Re: Vulnerabilities in Sebo - webstore



Hello Salvatore!

In my letter to Bugtraq (http://www.securityfocus.com/archive/1/511023),
which was mentioned in my advisory (you can read that letter, if you haven't
read it yet), I wrote about the importance of making separate advisories for
vulnerabilities in software which uses CaptchaSecurityImages.php. Reading it
is highly recommended before writing to me about anything related to
CaptchaSecurityImages.

> Still the same "bugs"?!

Yes, still the same. The same holes in a different web application. As is
clearly stated in my advisory.

With these vulnerabilities in one script which is used (the script itself or
its code) in multiple webapps, which makes them vulnerable, I used the same
approach as with the vulnerabilities in WP-Cumulus. And I already reported to
security mailing lists about vulnerabilities in WP-Cumulus and in other web
applications which use tagcloud.swf at the end of 2009 and in 2010.

So why are neither you nor other readers of the list asking the question (aka
moaning) about the same vulnerabilities in these webapps, which all use the
vulnerable tagcloud.swf? Why are you and others only moaning about webapps
with CaptchaSecurityImages.php, but not about webapps with tagcloud.swf? And
there are a lot of sites (so there are many webapps) with tagcloud.swf, as is
clear from my article "XSS vulnerabilities in 34 millions flash files"
(http://www.webappsec.org/lists/websecurity/archive/2010-01/msg00035.html).

The question is rhetorical and the answer is obvious: it's double standards.
I wrote in detail about double standards in my letter to Full-disclosure
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-April/074124.html).
And I recommend that you (and anyone who holds a similar position) read that
letter first, before writing anything concerning the topic of vulnerabilities
related to CaptchaSecurityImages.

I already wrote about this in my answer to Terry White last week, which I also
CC'd to Bugtraq. But it was not published to the list by the moderator, maybe
because the letter was too long :-) (and it had additional argumentation
against various unserious statements regarding my advisories).

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

----- Original Message -----
From: "Salvatore Fresta aka Drosophila" <drosophilaxxx@xxxxxxxxx>
To: "MustLive" <mustlive@xxxxxxxxxxxxxxxxxx>
Cc: "Bugtraq" <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Monday, May 10, 2010 10:13 PM
Subject: Re: Vulnerabilities in Sebo - webstore


2010/5/8 MustLive <mustlive@xxxxxxxxxxxxxxxxxx>:
> Hello Bugtraq!
>
> I want to warn you about security vulnerabilities in the e-commerce system
> Sebo - webstore.
>
> In this advisory I continue to inform readers of mailing lists about
> vulnerable web applications which use CaptchaSecurityImages.php.


Still the same "bugs"?! A question: if you find (ad absurdum) a bug in
the printf C function, will you send an e-mail for each piece of software
that uses it?

--
Salvatore Fresta aka Drosophila
http://www.salvatorefresta.net
CWNP444351
