thr3ads.net - Secure testing commits - [Secure-testing-commits] r7192

If this information is useful, please help other people find it:
Share via:

nion at alioth.debian.org

2007-Nov-02 07:56 UTC

[Secure-testing-commits] r7192 - data/CVE

Author: nion
Date: 2007-11-02 07:56:52 +0000 (Fri, 02 Nov 2007)
New Revision: 7192

Modified:
   data/CVE/list
Log:
CVE-2007-5695 is unimportant


Modified: data/CVE/list
==================================================================---
data/CVE/list	2007-11-02 03:17:36 UTC (rev 7191)
+++ data/CVE/list	2007-11-02 07:56:52 UTC (rev 7192)
@@ -322,7 +322,8 @@
 CVE-2007-5696 (PHP remote file inclusion vulnerability in includes.php in
phpBasic ...)
 	NOT-FOR-US: phpBasic
 CVE-2007-5695 (command.php in SiteBar 3.3.8 allows remote attackers to redirect
users ...)
-	- sitebar <unfixed> (low; bug #448690)
+	- sitebar <unfixed> (unimportant; bug #448690)
+	NOTE: there is no real exploit scenario
 CVE-2007-5694 (Absolute path traversal vulnerability in the translation module
...)
 	- sitebar <unfixed> (low; bug #447135)
 CVE-2007-5693 (Eval injection vulnerability in the translation module ...)

Florian Weimer

2007-Nov-02 09:13 UTC

head link

[Secure-testing-team] [Secure-testing-commits] r7192 - data/CVE

>  CVE-2007-5695 (command.php in SiteBar 3.3.8 allows remote attackers to
redirect users ...)
> -	- sitebar <unfixed> (low; bug #448690)
> +	- sitebar <unfixed> (unimportant; bug #448690)
> +	NOTE: there is no real exploit scenario
I disagree with that assessment.  Open redirectors pose at least a very
real reputation risk.

Nico Golde

2007-Nov-02 10:25 UTC

head link

[Secure-testing-team] [Secure-testing-commits] r7192 - data/CVE

Hi Florian,
* Florian Weimer <fw at deneb.enyo.de> [2007-11-02
10:13]:> >  CVE-2007-5695 (command.php in SiteBar 3.3.8 allows remote attackers
to redirect users ...)
> > -	- sitebar <unfixed> (low; bug #448690)
> > +	- sitebar <unfixed> (unimportant; bug #448690)
> > +	NOTE: there is no real exploit scenario
> 
> I disagree with that assessment.  Open redirectors pose at least a very
> real reputation risk.
Yes for sites with some kind of trust-level. I agree if this 
would be the web application for online banking but what is 
your exploit szenario in this case?
Kind regards
Nico
-- 
Nico Golde - http://www.ngolde.de - nion at jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: not available
Url :
http://lists.alioth.debian.org/pipermail/secure-testing-team/attachments/20071102/0f092e3a/attachment.pgp

Secure testing commits - Nov 2007 - r7192 - data/CVE

[Secure-testing-commits] r7192 - data/CVE

[Secure-testing-team] [Secure-testing-commits] r7192 - data/CVE

[Secure-testing-team] [Secure-testing-commits] r7192 - data/CVE