Message-ID: <Pine.LNX.4.64.0601301712440.29752@forced.attrition.org>
Date: Mon, 30 Jan 2006 17:15:07 -0500 (EST)
From: security curmudgeon <jericho@...rition.org>
To: bugtraq@...urityfocus.com
Subject: Etomite followup information
---------- Forwarded message ----------
From: Rick Elnor
To: moderators@...db.org
Date: Sun, 29 Jan 2006 10:11:08 -0800
Subject: [OSVDB Mods] [Change Request] 22693: Etomite todo.inc.php cij Variable
     Arbitrary Command Execution

Hello,

I am Rick Elnor, the Etomite CMS security expert and owner of Nixbased Security 
Consulting. I have noticed you reported the Etomite cij Variable Arbitrary 
Command Execution Vulnerability on your website. This information is not 
accurate.

Here's the truth: "The eto site got hacked - they downloaded the etomite v0.6.0 
files, and implemented a security exploit into them on the 11th of January, and 
reuploaded to the eto server. They also did the same with the RC3 files.

The RTM files have been unaffected, as they are held on the secondary eto 
server.

If you downloaded Etomite v0.6.0 prior to the 10th of January, your etomite 
install is safe.
If you downloaded Etomite v0.6.0 or v0.6.1 RC3 after the 10th of January, your 
install may be compromised and you should upgrade to the RTM immediately.

The second issue (which we knew about from day 1) - which is now completely 
irrelevant anyway (they made the code look like the "phone home" feature of 
etomite which is why we thought the issues were related).
What the Phone Home feature does is phone home to the etomite server and tell 
us where you are running your etomite install ONLY if you untick the License 
Agreement box on the login page. THIS IS THE ONLY TIME v0.6.0 SENT US ANY DATA.

We no longer collect the data, as I have removed the data collection script."

The above was posted as a forum message on the Etomite forums today at this 
location http://www.etomite.org/forums/index.php?showtopic=4291
