Date: Wed, 11 Nov 2009 16:40:46 -0700
From: Bugs NotHugs <bugsnothugs@...il.com>
To: bugtraq <bugtraq@...urityfocus.com>, fd <full-disclosure@...ts.grok.org.uk>
Subject: HP curiosity and vulnerability

Before the vulnerability...

HP buys 3Com in mega $2.7 billion deal
http://www.scmagazineus.com/HP-buys-3Com-in-mega-27-billion-deal/article/157601/

HP plans to buy 3Com ($2.7b), which owns TippingPoint, which runs ZDI,
which has a 1128-day vuln in HP products: http://bit.ly/2HEonE
http://twitter.com/hdmoore/statuses/5629710613

http://www.zerodayinitiative.com/advisories/upcoming/
ZDI-CAN-582  	 Hewlett-Packard   	Low   	2009-10-21, 21 days ago
ZDI-CAN-581  	 Hewlett-Packard   	High  	2009-10-21, 21 days ago
ZDI-CAN-575  	 Hewlett-Packard   	High  	2009-10-21, 21 days ago
ZDI-CAN-574  	 Hewlett-Packard   	High  	2009-10-21, 21 days ago
ZDI-CAN-573  	 Hewlett-Packard   	High  	2009-10-21, 21 days ago
ZDI-CAN-566  	 Hewlett-Packard   	High  	2009-10-21, 21 days ago
ZDI-CAN-564  	 Hewlett-Packard   	High  	2009-10-21, 21 days ago
ZDI-CAN-563  	 Hewlett-Packard   	High  	2009-10-21, 21 days ago
ZDI-CAN-518  	 Hewlett-Packard   	High  	2009-07-16, 118 days ago
ZDI-CAN-523  	 Hewlett-Packard   	High  	2009-07-14, 120 days ago
ZDI-CAN-522  	 Hewlett-Packard   	High  	2009-07-14, 120 days ago
ZDI-CAN-503  	 Hewlett-Packard   	High  	2009-06-25, 139 days ago
ZDI-CAN-474  	 Hewlett-Packard   	High  	2009-04-15, 210 days ago
ZDI-CAN-453  	 Hewlett-Packard   	Medium  	2009-03-13, 243 days ago
ZDI-CAN-420  	 Hewlett-Packard   	High  	2009-01-26, 289 days ago
ZDI-CAN-419  	 Hewlett-Packard   	High  	2009-01-26, 289 days ago
ZDI-CAN-418  	 Hewlett-Packard   	High  	2009-01-26, 289 days ago
ZDI-CAN-417  	 Hewlett-Packard   	High  	2009-01-26, 289 days ago
ZDI-CAN-206  	 Hewlett-Packard   	High  	2007-07-17, 848 days ago
ZDI-CAN-177  	 Hewlett-Packard   	High  	2007-03-19, 968 days ago
ZDI-CAN-105  	 Hewlett-Packard   	High  	2006-10-10, 1128 days ago

Any bets on whether these vulnerabilities see the light of day?

=-=

       Title:  HP ProCurve Web Management Interface Multiple XSS
Release Date:  2009-11-11
 Application:  HP ProCurve Switch Management Interface

Description:
------------

HP ProCurve Networking Switches use a web based Management Interface to
control and configure the devices. Under the 'Security' -> 'SSL' portion
of the application, an attacker can inject HTML or JavaScript into the
'Organization Name' and 'Organization Unit' fields. The information supplied
by the attacker is stored by the switch and rendered in the browser of
subsequent visitors. Additionally, an attacker can inject script into
various fields related to the SSL certificate. Not only does this create
a cross-site scripting scenario, an administrator cannot change the
fields back using the 'Use Installed Cert' interface, rather she must
create a new certificate to remove the old entry.
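As an added illustration (not part of the advisory or of HP's code), the following Python shows the defect class described above and its fix: certificate subject fields written into the management page without output encoding, beside the same page rendered with HTML escaping, plus an audit helper that flags stored subject fields carrying markup-active characters. Field names are taken from the advisory; the sample subjects are constructed.

```python
import html
import re

# Subject fields the advisory says the switch stores and later echoes back
# in the web interface (names from the advisory).
SUBJECT_FIELDS = ("Organization Name", "Organization Unit")

# Characters that become HTML/JS-active when a value is placed in a page
# unescaped. A certificate subject needs none of them, so their presence in
# a stored subject is worth flagging.
MARKUP_ACTIVE = re.compile('[<>"\'&]')


def render_unescaped(subject: dict) -> str:
    """Vulnerable pattern: stored values concatenated straight into HTML,
    which is what lets an injected value run in later visitors' browsers."""
    return "".join(
        f"<tr><td>{k}</td><td>{subject.get(k, '')}</td></tr>"
        for k in SUBJECT_FIELDS)


def render_escaped(subject: dict) -> str:
    """Hardened pattern: every stored value is HTML-escaped at output time,
    so markup in a subject is displayed literally instead of interpreted."""
    return "".join(
        f"<tr><td>{k}</td><td>{html.escape(subject.get(k, ''), quote=True)}</td></tr>"
        for k in SUBJECT_FIELDS)


def audit_subject(subject: dict) -> dict:
    """Defender check: return the subject fields that contain markup-active
    characters. Relevant because, per the advisory, such fields cannot be
    reverted from the UI; the certificate has to be replaced."""
    return {k: v for k, v in subject.items()
            if k in SUBJECT_FIELDS and MARKUP_ACTIVE.search(v)}


# Constructed samples: a clean subject and one whose OU carries markup.
CLEAN = {"Organization Name": "Example Corp", "Organization Unit": "Network Ops"}
TAINTED = {"Organization Name": "Example Corp",
           "Organization Unit": "Ops <b>bold</b>"}

if __name__ == "__main__":
    print("flagged fields:", audit_subject(TAINTED))
    print("escaped row:", render_escaped(TAINTED))
```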

Product Details:
----------------

 Vendor:  Hewlett-Packard Development Company, L.P.
Product:  ProCurve Networking Switches
Version:  5308xl ver E.08.42, ROM E.05.04
              2524 ver F.05.50, ROM F.02.01
              2824 ver I.07.31, ROM I.07.01

Solution:
---------

Don't use HP products.

Disclosure Timeline:
--------------------

2006-11-10: Vulnerability Discovered
2006-11-29: Disclosed to Vendor via e-mail to security-alert@...com
                  HP SSRT replied, SSRT061284 assigned to this issue
2006-11-30: M.M. validated issue
2007-03-28: Mail sent to M.M. and security-alert@...com asking for status
2008-02-15: Mail sent to M.M. asking for status
2008-02-15: M.M. replies, will confirm and reply following week
2009-11-11: No replies, no indication this is important. (1096 days)

References:
-----------

Vendor: http://www.procurve.com/
XSS Information: http://en.wikipedia.org/wiki/Cross_site_scripting

=-=

BugsNotHugs
Shared Vulnerability Disclosure Account

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
