But here's a hint: it would only take a few hours to hunt down the
flaws. And according to the argument "these sites handle large volumes
of money" it would be worth an attackers time to read the diff file,
so this obscurity argument only hurts the users/admins since they will
have to waste time figuring out if they need to apply this patch or
not or if there is a workaround, or what they should do to see if they
have already been attacked/etc.

Feel free to post a copy of this on their forums.

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iQIcBAEBAgAGBQJQ5eamAAoJEBYNRVNeJnmTeecQAJDK6zWT3prklzbLpAks6OwW
Pe3G1kZWO7ABgm9S5LWJYXQdi4LByD7aXK4N5sowTUAEtefnfQrF3GKDGeiIX+sm
5rVn1NFqwD6Q+SiK9mkBg0FWxUUBY0y0Q7AcahH4VTifsrCce+rQWG9p79cQQm1H
alBBF5fvQh1pT5kA9/rAIyO8ZeYJ08ziqDBZGlif4Eyonj1XPT5Q2hKcQ+UL27Lc
rLynXkrvzCqmBUYO5cjHf57VfX9ePowQcDTouNXUf6tMAhSvrh2t4Neb9NKheRI1
JDXF9z72qovUXXtX8eV8S00kHEGE14B25mS4mQjWBEqetGy72MpK8EcHsy26XOgr
1PwcSNpbI3Leu57H8DdrrB8eNPdccbBiHOS0IfLccOsVJIGhVXUJGTV7lfc2PW85
HcGFStMwWoUOvj00uaes+m7Jjk4yDB2g0SUPJ7AJvKJDQFGRJYiPiJhdqcnqx+lG
nbVvddnXh4uGNB9IPN8gK/cYjcYffs4/teI52vyhcFFQPwXcsWtnUgEqyUBrYQWL
Sp+PQsXkZPGulhUSuoQZhItaeziJd0F7ldvR9HbuChbaP/q9xC/6V4ug5CaiECjG
pNGS7ix8c9I4AuX8KA61PpZVBlAHN/h3TZ4UXA1njJPyiMYdYtwrCMk+7VryPil5
uDfS/UySiC/aA3hvUNL6
=tvfI
-----END PGP SIGNATURE-----