Vulnerabilities
Here you’ll find a list of the vulnerabilities I’ve discovered that have been publicly disclosed.
Where possible, the initial disclosure sent to the vendor (possibly privately) or my own final public disclosure is linked. For more information, including the disclosures made by the vendors themselves, please refer to the linked CVE listings.
If you want further information on any of these issues, feel free to contact me.
NOTE: Out of date! I'm too busy/lazy to update :)
-
requests: Incorrect redirection and cookie handling leading to session fixation / leaking of cookies
Initial disclosure date: 2015-03-14
Initial disclosure to vendor: CVE-2015-2296_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2015/03/14/4
-
Privoxy: Denial-of-service (release-mode assertion failure) handling crafted chunked-encoded HTTP request
Initial disclosure date: 2015-01-10
Initial disclosure to vendor: CVE-2015-1380_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2015/01/26/4
-
Appweb Web Server: Denial-of-service (null pointer dereference) handling crafted Range HTTP header
Initial disclosure date: 2014-11-26
Initial disclosure to vendor: CVE-2014-9708_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2015/03/28/2
-
GoAhead Web Server: Heap overflow or directory traversal handling crafted HTTP request URIs
Initial disclosure date: 2014-11-23
Initial disclosure to vendor: CVE-2014-9707_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2015/03/28/1
-
Apache Traffic Server: Denial-of-service (release-mode assertion failure) handling crafted HTTP TRACE request
Initial disclosure date: 2014-11-23
Initial disclosure to vendor: CVE-2014-10022_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2015/01/06/4
-
Dokuwiki: LDAP authentication bypass with null-byte usernames
Initial disclosure date: 2014-09-09
Initial disclosure to vendor: CVE-2014-8764_privatediscl.txt
Public disclosure: http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
-
Dokuwiki: LDAP authentication bypass with null-byte passwords
Initial disclosure date: 2014-09-09
Initial disclosure to vendor: CVE-2014-8763_privatediscl.txt
Public disclosure: http://www.freelists.org/post/dokuwiki/Fwd-Dokuwiki-maybe-security-issue-Null-byte-poisoning-in-LDAP-authentication
-
Zend: LDAP authentication bypass with null-byte passwords
Initial disclosure date: 2014-09-09
Initial disclosure to vendor: CVE-2014-8088_privatediscl.txt
Public disclosure: http://framework.zend.com/security/advisory/ZF2014-05
POC / exploit: zendtest.php.txt
-
Joomla: LDAP authentication bypass with null-byte passwords
Initial disclosure date: 2014-09-09
Public disclosure: http://developer.joomla.org/security/594-20140902-core-unauthorised-logins.html
-
Mantis: LDAP authentication bypass with null-byte passwords
Initial disclosure date: 2014-09-09
Initial disclosure to vendor: http://www.mantisbt.org/bugs/view.php?id=17640
Public disclosure: http://www.openwall.com/lists/oss-security/2014/09/12/11
-
Squid: Denial-of-service (assertion failure) handling crafted (Request-)Range HTTP header
Initial disclosure date: 2014-08-26
Initial disclosure to vendor: CVE-2014-3609_privatediscl.txt
Public disclosure: http://www.squid-cache.org/Advisories/SQUID-2014_2.txt
-
Monkey Webserver: Denial-of-service via file handle leak
Initial disclosure date: 2014-08-16
Initial disclosure to vendor: CVE-2014-5336_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/08/18/5
POC / exploit: custom-error-fd-leak-poc.sh
-
Cherokee: LDAP authentication bypass with empty/null-byte passwords
Initial disclosure date: 2014-02-12
Initial disclosure to vendor: CVE-2014-4668_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/06/28/3
-
Horde: LDAP authentication bypass with empty passwords (LDAP server agnostic)
Initial disclosure date: 2014-04-25
Initial disclosure to vendor: CVE-2014-3999_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/06/04/22
-
TeamPass: Multiple XSS vectors in items.php
Initial disclosure date: 2014-05-18
Initial disclosure to vendor: CVE-2014-3771-3774_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/05/18/2
-
TeamPass: Multiple SQL injection vectors in sources/main.queries.php, sources/datatable/* and datatable.logs.php
CVE-2014-3773, OSVDB-107167, OSVDB-107168, OSVDB-107169, OSVDB-107170, OSVDB-107171, OSVDB-107173
Initial disclosure date: 2014-05-18
Initial disclosure to vendor: CVE-2014-3771-3774_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/05/18/2
-
TeamPass: File execution protection bypass via incorrect use of session variables
Initial disclosure date: 2014-05-18
Initial disclosure to vendor: CVE-2014-3771-3774_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/05/18/2
-
TeamPass: File execution protection bypass via language path injection
Initial disclosure date: 2014-05-18
Initial disclosure to vendor: CVE-2014-3771-3774_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/05/18/2
POC / exploit: teampass-lang-exploit.html.txt
-
Linux: Linux kernel floppy disk driver - information (memory address) leak
Initial disclosure date: 2014-04-27
Initial disclosure to vendor: CVE-2014-1737-1738_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/05/09/2
POC / exploit: floppy-disk-exploit.c
-
Linux: Linux kernel floppy disk driver - attacker-controlled kfree
Initial disclosure date: 2014-04-27
Initial disclosure to vendor: CVE-2014-1737-1738_privatediscl.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/05/09/2
POC / exploit: floppy-disk-exploit.c
-
GNUstep: gdomap invalid request handling remote DoS
Initial disclosure date: 2014-04-19
Initial disclosure to vendor: https://savannah.gnu.org/bugs/?41751
Public disclosure: http://seclists.org/oss-sec/2014/q2/143
-
Xen: FLASK_AVC_CACHESTAT suboperation off-by-one hypervisor memory disclosure
Initial disclosure date: 2014-02-06
Initial disclosure to vendor: xen-flask.txt
-
Xen: XSM/Flask flask_copyin_string function integer overflow local DoS
Initial disclosure date: 2014-02-06
Initial disclosure to vendor: xen-flask.txt
-
python-gnupg: Shell injection via mishandled backslash characters
Initial disclosure date: 2014-02-04
Public disclosure: http://www.openwall.com/lists/oss-security/2014/02/04/4
-
Oracle VM VirtualBox: VMMDev HGCM argument type confusion privileged memory disclosure
Initial disclosure date: 2014-01-14
Public disclosure: http://seclists.org/bugtraq/2014/Feb/21
-
Oracle VM VirtualBox: VMMDev SetPointerShape handler malformed request VBox process local DoS
Initial disclosure date: 2014-01-14
Public disclosure: http://seclists.org/bugtraq/2014/Feb/21
-
Oracle VM VirtualBox: Windows shared folder redirector RDBSS FOBX handling local privilege escalation
Initial disclosure date: 2014-01-14
Public disclosure: http://seclists.org/bugtraq/2014/Feb/21
-
Oracle VM VirtualBox: vmmdevHGCMSaveLinPtr AssertRelease crafted HGCM call VBox process local DoS
Initial disclosure date: 2014-01-14
Public disclosure: http://seclists.org/bugtraq/2014/Feb/21
-
Oracle VM VirtualBox: VMMDev HGCM argument size overflow VM Escape
Initial disclosure date: 2014-01-14
Public disclosure: http://seclists.org/bugtraq/2014/Feb/21
-
Tntnet: Crafted HTTP request previous request cross-user disclosure
Initial disclosure date: 2013-12-13
Initial disclosure to vendor: tntnet.txt
Public disclosure: http://www.openwall.com/lists/oss-security/2014/01/18/5
-
Xen: qemu disk backend (qdisk) mapped grant reference leak local DoS
Initial disclosure date: 2013-10-10
-
Xen: libxl_list_cpupool multithreaded toolstack use-after-free local DoS
Initial disclosure date: 2013-10-10
-
Xen: xc_vcpu_getaffinity function multithreaded toolstack use-after-free local DoS
Initial disclosure date: 2013-10-10
-
Xen: libxlu xlu_vif_parse_rate function VIF ratelimiting parsing null pointer dereference local DoS
Initial disclosure date: 2013-10-10
-
Xen: OUTS instruction emulation hypervisor stack content local disclosure
Initial disclosure date: 2013-10-10
Initial disclosure to vendor: xen-outs.txt
-
Xen: libxl allows guest write access to sensitive console related xenstore keys
Initial disclosure date: 2013-06-20
Initial disclosure to vendor: xen-libxl-xs.txt
-
Xen: Multiple vulnerabilities in libelf PV kernel handling
CVE-2013-2194, CVE-2013-2195, CVE-2013-2196
Initial disclosure date: 2013-06-03
Initial disclosure to vendor: xen-libelf.txt
-
Xen: Linux netback DoS via malicious guest ring
Initial disclosure date: 2013-02-05
Initial disclosure to vendor: xen-netback-leak.txt
-
Xen: oxenstored incorrect handling of certain Xenbus ring states
Initial disclosure date: 2013-02-05
-
Xen: several hypercalls do not validate input GFNs
Initial disclosure date: 2012-12-03
Initial disclosure to vendor: xen-gfns.txt
-
Xen: HVMOP_get_mem_access crash / HVMOP_set_mem_access information leak
Initial disclosure date: 2012-12-03
-
Xen: several HVM operations do not validate the range of their inputs
Initial disclosure date: 2012-12-03
-
Xen: Grant table version switch list corruption vulnerability
Initial disclosure date: 2012-12-03
Initial disclosure to vendor: xen-grants.txt
-
Xen: PHYSDEVOP_map_pirq suboperation array indexing local DoS
Initial disclosure date: 2012-09-05
-
Xen: Transcendent Memory (TMEM) hypercall multiple suboperation validation weaknesses local privilege escalation
CVE-2012-3497, CVE-2012-6030, CVE-2012-6031, CVE-2012-6032, CVE-2012-6033, CVE-2012-6034, CVE-2012-6035, CVE-2012-6036, CVE-2012-2497, OSVDB-85199
Initial disclosure date: 2012-09-05
-
Xen: XENMEM_populate_physmap suboperation MEMF_populate_on_demand flag handling local DoS
Initial disclosure date: 2012-09-05
-
Xen: PHYSDEVOP_get_free_pirq suboperation physical IRQ allocation get_free_pirq call return value verification local privilege escalation
Initial disclosure date: 2012-09-05
-
Xen: set_debugreg hypercall missing validation local DoS
Initial disclosure date: 2012-09-05
-
GEAR Software: CD DVD Filter Driver 0x00222000 IOCTL SCSI pass through SCSI message parsing local privilege escalation
Initial disclosure date: 2012-06-07
Initial disclosure to vendor: gear.txt
-
GEAR Software: CD DVD Filter Driver 0x00222000 IOCTL non-paged pool overflow local privilege escalation
Initial disclosure date: 2012-06-07
Initial disclosure to vendor: gear.txt
-
Node.js: HTTP parser crafted request freed memory information disclosure
Initial disclosure date: 2012-05-07
Initial disclosure to vendor: nodejs.txt
-
nginx: ngx_http_mp4_module module MP4 file handling remote overflow
Initial disclosure date: 2012-04-13
Initial disclosure to vendor: nginx-mp4.txt
-
nginx: HTTP response header parser freed memory information disclosure
Initial disclosure date: 2012-03-15
Initial disclosure to vendor: nginx-mem.txt
-
PacketFence: Command injection in guest management and captive portal web interfaces
Initial disclosure date: 2011-10-24
Initial disclosure to vendor: http://www.packetfence.org/bugs/view.php?id=1295
-
PacketFence: Session state shared between captive portal and guest management web interfaces
Initial disclosure date: 2011-10-24
Initial disclosure to vendor: http://www.packetfence.org/bugs/view.php?id=1294
-
PacketFence: Issues with LDAP-based authentication in web administration interface
Initial disclosure date: 2011-10-24
Initial disclosure to vendor: http://www.packetfence.org/bugs/view.php?id=1293
-
PacketFence: XSS in captive portal and web administration interfaces
Initial disclosure date: 2011-10-24
Disclosures before 2011-10-01 are not listed (yet!)