lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1658214.8zndv4WEi7@treebeard>
Date: Mon, 06 May 2013 12:32:14 -0400
From: Josh Thompson <jfthomps@...che.org>
To: dev@....apache.org, user@....apache.org,
  full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com,
  security@...che.org, announce@...che.org
Subject: Apache VCL improper input validation

CVE-2013-0267: Apache VCL improper input validation

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache VCL 2.1, 2.2, 2.2.1, 2.3, 2.3.1

Description:
Some parts of VCL did not properly validate input data. This problem was 
present both in the Privileges portion of the web GUI and in the XMLRPC API.

A malicious user having a minimal level of administrative rights could 
manipulate the data submitted by the web GUI or submit non-standard data to 
the API to gain additional administrative rights.

The API functions that are vulnerable were introduced in 2.3.1.  Some of those 
API functions can also be exploited to perform a DOS attack on the site to 
remove access from other users and to perform an XSS attack to gain elevated 
privileges.

The vulnerabilities were found by an Apache VCL developer doing a code review.  
No know exploits are in the wild at this point.

Fixed Versions:
Apache VCL 2.2.2, 2.3.2

Mitigation:
Apache VCL 2.3 and 2.3.1 users should upgrade to 2.3.2 as soon as possible.
Apache VCL 2.2 and 2.2.1 users should upgrade to 2.2.2 as soon as possible.
Apache VCL 2.1 users should upgrade to 2.2.2 or 2.3.2 as soon as possible.

Apache VCL 2.2.2 and 2.3.2 can be downloaded from 
http://vcl.apache.org/downloads/download.cgi

Workarounds:
There are no complete workarounds. However, users must have at least 
nodeAdmin, manageGroup, resourceGrant, or userGrant to exploit the 
vulnerabilities.  Removing that access from anyone that is not fully trusted 
will minimized chances of an exploit against your site.


Josh Thompson
Apache VCL release manager
Download attachment "signature.asc" of type "application/pgp-signature" (837 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ