Improve the layout of the related vulns in the documentation

author: jvoisin 2017-10-10 23:53:15 +0200
committer: jvoisin 2017-10-10 23:53:15 +0200
commit: b8dd5ce7f5d36c969944d425ff1fbe5f200a1dc8 (patch)
tree: c98ca4566838291e58608754404a904c431c30b6 /doc/source
parent: 994e197bcd6107f7af6279f3c897f05017ca22db (diff)
1 files changed, 25 insertions, 5 deletions
diff --git a/doc/source/features.rst b/doc/source/features.rst
index 3aab1a0..3643326 100644
--- a/doc/source/features.rst
+++ b/doc/source/features.rst
@@ -25,7 +25,9 @@ Unfortunately, passing user-controlled parameters to it often leads to arbitrary
 We're mitigating it by filtering the ``$``, ``|``, ``;``, `````, ``\n`` and ``&`` chars in our
 default configuration, making it a lot harder for an attacker to inject arbitrary commands.
-This family of vulnerabilities lead to various CVE entries, like:
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
 - `CVE-2017-7981 <https://tuleap.net/plugins/tracker/?aid=10159>`_: Authenticated remote code execution on Tuleap
 - `CVE-2014-4688 <https://www.pfsense.org/security/advisories/pfSense-SA-14_10.webgui.asc>`_: Authenticated remote code execution on pfSense
@@ -50,7 +52,9 @@ often meaning an arbitrary code execution.
 We're killing it by preventing any extra options in additional_parameters.
-This family of vulnerabilities lead to various CVE, like:
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
 - `CVE-2017-7692 <https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html>`_: Authenticated remote code execution in SquirrelMail
 - `CVE-2016-10074 <https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>`_: remote code execution in SwiftMailer
@@ -100,6 +104,16 @@ inside the script to ensure the file doesn't contain any valid PHP code, with so
  $ php -d vld.execute=0 -d vld.active=1 -d extension=vld.so $file
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
+- `CVE-2017-6090 <https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/>`_: Unauthenticated remote code execution in PhpCollab
+- `EDB-38407 <https://www.exploit-db.com/exploits/38407/>`_: Authenticated remote code execution in GLPI
+- `CVE-2013-5576 <https://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads>`_: Authenticated remote code execution in Joomla
+- `EDB-19154 <https://www.rapid7.com/db/modules/exploit/multi/http/qdpm_upload_exec>`_: Authenticated remote code execution in qdPM
 Unserialize-related magic
 ^^^^^^^^^^^^^^^^^^^^^^^^^
@@ -136,7 +150,9 @@ issues related to the complexity of ``unserialize``'s implementation,
 and the amount of control if provides to an attacker, like `CVE-2016-9137, CVE-2016-9138 <https://bugs.php.net/bug.php?id=73147>`_,
 `2016-7124 <https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773 <https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_.
-This family of vulnerabilities lead to various CVE, like:
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
 - `CVE-2016-???? <https://www.computest.nl/advisories/CT-2016-1110_Observium.txt>`_: Unauthenticated remote code execution in Observium (leading to remote root)
 - `CVE-2016-5726 <http://seclists.org/oss-sec/2016/q2/521>`_: Unauthenticated remote code execution in Simple Machines Forums
@@ -179,7 +195,9 @@ This is of course addressed as well by the ``harden_rand`` feature.
  Activating this feature will raise an `Error <https://secure.php.net/manual/en/class.error.php>`_
  exception if ``min`` is superior to ``max``, while the default dehaviour is simply to swap them.
-This family of vulnerabilities lead to various CVE, like:
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
 - `CVE-2015-5267 <https://moodle.org/mod/forum/discuss.php?d=320291>`_: Unauthenticated accounts takeover in in Moodle
 - `CVE-2014-9624 <https://www.mantisbt.org/bugs/view.php?id=17984>`_: Captcha bypass in MantisBT
@@ -211,7 +229,9 @@ the `libxml_disable_entity_loader <https://secure.php.net/manual/en/function.lib
 function with its parameter set to ``true`` at startup,
 and then *nop'ing* it, so it won't do anything if ever called again.
-This family of vulnerabilities lead to various CVE vulnerabilities, like:
+Examples of related vulnerabilities
+"""""""""""""""""""""""""""""""""""
 - `CVE-2015-5161 <https://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.html>`_: Unauthenticated arbitrary file disclosure on Magento
 - `CVE-2014-8790 <https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944>`_: Unauthenticated remote code execution in GetSimple CMS
author	jvoisin	2017-10-10 23:53:15 +0200
committer	jvoisin	2017-10-10 23:53:15 +0200
commit	b8dd5ce7f5d36c969944d425ff1fbe5f200a1dc8 (patch)
tree	c98ca4566838291e58608754404a904c431c30b6 /doc/source
parent	994e197bcd6107f7af6279f3c897f05017ca22db (diff)

diff --git a/doc/source/features.rst b/doc/source/features.rst index 3aab1a0..3643326 100644 --- a/doc/source/features.rst +++ b/doc/source/features.rst
@@ -25,7 +25,9 @@ Unfortunately, passing user-controlled parameters to it often leads to arbitrary
25	We're mitigating it by filtering the ``$``, ``\|``, ``;``, `````, ``\n`` and ``&`` chars in our	25	We're mitigating it by filtering the ``$``, ``\|``, ``;``, `````, ``\n`` and ``&`` chars in our
26	default configuration, making it a lot harder for an attacker to inject arbitrary commands.	26	default configuration, making it a lot harder for an attacker to inject arbitrary commands.
27		27
28	This family of vulnerabilities lead to various CVE entries, like:	28
		29	Examples of related vulnerabilities
		30	"""""""""""""""""""""""""""""""""""
29		31
30	- `CVE-2017-7981 <https://tuleap.net/plugins/tracker/?aid=10159>`_: Authenticated remote code execution on Tuleap	32	- `CVE-2017-7981 <https://tuleap.net/plugins/tracker/?aid=10159>`_: Authenticated remote code execution on Tuleap
31	- `CVE-2014-4688 <https://www.pfsense.org/security/advisories/pfSense-SA-14_10.webgui.asc>`_: Authenticated remote code execution on pfSense	33	- `CVE-2014-4688 <https://www.pfsense.org/security/advisories/pfSense-SA-14_10.webgui.asc>`_: Authenticated remote code execution on pfSense
@@ -50,7 +52,9 @@ often meaning an arbitrary code execution.
50		52
51	We're killing it by preventing any extra options in additional_parameters.	53	We're killing it by preventing any extra options in additional_parameters.
52		54
53	This family of vulnerabilities lead to various CVE, like:	55
		56	Examples of related vulnerabilities
		57	"""""""""""""""""""""""""""""""""""
54		58
55	- `CVE-2017-7692 <https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html>`_: Authenticated remote code execution in SquirrelMail	59	- `CVE-2017-7692 <https://legalhackers.com/advisories/SquirrelMail-Exploit-Remote-Code-Exec-CVE-2017-7692-Vuln.html>`_: Authenticated remote code execution in SquirrelMail
56	- `CVE-2016-10074 <https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>`_: remote code execution in SwiftMailer	60	- `CVE-2016-10074 <https://legalhackers.com/advisories/SwiftMailer-Exploit-Remote-Code-Exec-CVE-2016-10074-Vuln.html>`_: remote code execution in SwiftMailer
@@ -100,6 +104,16 @@ inside the script to ensure the file doesn't contain any valid PHP code, with so
100		104
101	$ php -d vld.execute=0 -d vld.active=1 -d extension=vld.so $file	105	$ php -d vld.execute=0 -d vld.active=1 -d extension=vld.so $file
102		106
		107
		108	Examples of related vulnerabilities
		109	"""""""""""""""""""""""""""""""""""
		110
		111	- `CVE-2017-6090 <https://sysdream.com/news/lab/2017-09-29-cve-2017-6090-phpcollab-2-5-1-arbitrary-file-upload-unauthenticated/>`_: Unauthenticated remote code execution in PhpCollab
		112	- `EDB-38407 <https://www.exploit-db.com/exploits/38407/>`_: Authenticated remote code execution in GLPI
		113	- `CVE-2013-5576 <https://developer.joomla.org/security/news/563-20130801-core-unauthorised-uploads>`_: Authenticated remote code execution in Joomla
		114	- `EDB-19154 <https://www.rapid7.com/db/modules/exploit/multi/http/qdpm_upload_exec>`_: Authenticated remote code execution in qdPM
		115
		116
103	Unserialize-related magic	117	Unserialize-related magic
104	^^^^^^^^^^^^^^^^^^^^^^^^^	118	^^^^^^^^^^^^^^^^^^^^^^^^^
105		119
@@ -136,7 +150,9 @@ issues related to the complexity of ``unserialize``'s implementation,
136	and the amount of control if provides to an attacker, like `CVE-2016-9137, CVE-2016-9138 <https://bugs.php.net/bug.php?id=73147>`_,	150	and the amount of control if provides to an attacker, like `CVE-2016-9137, CVE-2016-9138 <https://bugs.php.net/bug.php?id=73147>`_,
137	`2016-7124 <https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773 <https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_.	151	`2016-7124 <https://bugs.php.net/bug.php?id=72663>`_, `CVE-2016-5771 and CVE-2016-5773 <https://www.evonide.com/how-we-broke-php-hacked-pornhub-and-earned-20000-dollar/>`_.
138		152
139	This family of vulnerabilities lead to various CVE, like:	153
		154	Examples of related vulnerabilities
		155	"""""""""""""""""""""""""""""""""""
140		156
141	- `CVE-2016-???? <https://www.computest.nl/advisories/CT-2016-1110_Observium.txt>`_: Unauthenticated remote code execution in Observium (leading to remote root)	157	- `CVE-2016-???? <https://www.computest.nl/advisories/CT-2016-1110_Observium.txt>`_: Unauthenticated remote code execution in Observium (leading to remote root)
142	- `CVE-2016-5726 <http://seclists.org/oss-sec/2016/q2/521>`_: Unauthenticated remote code execution in Simple Machines Forums	158	- `CVE-2016-5726 <http://seclists.org/oss-sec/2016/q2/521>`_: Unauthenticated remote code execution in Simple Machines Forums
@@ -179,7 +195,9 @@ This is of course addressed as well by the ``harden_rand`` feature.
179	Activating this feature will raise an `Error <https://secure.php.net/manual/en/class.error.php>`_	195	Activating this feature will raise an `Error <https://secure.php.net/manual/en/class.error.php>`_
180	exception if ``min`` is superior to ``max``, while the default dehaviour is simply to swap them.	196	exception if ``min`` is superior to ``max``, while the default dehaviour is simply to swap them.
181		197
182	This family of vulnerabilities lead to various CVE, like:	198
		199	Examples of related vulnerabilities
		200	"""""""""""""""""""""""""""""""""""
183		201
184	- `CVE-2015-5267 <https://moodle.org/mod/forum/discuss.php?d=320291>`_: Unauthenticated accounts takeover in in Moodle	202	- `CVE-2015-5267 <https://moodle.org/mod/forum/discuss.php?d=320291>`_: Unauthenticated accounts takeover in in Moodle
185	- `CVE-2014-9624 <https://www.mantisbt.org/bugs/view.php?id=17984>`_: Captcha bypass in MantisBT	203	- `CVE-2014-9624 <https://www.mantisbt.org/bugs/view.php?id=17984>`_: Captcha bypass in MantisBT
@@ -211,7 +229,9 @@ the `libxml_disable_entity_loader <https://secure.php.net/manual/en/function.lib
211	function with its parameter set to ``true`` at startup,	229	function with its parameter set to ``true`` at startup,
212	and then nop'ing it, so it won't do anything if ever called again.	230	and then nop'ing it, so it won't do anything if ever called again.
213		231
214	This family of vulnerabilities lead to various CVE vulnerabilities, like:	232
		233	Examples of related vulnerabilities
		234	"""""""""""""""""""""""""""""""""""
215		235
216	- `CVE-2015-5161 <https://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.html>`_: Unauthenticated arbitrary file disclosure on Magento	236	- `CVE-2015-5161 <https://legalhackers.com/advisories/eBay-Magento-XXE-Injection-Vulnerability.html>`_: Unauthenticated arbitrary file disclosure on Magento
217	- `CVE-2014-8790 <https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944>`_: Unauthenticated remote code execution in GetSimple CMS	237	- `CVE-2014-8790 <https://github.com/GetSimpleCMS/GetSimpleCMS/issues/944>`_: Unauthenticated remote code execution in GetSimple CMS