Re: Kevin Johnson BASE <= 1.3.6 authentication bypass

["Johnny Storm" <johnny653 () gmail com>]

> I think your "vulnerability report" sucks (to use your word.)
> 1) You use very unprofessional language
ghhh.

> 2) You provide no links to either Base or the Base+ fork so the reader can
> check for themselves.
learn to read or to use google. (whats on the same top of my posting?)

> 3) You provide no source from the Base+ fork to show how its
> authentication scheme is not vulnerable
it's open source. go - check it yourself.

> 4) You personalize your report by using Kevin's name, in an attempt to
> embarrass him
it seems that you haven't yet noticed what is the name
of his *security* product ;-)

> 5) You provide no evidence that you have ever contacted the Base project
> and notified them of your "discovery"
full disclosure.

> 6) You don't even mention that an authentication vulnerability was
> **reported and fixed** more than a year ago, nor do you mention how your
> report relates to that vulnerability [1][2][3]
you haven't done your homework. this vulnerability has nothing
to do with those you discovered.

> 7) You don't explain that the code you posted is not part of the
> authentication system and that the auth code is in base_auth_inc.php.
learn to read. lol.

> 8) You don't explain what you mean by "what if not?"  The answer is, if
> not, then authentication is required, you do have a role and you have
> already authenticated.
at this point you prove that you have no clue.
please, stfu and go offlist noob.


On 6/5/07, Paul Schmehl <pauls () utdallas edu> wrote:
> --On June 4, 2007 10:35:40 PM +0300 Johnny Storm <johnny653 () gmail com>
> wrote:
>
> > Basic Analysis and Security Engine (BASE)
> > (http://base.secureideas.net/)
> >
> >
> > One more security product with lame bugs...
> >
> > Let's look at Kevin's authentication code,
> > for example in base_main.php (all pages vulnerable):
> >
> >  [...]
> >  64   // Check role out and redirect if needed -- Kevin
> >   65   $roleneeded = 10000;
> >   66   $BUser = new BaseUser();
> >   67   //if (($Use_Auth_System == 1) && ($BUser->hasRole($roleneeded) ==
> > 0))  68   if ($Use_Auth_System == 1)
> >  69   {
> >   70       if ($BUser->hasRole($roleneeded) == 0)
> >  71       {
> >   72           header("Location: $BASE_urlpath/index.php");
> >  73       }
> >  74   }
> >  [...]
> >
> > Where is bug?
> > Yes, your browser will redirect after received location header,
> > but what if not? ;-)
> >
> > Test with curl. This is not first authentication issue in BASE,
> > putting at risk users which use BASE authentication feature.
> > Google shows up many installations protected by this feature.
> >
> > All BASE versions with authentication are vulnerable.
> > ACID is not vulnerable, since it doesn't has such feature.
> > BASE+ fork has fixed this issue year ago.
> >
> > Use your web server authentication or BASE+, which sucks less.
> I think your "vulnerability report" sucks (to use your word.)
> 1) You use very unprofessional language
> 2) You provide no links to either Base or the Base+ fork so the reader can
> check for themselves.
> 3) You provide no source from the Base+ fork to show how its
> authentication scheme is not vulnerable
> 4) You personalize your report by using Kevin's name, in an attempt to
> embarrass him
> 5) You provide no evidence that you have ever contacted the Base project
> and notified them of your "discovery"
> 6) You don't even mention that an authentication vulnerability was
> **reported and fixed** more than a year ago, nor do you mention how your
> report relates to that vulnerability [1][2][3]
> 7) You don't explain that the code you posted is not part of the
> authentication system and that the auth code is in base_auth_inc.php.
> 8) You don't explain what you mean by "what if not?"  The answer is, if
> not, then authentication is required, you do have a role and you have
> already authenticated.
>
> [1] <http://www.securityfocus.com/bid/17354>
> [2] <http://www.nessus.org/plugins/index.php?view=single&id=21174>
> [3] <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1505>
>
> Paul Schmehl (pauls () utdallas edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/