Full Disclosure mailing list archives
Re: Re: I have fixes for the Geeklog vulnerabilities
From: "Lorenzo Hernandez Garcia-Hierro" <lorenzohgh () nsrg-security com>
Date: Wed, 8 Oct 2003 19:04:01 +0200
Hi jelmer, you are completely right, MySQL versions 4.x are affected directly, but there are sufficient commands and codes to design successful queries in other versions. And again I must say that Dirk was lying when he said that I reported false vulnerabilities; a good example of this is that somebody accessed a non-protected part of my server database (using MySQL 3.53) and changed the layout in a funny way (a good reason to design the fix, non-official). I installed a MySQL 4 server on a server in my home network and I could drop one table of the database. And jelmer, your exploit is amazing; is Python the future of exploits? ;-) If you want I will add your exploit to the group website. Murphy must add the rocket science bible ;-) all of us will understand it! cxondo. I'm happy when I know that there are good people and real professionals in this world.

Another thing that I don't like is that those developers, such as Dirk and the Gator staff, say: oh! he is only 14 years old! he doesn't know what things he says... It is stupid, age does not matter, only experience, and I'm not very old in this, only 2-3 years reporting this kind of issue. When I was 7 I started here in Spain to learn computers; in 2001-02 I reported my first vulnerability. My English was worse then, but I never want to waste people's time; life is gold, time is gold, but responsibility is double that. And Bill Gates and M$ developers are really much older than me but they design really insecure products; it is not the same, but it is an example.

Another thing that is a bit silly is that, if someone reports a vulnerability in a product such as Geeklog, and this product is used by lots of people, why don't you want to patch it? Lots of users are vulnerable, and, in the case of XSS attacks + SQL injections, it's really simple: script kiddies that only think of FUCKING people and DESCOJONAR (roughly "wrecking"; this is for my mates in Spain, a bit of Spanglish ;-) will disturb people using Geeklog. And as for the reason "only versions 4.1 of MySQL are vulnerable and it is not used": do you know, Dirk, all the people using Geeklog? Users of webhosting services that use those versions are vulnerable; is it their responsibility? It is stupid to think so, and in addition other versions are affected.

Another point: you said "non-existent version of..."; it is true, I was using an old report to make it, I replaced the contents with the Geeklog report and I made a mistake with the versions. It is human to make errors, but the really important thing is to recognize them. Of course I don't want to tell my life story in this post. [Full-Disclosure is NOT a greengrocer's shop, kid! Let's see if we leak a bit less oil, eh...] (The last phrase is a typical expression these days.) Full Disclosure is not a list for posting aggressive things.

Thanks to jelmer for the last post and his exploit in Python. Thanks to all the fantastic Full-Disclosure people for being patient with these last weeks and the Geeklog issues.

------------------------------------------------------
Lorenzo Hernandez Garcia-Hierro
--- Security Consultant ---
------------------NSRGroup-------------------
PGP: Keyfingerprint D185 3555 8ECD 3921 6B21 ACC6 CEBB 2826 4B4C 283E
ID: 0x4B4C283E Size: 4096
**********************************
NSRGroup (No Secure Root Group Security Research Team) / (NovaPPC Security Research Group)
http://www.nsrg-security.com
______________________

----- Original Message -----
From: "jelmer" <jkuperus () planet nl>
To: "Dirk Haun" <dirk () haun-online de>; <full-disclosure () lists netsys com>; <bugtraq () securityfocus com>
Sent: Wednesday, October 08, 2003 2:23 AM
Subject: Re: [Full-disclosure] Re: I have fixes for the Geeklog vulnerabilities
Dirk,

OK, let me get this straight. Basically what you're saying is: he's correct on one point, the XSS issue, and the others "might possibly affect MySQL 4.1" (it does), and then you go about and tell him how he wasted everybody's time. So if it affects only 1% of your userbase it's not an issue and you shouldn't be reporting it? Even on MySQL 3 it's probably possible to construct some URL that will suck up a lot of resources on your site. You claim "Three members of the Geeklog development team have now been trying to reproduce these issues and failed"; wouldn't your time have been better spent *fixing* these issues? It's hardly rocket science. Why wait until someone comes up with a clever way to exploit it? It's obviously a risk; why wait until it becomes a threat? IMHO you've got the wrong attitude.

Anyway, I am not done yet. I don't normally "do" SQL injection, but being annoyed with your response as I was, I took a quick look at this Geeklog, and I was stunned at how insecure it was:

- It by default stores the password hash in a cookie; you can't turn that off.
- You don't have to enter your old password in order to change it.

This means that any XSS issue in this site will lead to compromises of accounts: you can steal the hash and userID, place it in your cookie, log in and voila. If you do this you have to be *EXTREMELY* wary of XSS issues. Well, you're not; you can find these all over the place. All the classics just work, like <img src="javascript:alert()"> and <b style="background-image: url(javascript:alert(document))">test</b> in the forum. I won't even bother listing all the issues. Parameters passed in URLs that get inserted into queries get sanitized hardly anywhere. I attached a Python script that should crack any user's account who ever posted to the forums in under half an hour: just get the hash, stuff it and the accompanying user id in a cookie, get to the site and change the password. The exploit is rather messy and I haven't tested it too thoroughly, but it should work (I think :) ). Note this is a separate issue from the ones reported by Lorenzo, but again, these issues are all over the place.

--jelmer

----- Original Message -----
From: "Dirk Haun" <dirk () haun-online de>
To: <full-disclosure () lists netsys com>
Sent: Sunday, October 05, 2003 11:03 PM
Subject: [Full-disclosure] Re: I have fixes for the Geeklog vulnerabilities
Lorenzo Hernandez Garcia-Hierro wrote:

> Due to the completely incorrect treatment and work of the Geeklog development team, that they haven't developed fixes for THEIR product

As a member of the Geeklog Development Team, I'd like to point out that the poster of the above lines did not bother to contact us, neither with his original findings nor with these patches. Talk about incorrect treatment.

Furthermore, of the original findings (posted here and on BugTraq a week ago), only the Shoutbox issue has been confirmed (and a patch is available on the Geeklog website). None of the supposed SQL injection issues that Lorenzo Hernandez Garcia-Hierro claims to have found could be confirmed by us or members of the Geeklog community. We can only assume that he only noticed that, when attempting to inject SQL into URLs, Geeklog would produce SQL errors, and from that he seems to have deduced that Geeklog was vulnerable to SQL injections. When asked to explain his findings, he couldn't (or wouldn't) come up with a working example either.

Now, there's no doubt that Geeklog could do a better job in filtering these attempts. Work on that is currently under way, which we would have told Lorenzo Hernandez Garcia-Hierro if he had bothered to contact us. Potential problems that we have found so far:

- the SQL error message displayed by Geeklog could, in theory, leak sensitive information
- sites where the PHP magic_quotes setting is OFF are slightly more prone to the (alleged) injections than when it's ON
- sites running on MySQL 4.1 (which is currently in alpha state and not ready for production use) are at a higher risk since MySQL 4.1 allows concatenation of SQL requests (which previous versions didn't)

We have informed our users about these issues on the Geeklog homepage and will continue to do so. We value security very highly, but we prefer to handle it in a non-sensationalist way. We would have preferred to come up with a solution to the problems and then post a detailed analysis of the problems here (and on BugTraq). With his failure to contact the developers, Lorenzo Hernandez Garcia-Hierro has yet again caused more confusion than actually helping the situation.

Overall, this is a textbook example of how NOT to handle security issues. By not contacting the developers, posting a report full of inaccuracies, and, in the end, mostly non-working examples, Lorenzo Hernandez Garcia-Hierro has caused uncertainty and confusion amongst the Geeklog users and basically wasted everyone's time, including that of the developers.

Dirk Haun, Maintainer of the Geeklog 1.3.x branch, Geeklog Development Team
--
http://www.geeklog.net/
http://geeklog.info/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
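As an added illustration of the two design points jelmer raises (a cookie that carries the password hash itself, and a password change that does not ask for the current password), the following constructed Python sketch contrasts that weak scheme with an opaque HttpOnly session token and a re-authenticating password change. This is not code from the thread or from Geeklog; the in-memory user store, cookie names and PBKDF2 hashing are assumptions made for the example.

```python
import hashlib, hmac, secrets
from http.cookies import SimpleCookie

# Constructed in-memory stores (assumptions, not Geeklog's schema).
USERS = {}     # uid -> (salt, PBKDF2 digest)
SESSIONS = {}  # opaque session id -> uid, kept server side only

def register(uid, password):
    salt = secrets.token_bytes(16)
    USERS[uid] = (salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000))

def verify_password(uid, password):
    salt, digest = USERS[uid]
    return hmac.compare_digest(hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000), digest)

# Weak design jelmer describes: the cookie itself carries the stored hash, so any script
# that can read document.cookie (i.e. an XSS) holds a replayable credential.
def weak_login_cookie(uid):
    cookie = SimpleCookie()
    cookie["auth"] = f"{uid}:{USERS[uid][1].hex()}"  # no HttpOnly: readable by page scripts
    return cookie

def weak_user_from_cookie(cookie_header):
    uid, sent_hash = SimpleCookie(cookie_header)["auth"].value.split(":", 1)
    return uid if uid in USERS and hmac.compare_digest(USERS[uid][1].hex(), sent_hash) else None

# Hardened design: a random opaque session id mapped server side, marked HttpOnly/Secure
# so page scripts cannot read it, and revocable without touching the password hash.
def session_cookie(uid):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = uid
    cookie = SimpleCookie()
    cookie["sid"] = sid
    cookie["sid"]["httponly"] = True
    cookie["sid"]["secure"] = True
    return cookie

def user_from_session(cookie_header):
    cookie = SimpleCookie(cookie_header)
    return SESSIONS.get(cookie["sid"].value) if "sid" in cookie else None

# Password change re-verifies the current password (jelmer's second point) and then
# revokes every session of that user, so a hijacked session dies with the old password.
def change_password(uid, current, new):
    if not verify_password(uid, current):
        return False
    register(uid, new)
    for sid in [s for s, u in SESSIONS.items() if u == uid]:
        del SESSIONS[sid]
    return True
```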