Message-Id: <20150310171216.1144E42E048@smtpvbsrv1.mitre.org>
Date: Tue, 10 Mar 2015 13:12:16 -0400 (EDT)
From: cve-assign@...re.org
To: steevee.aka@...il.com
Cc: cve-assign@...re.org, oss-security@...ts.openwall.com
Subject: Re: Instant v2.0 SQL Injection Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Are you able to identify this vulnerability within a specific download of open-source software? What we've been able to find is:

  http://web.archive.org/web/20081219100117/http://overcoffee.com/

  http://web.archive.org/web/20050405113015/http://aura.overcoffee.com/
  (previous version of web site)

  http://web.archive.org/web/20100105143144/http://overcoffee.com/
  (later version of web site)

The above archived aura.overcoffee.com page suggests that web sites existed with "Powered By Instant v2.0 another OverCoffee production" in the footer. The archived overcoffee.com page suggests that the company's goal was "packages of web development services and applications." Linked pages refer to "we provide all our clients with a log-in username and password to their own area of the SelfServe control panel" and "we partner with our clients from initial consultation through design, hosting, and management." This might mean that "Instant v2.0" was a web-design offering that typically resulted in a web site hosted and maintained by the vendor.

To obtain a CVE ID on the oss-security list, it's necessary to establish that the vendor has (currently or in the past) packaged the product in question as open source.

To obtain a CVE ID at all, it's necessary to establish that there is or was a specific packaged product. A CVE ID is not assigned for "web development services" that create customer-specific sites/code, even if multiple customers happened to receive a specific file (such as product_cat.php) and a vulnerability is found in that file. Also, it's necessary to establish that customers are responsible for security updates of the specific packaged product. This is very often the case if different installations of a product are installed on servers controlled by different customers. In this situation, this seems perhaps unlikely because the six example sites do not all have unique IP addresses. (Admittedly, it's possible for a vendor to initially maintain its customers' web sites but then later announce that the customers need to start maintaining them on their own.)

Also, note that this vendor (apparently from Iowa in the U.S.) is not the same as the InstantCMS vendor (see CVE-2013-6839), apparently located in Russia.

To summarize:

 - if you know that this is open source, you can send more information about that to oss-security@...ts.openwall.com

 - if you don't know whether it's open source but know that "Instant v2.0" was shipped as a software package installable by arbitrary customers, you can send more information about that to cve-assign@...re.org (That address can be used, optionally, even if it is open source. Please do not send to both addresses.)

- -- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (SunOS)

iQEcBAEBAgAGBQJU/yWAAAoJEKllVAevmvmsgGcH/jF05h+Dbiv/JA3V6fqh4LKQ
3H3Be/s47jEMTwUJDs4Y3/b6E88C0BRJcHWEgPsFbeLCI3jRFmquEJbOlBr/nuTk
qzYAtWz2EA+OaxkzpcLQJnhBknYrGFIZdEuBBtsYq32/1tvPbKOxu06tgRcktZr6
N5x+giSLH2ziOGd1N+9R0Wg4Us1HKzu8XjpiC8u/1EOR7yHreEPd85lVbHNKDZJj
pdjcULb33mTrEloTsjfH3gp7LzyoBdZn5QPE5DP6UKk5g5a+B22f2x9SZS+qr3mN
bl0+vGmxUACF9F0OP60jnU9sJ/SlT+JfMKyapB4JHwlXNMmSLNPo0iv+mmBh7T8=
=ixTb
-----END PGP SIGNATURE-----