Full Disclosure mailing list archives

Re: Do not use the fix in lib-common.php. Use it in lib-security.php at the /system/ dir


From: Paul Tinsley <pdt () jackhammer org>
Date: Sun, 05 Oct 2003 15:47:57 -0500

So now do we get to bitch at you for breaking Geeklog?

Since you obviously have the right to dig into a bunch of guys who are spending their free time throwing together a "product" for use by anyone who wishes to download it for free. In my eyes you get no level of guaranteed support or even for that matter the right to bitch.

A quick browse to their site shows that they are working to address the issue:

I'm sure by now many of you have heard of the Geeklog security issues that have been posted on lists such as Full Disclosure and Bugtraq.

One of the issues mentioned in that post regards the injection of HTML in the Shoutbox and can easily be addressed, as explained in the story "Fix your Shoutbox!".

The more scary bits, however, are those of the acclaimed SQL injection. Three members of the Geeklog development team have now been trying to reproduce these issues - and failed. That's not to say that the issues do not exist, but it seems they are a lot harder to exploit than the post claims. Even the person reporting the issues couldn't (or wouldn't) produce a working example.

So, we are still looking into it and will come up with a solution to filter these injections, just in case, eventually. In the meantime, it looks like this issue is not as dramatic as it first seemed.

We would also like to point out that the person who published that report didn't contact us before doing so. It could have avoided a lot of confusion and even misinformation (the post even claims to have found the problem in a 2.x version of Geeklog that doesn't exist yet). This is certainly not a very professional way to handle security issues. Regardless, we are taking the claims seriously and we are looking into the matter as we speak.


Hmm... the person who found the vulnerabilities not only didn't contact the "vendor" to give them a chance to fix it but also hasn't been working with them to try and fix it, but has the free time to come and bash them publicly.

Oh and by the way, can I mention how bad of an idea it is to do IP based client blocking on websites? Have you tested your methods from AOL clients or large NAT networks? I bet not.


P.S. - In no way related to the Geeklog development team, just tired of seeing this drivel

Lorenzo Hernandez Garcia-Hierro wrote:

If you use the fix in your lib-common.php you will damage your geeklog
installation.
Use it instead in lib-security.php ;-) at [your geeklog core files, not
html]/system
Include the fix after the <?php tag.
----- THE FIX ----
// Scan every GET parameter against a blacklist of tag names and characters
// and abort the request on the first match.
// eregi() is the PHP 4-era case-insensitive POSIX regex function (removed in PHP 7).
foreach ($HTTP_GET_VARS as $secvalue) {
   if ((eregi("<[^>]*script*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*object*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*iframe*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*applet*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*meta*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*style*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*form*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*img*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*span*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*h1*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*table*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*body*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*pre*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*em*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*input*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*td*\"?[^>]*>", $secvalue)) ||
       (eregi("<[^>]*option*\"?[^>]*>", $secvalue)) ||
       (eregi(";", $secvalue)) ||
       (eregi("'", $secvalue)) ||
       (eregi("´", $secvalue)) ||
       (eregi("`", $secvalue)) ||
       // the plus sign must be escaped: a bare "+" is not a valid regex and never matches
       (eregi("\\+", $secvalue)) ||
       (eregi("\"", $secvalue))) {
      die (";-) whereis lammer lammer: you");
   }
}
----- <<EOF -----

The advantage of this method is that all files of geeklog are using
lib-common.php and the lib-common.php script includes the code of
lib-security.php, so all the things can be controlled by one script; this is
easier than editing all the independent files of the html dir and including
the fix.
Enjoy !
Regards,
------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
---       Security Consultant           ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
D185 3555 8ECD 3921 6B21  ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E
Size: 4096
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://www.nsrg-security.com
______________________


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
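To make the quoted filter's behaviour concrete, here is an added example (not code from the thread, from Geeklog, or from either poster) that ports the blacklist to Python, shows that the unescaped "+" pattern is not a valid regex, shows the filter rejecting ordinary data such as a name with an apostrophe, and contrasts that with a parameterised query, where the same apostrophe is stored as data. Function names and sample inputs are my own constructions.

```python
import re
import sqlite3

# Tag names the quoted lib-security.php filter blacklists.
TAGS = ["script", "object", "iframe", "applet", "meta", "style", "form", "img",
        "span", "h1", "table", "body", "pre", "em", "input", "td", "option"]
# Literal characters it also rejects; U+00B4 is the acute accent shown in the post.
LITERALS = [";", "'", "\u00b4", "`", "+", '"']

# Same shape as the post's eregi() patterns, case-insensitive like eregi().
TAG_PATTERNS = [re.compile(rf'<[^>]*{tag}*"?[^>]*>', re.IGNORECASE) for tag in TAGS]
# The post passes the characters unescaped; escaping here is what makes "+" work.
LITERAL_PATTERNS = [re.compile(re.escape(ch)) for ch in LITERALS]


def blocked_by_posted_filter(value: str) -> bool:
    """True when the quoted filter would die() on this GET parameter value."""
    return any(p.search(value) for p in TAG_PATTERNS + LITERAL_PATTERNS)


def posted_plus_pattern_is_valid() -> bool:
    """The post uses the bare pattern "+"; a quantifier with nothing to repeat is invalid."""
    try:
        re.compile("+")
        return True
    except re.error:
        return False


def store_and_fetch_name(name: str) -> str:
    """Parameterised insert into an in-memory table: quotes in the value stay data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT)")
    con.execute("INSERT INTO users (name) VALUES (?)", (name,))  # placeholder, not string concatenation
    return con.execute("SELECT name FROM users").fetchone()[0]


if __name__ == "__main__":
    # Constructed sample inputs: two benign values the filter rejects, one it lets through.
    for sample in ["O'Brien", "1+1", "hello world", "<SCRIPT>"]:
        print(f"{sample!r}: blocked={blocked_by_posted_filter(sample)}")
    print("bare '+' pattern valid:", posted_plus_pattern_is_valid())
    print("stored via parameter:", store_and_fetch_name("O'Brien"))
```

The benign name and the arithmetic expression are both rejected by the blacklist, while the parameterised query needs no such filtering to handle the apostrophe safely.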

