Full Disclosure mailing list archives

Re: Re: I have fixes for the Geeklog vulnerabilities


From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Wed, 8 Oct 2003 19:04:01 +0200

Hi jelmer,
you are completely right, MySQL versions 4.x are affected directly, but
there are sufficient commands and codes to design successful queries in
other versions.
And again I must say that Dirk was lying when he said that I reported false
vulnerabilities; a good example of this is that somebody accessed a
non-protected part of my server database (using MySQL 3.53) and changed
the layout in a funny way (a good reason to design the fix, non-official).
I installed a MySQL 4 server on a server of my home network and I could
drop one table of the database.
And jelmer, your exploit is amazing; is Python the future of exploits?
;-)
If you want, I will add your exploit to the group website.
Murphy must add the rocket science bible ;-) all of us will understand it!
cxondo.

I'm happy when I know that there are good people and real professionals in
this world.
Another thing that I don't like is that those developers, such as Dirk and
the Gator staff, say: oh! he is only 14 years old! he doesn't know what
things he says...
It is stupid; age does not matter, only experience, and I'm not very old in
this, only 2-3 years reporting this kind of issues. When I was 7 I started
here in Spain to learn computers; in 2001-02 I reported my first
vulnerability. My English was worse then, but I never wanted to waste
people's time; life is gold, time is gold, but responsibility is double.
And Bill Gates and the M$ developers are really older than me, but they
design really insecure products; it is not the same, but it is an example.

Another thing that is a bit silly is that, if someone reports a
vulnerability in a product such as Geeklog, and this product is used by
lots of people, why don't you want to patch it? Lots of users are
vulnerable, and, in the case of XSS attacks + SQL injections, it's really
simple: script kiddies that only think about FUCKING people and DESCOJONAR
(roughly "wrecking things"; this one is for the mates from Spain, a bit of
Spanglish ;-) will disturb people using Geeklog. And the reasoning of
"only versions 4.1 of MySQL are vulnerable and it is not used": do you
know, Dirk, all the people using Geeklog? Users of webhosting services
that use those versions are vulnerable; is it their responsibility? It is
stupid to think it; in addition, other versions are affected.

Another point, what you said about the "non-existent version of..." is
true; I was using an old report to make it, I replaced the contents with
the Geeklog report and I made a mistake with the versions. It is human to
make errors, but the really important thing is to recognize them.

Of course I don't want to tell my life story in this post, [Full-Disclosure
is NOT a vegetable market, kid! Let's see if we leak a bit less oil, eh...]
(the last phrase is a typical expression these days). Full-Disclosure is
not a list for posting aggressive things.


Thanks to jelmer for the last post and his exploit in Python.

Thanks to all the fantastic Full-Disclosure people for being patient these
last weeks with the Geeklog issues.


------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
---       Security Consultant           ---
------------------NSRGroup-------------------
PGP: Keyfingerprint
D185 3555 8ECD 3921 6B21  ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E
Size: 4096
**********************************
NSRGroup
( No Secure Root Group Security Research Team ) /
( NovaPPC Security Research Group )
http://www.nsrg-security.com
______________________
----- Original Message ----- 
From: "jelmer" <jkuperus () planet nl>
To: "Dirk Haun" <dirk () haun-online de>; <full-disclosure () lists netsys com>;
<bugtraq () securityfocus com>
Sent: Wednesday, October 08, 2003 2:23 AM
Subject: Re: [Full-disclosure] Re: I have fixes for the Geeklog
vulnerabilities


Dirk,

Ok let me get this straight, basically what you're saying is,
"He's correct on one point, the XSS issue, and the others might possibly
affect MySQL 4.1" (it does)
and then you go about and tell him how he wasted everybody's time.
So if it affects only 1% of your userbase it's not an issue and you
shouldn't be reporting it?
Even on MySQL 3 it's probably possible to construct some URL that will suck
up a lot of resources.

On your site you claim "Three members of the Geeklog development team have
now been trying to reproduce these issues and failed"; wouldn't your time
have been better spent *fixing* these issues? It's hardly rocket science.
Why wait until someone comes up with a clever way to exploit it? It's
obviously a risk, why wait until it becomes a threat?

IMHO you've got the wrong attitude. Anyway, I am not done yet.
I don't normally "do" SQL injection, but being annoyed with your response
as I was, I took a quick look at this Geeklog, and I was stunned at how
insecure it was:

- It by default stores the password hash in a cookie; you can't turn that
off
- You don't have to enter your old password in order to change it

This means that any XSS issue in this site will lead to compromises of
accounts: you can steal the hash and user ID, place it in your cookie, log
in and voila. If you do this you have to be *EXTREMELY* wary of XSS issues;
well, you're not, you can find these all over the place.

All the classics just work, like

<img src="javascript:alert()">

<b style="background-image: url(javascript:alert(document))">test</b>

in the forum. I won't even bother listing all the issues.

Parameters passed in URLs that get inserted into queries get sanitized
hardly anywhere.
I attached a Python script that should crack any user's account who ever
posted to the forums in under half an hour: just get the hash, stuff it
and the accompanying user ID in a cookie, get to the site and change the
password.
The exploit is rather messy and I haven't tested it too thoroughly, but it
should work (I think :) ). Note this is a separate issue from the ones
reported by Lorenzo, but again these issues are all over the place.


--jelmer
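The two design flaws jelmer lists above (password hash in the cookie, password change without the old password) have a standard fix. The following is an added example, not Geeklog's code and not jelmer's script: it keeps the hash server-side, hands the browser only a random expiring session token, and revokes all sessions on a password change that requires the current password. Store names and the PBKDF2 parameters are assumptions for the demo.

```python
# Added example, not Geeklog's code: replaces the "user id + password hash in
# a cookie" scheme jelmer describes (password-equivalent, replayable once
# stolen via XSS) with a random server-side session token that expires and is
# revoked on a password change that requires the current password.
import hashlib, hmac, os, secrets, time
USERS = {}          # uid -> {"salt": bytes, "hash": bytes} (constructed store)
SESSIONS = {}       # token -> {"uid": int, "expires": float}
SESSION_TTL = 1800  # seconds

def _hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
def _check_pw(uid: int, password: str) -> bool:
    u = USERS[uid]
    return hmac.compare_digest(_hash_pw(password, u["salt"]), u["hash"])
def create_user(uid: int, password: str) -> None:
    salt = os.urandom(16)
    USERS[uid] = {"salt": salt, "hash": _hash_pw(password, salt)}

def login(uid: int, password: str) -> str:
    """Issue a random token; the hash itself never leaves the server."""
    if not _check_pw(uid, password):
        raise PermissionError("bad password")
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = {"uid": uid, "expires": time.time() + SESSION_TTL}
    return token

def user_for_token(token: str):
    s = SESSIONS.get(token)
    if s is None or s["expires"] < time.time():
        SESSIONS.pop(token, None)  # unknown or expired: treat as logged out
        return None
    return s["uid"]

def change_password(uid: int, old: str, new: str) -> bool:
    """Demand the current password, then drop all of the user's sessions."""
    if not _check_pw(uid, old):
        return False
    create_user(uid, new)  # new salt and hash
    for t in [t for t, s in SESSIONS.items() if s["uid"] == uid]:
        del SESSIONS[t]  # a token stolen earlier stops working too
    return True

def scenario() -> dict:
    """Constructed walk-through returning the checks a test can assert on."""
    create_user(7, "old-pass")
    tok = login(7, "old-pass")
    return {"valid": user_for_token(tok) == 7,
            "unknown_rejected": user_for_token("not-a-token") is None,
            "wrong_old_rejected": change_password(7, "wrong", "x") is False,
            "changed": change_password(7, "old-pass", "new-pass"),
            "old_token_revoked": user_for_token(tok) is None}
```

In a real deployment the cookie carrying the token would also be set HttpOnly and Secure so script injected through an XSS bug cannot read it at all.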




----- Original Message ----- 
From: "Dirk Haun" <dirk () haun-online de>
To: <full-disclosure () lists netsys com>
Sent: Sunday, October 05, 2003 11:03 PM
Subject: [Full-disclosure] Re: I have fixes for the Geeklog
vulnerabilities


Lorenzo Hernandez Garcia-Hierro wrote:

Due to the completely incorrect treatment and work of the Geeklog
development team, in that they didn't develop fixes for THEIR product

As a member of the Geeklog Development Team, I'd like to point out that
the poster of the above lines did not bother to contact us, neither with
his original findings nor with these patches. Talk about incorrect
treatment.

Furthermore, of the original findings (posted here and on BugTraq a week
ago), only the Shoutbox issue has been confirmed (and a patch is
available on the Geeklog website).

None of the supposed SQL injection issues that Lorenzo Hernandez
Garcia-Hierro claims to have found could be confirmed by us or members of
the Geeklog community. We can only assume that he only noticed that when
attempting to inject SQL into URLs, Geeklog would produce SQL errors and
from that he seems to have deduced that Geeklog was vulnerable to SQL
injections. When asked to explain his findings, he couldn't (or wouldn't)
come up with a working example either.

Now, there's no doubt that Geeklog could do a better job in filtering
these attempts. Work on that is currently under way - which we would have
told Lorenzo Hernandez Garcia-Hierro if he had bothered to contact us.

Potential problems that we have found so far:

- the SQL error message displayed by Geeklog could, in theory, leak
sensitive information
- sites where the PHP magic_quotes setting is OFF are slightly more prone
to the (alleged) injections than when it's ON
- sites running on MySQL 4.1 (which is currently in alpha state and not
ready for production use) are at a higher risk since MySQL 4.1 allows
concatenation of SQL requests (which previous versions didn't)

We have informed our users about these issues on the Geeklog homepage and
will continue to do so. We value security very highly, but we prefer to
handle it in a non-sensationalist way. We would have preferred to come up
with a solution to the problems and then post a detailed analysis of the
problems here (and on BugTraq). With his failure to contact the
developers, Lorenzo Hernandez Garcia-Hierro has yet again caused more
confusion than actually helping the situation.

Overall, this is a textbook example of how NOT to handle security issues.
By not contacting the developers, posting a report full of inaccuracies,
and, in the end, mostly non-working examples, Lorenzo Hernandez
Garcia-Hierro has caused uncertainty and confusion amongst the Geeklog
users and basically wasted everyone's time, including that of the
developers.

Dirk Haun,
Maintainer of the Geeklog 1.3.x branch,
Geeklog Development Team


-- 
http://www.geeklog.net/
http://geeklog.info/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
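Dirk's three bullets (the displayed SQL error, magic_quotes OFF versus ON, and statement stacking on MySQL 4.1) fit together in one small demonstration. The following is an added example, not Geeklog's code: it uses an in-memory sqlite3 table with constructed sample rows, an addslashes() stand-in for what magic_quotes does to request data, and contrasts a concatenated numeric URL parameter with a validated, bound one; table, column and function names are assumptions for the demo.

```python
# Added example, not Geeklog's code. Dirk's list names magic_quotes (which
# backslash-escapes quotes in request data, like addslashes()) as a partial
# mitigation and the displayed SQL error as a leak. This sqlite3 demo shows
# the gap: escaping only matters for a parameter the query wraps in quotes;
# a bare numeric id is concatenated untouched. The fix validates the id to an
# int, binds it, and logs errors instead of returning them to the page.
import logging, sqlite3

log = logging.getLogger("db")
db = sqlite3.connect(":memory:")
db.executescript("""
    CREATE TABLE stories(sid INTEGER, title TEXT, draft INTEGER);
    INSERT INTO stories VALUES (1, 'Public story', 0), (2, 'Secret draft', 1);
""")  # constructed sample data

def addslashes(s: str) -> str:
    """Approximates what PHP's magic_quotes_gpc does to request data."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def public_titles_concat(sid_param: str) -> list:
    """Vulnerable pattern: numeric URL parameter concatenated without quotes,
    so magic_quotes-style escaping leaves 'OR' conditions intact."""
    sql = "SELECT title FROM stories WHERE draft=0 AND sid=" + addslashes(sid_param)
    return [r[0] for r in db.execute(sql)]

def leaky_error(sid_param: str) -> str:
    """What a page that prints the raw DB error would reveal (column names,
    table layout) when the concatenated query fails to parse."""
    try:
        public_titles_concat(sid_param)
        return ""
    except sqlite3.Error as e:
        return str(e)

def public_titles_safe(sid_param: str) -> list:
    """Fixed pattern: strict int validation plus a bound parameter. execute()
    also runs exactly one statement, so stacked queries cannot sneak in."""
    try:
        sid = int(sid_param)
    except ValueError:
        log.warning("rejected non-numeric story id %r", sid_param)
        return []
    try:
        rows = db.execute(
            "SELECT title FROM stories WHERE draft=0 AND sid=?", (sid,))
        return [r[0] for r in rows]
    except sqlite3.Error as e:
        log.error("query failed for sid=%d: %s", sid, e)  # detail stays in the log
        return []
```

The concatenated version returns the draft row for a non-numeric id and surfaces the parser's error text, while the bound version returns only public rows and keeps the error in the server log.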


