Vulnerability reporting
Posted by: Alme (---.dyn.estpak.ee)
Date: December 13, 2016 05:33PM

Hello
I would like to report a vulnerability, can you please give me a point of contact as well as your publik pgp key.
Thanks

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: RiggsFolly (Moderator)
Date: December 13, 2016 06:09PM

Please say anything you have to say here.

Note:

If the vulnerability is in Apache report it to the Apache team

If the vulnerability is in MYSQL report it to the MYSQL team

If the vulnerability is in PHP report it to the PHP team

As the bit of WAMPServer that is purely WAMPServer does not do anything open to vulnerabilities I doubt what you have to report is related to pure WAMPServer.


But I would very much like to hear what you think you have discovered.

Also remember that as WAMPServer is delivered with a configuration that does not allow access from anywhere other than the PC running WAMPServer, to Apache or MySQL any vulnerability you believe you have discovered is most likely to be related to configuration changes you yourself have made.

Oh and if you want to communicate privately, please send me a Private Message, as that will only be seen by me.

---------------------------------------------------------------------------------------------
(Windows 10 Pro 64bit) (Wampserver 3.1.8 32bit & 64bit)
<Apache versions MULTIPE> <PHP versions MULTIPLE> <MySQL Versions MULTIPLE>
<MariaDB versions MULTIPLE> <phpMyAdmin versions MULTIPLE> <MySQL Workbench 8.0.16>

Read The Manuals Apache -- MySQL -- PHP -- phpMyAdmin
Get your Apache/MySQL/mariaDB/PHP ADDONs here from the WAMPServer alternate Repo
-X-X-X- Backup your MySQL databases regularly Here is How dont regret it later! Yes even when developing -X-X-X-



Edited 2 time(s). Last edit at 12/13/2016 06:15PM by RiggsFolly.

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Alme (194.204.10.---)
Date: December 14, 2016 04:05PM

Hey RiggsFolly

I sent you a PM

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Alme (88.128.80.---)
Date: December 24, 2016 09:13AM

Hello

Since you do not reply to any of my private messages I am forced to inform you one more time here in public. The vulnerability which I reported to you over two weeks ago has been acknowledged as such by MITRE and they have assigned CVE-2016-10031.

Looking forward to your answer.

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Otomatic (Moderator)
Date: December 24, 2016 05:05PM

Hi,

In the About.. box of Wampserver 3.0.6, there is a valid email address.
Why did not you make contact on this email address?

------------------------------------------------------------------------------------------------------------
Wampserver 3.1.9 32 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27 - MariaDB 10.3.16
Wampserver 3.1.9 64 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27/8.0.17 - MariaDB 10.3.16
PhPMyadmin 4.9.0.1 - MysqlDumper 1.24.5
on W10 and W7 Pro 64 bit
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons
« Ce n'est pas parce qu'ils sont nombreux à avoir tort, qu'ils ont forcément raison. Coluche »
« It's not because they are many to be wrong, they are necessarily right. Coluche »

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Alme (79.106.209.---)
Date: December 24, 2016 11:19PM

Hello

I have sent an email to info@ and admin@
I also wrote a ticket on your bug page: [sourceforge.net]
Wrote here on the forum and sent three private messages to RiggsFolly

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Otomatic (Moderator)
Date: December 25, 2016 09:52AM

Hi,

> I have sent an email to info@ and admin@
There is no evidence that these addresses are valid.

> I also wrote a ticket on your bug page: [sourceforge.net]
For me, Sourceforge is only a file repository and, in no way, a communications platform. I'll see what happens on Sourceforge roughly once every three months.
If this is so problematic and crucial for the security of Wampserver users, and since there are no details at both MITRE and Sourceforge, send me an email via the address of About.

------------------------------------------------------------------------------------------------------------
Wampserver 3.1.9 32 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27 - MariaDB 10.3.16
Wampserver 3.1.9 64 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27/8.0.17 - MariaDB 10.3.16
PhPMyadmin 4.9.0.1 - MysqlDumper 1.24.5
on W10 and W7 Pro 64 bit
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons
« Ce n'est pas parce qu'ils sont nombreux à avoir tort, qu'ils ont forcément raison. Coluche »
« It's not because they are many to be wrong, they are necessarily right. Coluche »

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Alme (79.106.209.---)
Date: December 25, 2016 08:33PM

hello

Drop me your email here and I will forward the message I sent to RiggsFolly 2 weeks ago

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Otomatic (Moderator)
Date: December 26, 2016 09:35AM

Hi,

wampserver[at]otomatic[dot]net

------------------------------------------------------------------------------------------------------------
Wampserver 3.1.9 32 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27 - MariaDB 10.3.16
Wampserver 3.1.9 64 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27/8.0.17 - MariaDB 10.3.16
PhPMyadmin 4.9.0.1 - MysqlDumper 1.24.5
on W10 and W7 Pro 64 bit
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons
« Ce n'est pas parce qu'ils sont nombreux à avoir tort, qu'ils ont forcément raison. Coluche »
« It's not because they are many to be wrong, they are necessarily right. Coluche »

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Otomatic (Moderator)
Date: December 26, 2016 05:43PM

Hi,

I think we should stop telling crap about possible vulnerabilities of Wampserver.

What you sent me as an explanation is ONLY for Apache and Mysql and is an integral part of the documentation for both applications.
These are the procedures recommended by Apache and MySQL to create the services.
So if you really think this is a vulnerability, go directly to Apache and MySQL.

Also, in total opposition to what you are telling, a Windows user who is not in an administrator session can not start the services.

------------------------------------------------------------------------------------------------------------
Wampserver 3.1.9 32 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27 - MariaDB 10.3.16
Wampserver 3.1.9 64 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27/8.0.17 - MariaDB 10.3.16
PhPMyadmin 4.9.0.1 - MysqlDumper 1.24.5
on W10 and W7 Pro 64 bit
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons
« Ce n'est pas parce qu'ils sont nombreux à avoir tort, qu'ils ont forcément raison. Coluche »
« It's not because they are many to be wrong, they are necessarily right. Coluche »

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Alme (79.106.209.---)
Date: December 26, 2016 06:03PM

Hello

Before calling it crap you should at least respect the time I spent to research and also inform you about this. I am doing that entirely on my free time, so the least you should do is show a little respect.

Second of all, this is a vulnerability because for your information starting from windows Vista Microsoft introduced UAC where user SYSTEM and Administrator are totally separate with the second having less access. You can have Admin rights however you still have to elevate your privileges to system in order to have high access.

Last but not least, the issue is not coming from Apache neither from Mysql. Is entirely coming from whoever is working as a developer there starting service applications with wrong permissions. And this is not the first time. Take a look at this reported few weeks ago by a different person:

[packetstormsecurity.com]

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Otomatic (Moderator)
Date: December 26, 2016 06:35PM

Hi,

I particularly love the paragraph: "====Proof-of-Concept===="

« To properly exploit this vulnerability, the local attacker must insert an executable file called mysqld.exe or httpd.exe and replace the original files. Next time service starts the malicious file will get executed as SYSTEM. »

From the moment that "someone" (an attacker) is able to replace files on a PC, we will say that it is the fault of Wampserver, even if it is not on the PC.

The only way to not be vulnerable is to leave the PC switched off permanently.
For my part, we will leave it at that.

------------------------------------------------------------------------------------------------------------
Wampserver 3.1.9 32 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27 - MariaDB 10.3.16
Wampserver 3.1.9 64 bit - Apache 2.4.41 - PHP 7.3.8/7.2.21/7.1.31/7.0.33/5.6.40 - MySQL 5.7.27/8.0.17 - MariaDB 10.3.16
PhPMyadmin 4.9.0.1 - MysqlDumper 1.24.5
on W10 and W7 Pro 64 bit
Documentation Apache - Documentation PHP - Documentation MySQL - Wampserver install files & addons
« Ce n'est pas parce qu'ils sont nombreux à avoir tort, qu'ils ont forcément raison. Coluche »
« It's not because they are many to be wrong, they are necessarily right. Coluche »



Edited 1 time(s). Last edit at 12/26/2016 06:49PM by Otomatic.

Options: ReplyQuote
Re: Vulnerability reporting
Posted by: Alme (79.106.209.---)
Date: December 26, 2016 06:44PM

Hello

Clear

Thank you for your time!

Options: ReplyQuote


Sorry, only registered users may post in this forum.