oss-sec mailing list archives

Re: CVE request: Fat Free CRM multiple vulnerabilities


From: cve-assign () mitre org
Date: Tue, 31 Dec 2013 09:57:52 -0500 (EST)


> I can confirm for issue 3 that the disclosure also involves to_xml.
> Please assign the additional CVE ID.

Use CVE-2013-7249.


> Re: denial of service, I don't believe this is an issue as the exploit
> only relates to read operations.

OK, there is no CVE assignment for this. Just for clarification, the
"denial of service" theory was related to:

  https://github.com/fatfreecrm/fat_free_crm/commit/cf26a04b356ad2161c4c6160260eb870a3de5328

specifically:

   -  resources :users, :id => /\d+/ do
   +  resources :users, :id => /\d+/, :except => [:index, :destroy] do
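
Review bot: the `:except => [:index, :destroy]` addition is a router-level change only; this hunk does not touch the users controller, so any `index` or `destroy` action defined there is left in place rather than removed, and no authorization check is added. Per the conclusion in this thread, the commit message should state that this is a route cleanup and not an access-control fix, so that readers do not draw the "destroy = denial of service" inference that prompted the CVE question.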

and:

   -   it "recognizes and generates #destroy" do
   -      { :delete => "/users/1" }.should route_to(:controller => "users", :action => "destroy", :id => "1")
   +    it "doesn't recognize #destroy" do
   +      { :delete => "/users/1" }.should_not be_routable
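
Review bot: the updated spec only pins down the removed #destroy route, while the routes change in the same commit also excludes :index; add a matching `{ :get => "/users" }.should_not be_routable` example so the index removal is covered too, and keep a positive routing example for an action that remains (the `:id => /\d+/` constraint is otherwise not exercised by the lines shown here).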

in which a reader might infer that a "destroy" of some data associated
with a user account would be a denial of service.

Our understanding now is that the presence of ":destroy" in the added
code string:

   , :except => [:index, :destroy]

does not prevent any type of attack, and therefore it is not a
vulnerability fix.

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through http://cve.mitre.org/cve/request_id.html ]