Re: Kevin Johnson BASE <= 1.3.6 authentication bypass

["Johnny Storm" <johnny653 () gmail com>]

hey kitty's!
please, keep your non-technical bullshit offlist.

i have made very clear what is vulnerable and what is not
where it is and how to reproduce it.

so stop bullshitting and go get some milk.


On 6/5/07, Kradorex Xeron <admin () digibase ca> wrote:
> I'm not going to bother commenting on your specific sections, so I'll top-post
> so as not to expose people to the bad content of the previous message:
>
> Okay...
> 1. You claim this is "Full Disclosure" yet you fail to disclose alot of the
> information required to make an accurate advisory, THEN you proceed to tell
> people to google for it themselves. If you post it in that context, What
> relevance is your "advisory"? Why did you post it at all if you supply little
> to no source information, and no proof? Without that information,
> this "advisory" is useless.
>
> 2. This is a list designed for professionals and those who know what they're
> talking about in a "loosened up" environment that we don't feel we'll get
> moderated for stuff we post.
>
> 3. You then proceed to use someone else's name to do what exactly? Your
> attempts at defaming Kevin Johnson made you yourself defamed instead as it
> makes you appear egotistical and trying to bring someone else down for your
> own glory. You failed.
>
> 4. While on this list, Try to speak professionally, and don't talk like you're
> some script kiddie that's urging to get some glory. From my perspective,
> that's what you are doing. If you don't want to be interpreted as that, use
> good form, dont' use "STFU", "LOL" and/or such more than one time per post.
>
> Thank you,
> Krad Xeron
>
> On Tuesday 05 June 2007 13:48, Johnny Storm wrote:
> > > I think your "vulnerability report" sucks (to use your word.)
> > > 1) You use very unprofessional language
> >
> > ghhh.
> >
> > > 2) You provide no links to either Base or the Base+ fork so the reader can
> > > check for themselves.
> >
> > learn to read or to use google. (whats on the same top of my posting?)
> >
> > > 3) You provide no source from the Base+ fork to show how its
> > > authentication scheme is not vulnerable
> >
> > it's open source. go - check it yourself.
> >
> > > 4) You personalize your report by using Kevin's name, in an attempt to
> > > embarrass him
> >
> > it seems that you haven't yet noticed what is the name
> > of his *security* product ;-)
> >
> > > 5) You provide no evidence that you have ever contacted the Base project
> > > and notified them of your "discovery"
> >
> > full disclosure.
> >
> > > 6) You don't even mention that an authentication vulnerability was
> > > **reported and fixed** more than a year ago, nor do you mention how your
> > > report relates to that vulnerability [1][2][3]
> >
> > you haven't done your homework. this vulnerability has nothing
> > to do with those you discovered.
> >
> > > 7) You don't explain that the code you posted is not part of the
> > > authentication system and that the auth code is in base_auth_inc.php.
> >
> > learn to read. lol.
> >
> > > 8) You don't explain what you mean by "what if not?"  The answer is, if
> > > not, then authentication is required, you do have a role and you have
> > > already authenticated.
> >
> > at this point you prove that you have no clue.
> > please, stfu and go offlist noob.
> >
> > On 6/5/07, Paul Schmehl <pauls () utdallas edu> wrote:
> > > --On June 4, 2007 10:35:40 PM +0300 Johnny Storm <johnny653 () gmail com>
> > >
> > > wrote:
> > > > Basic Analysis and Security Engine (BASE)
> > > > (http://base.secureideas.net/)
> > > >
> > > >
> > > > One more security product with lame bugs...
> > > >
> > > > Let's look at Kevin's authentication code,
> > > > for example in base_main.php (all pages vulnerable):
> > > >
> > > >  [...]
> > > >  64   // Check role out and redirect if needed -- Kevin
> > > >   65   $roleneeded = 10000;
> > > >   66   $BUser = new BaseUser();
> > > >   67   //if (($Use_Auth_System == 1) && ($BUser->hasRole($roleneeded)
> > > > == 0))  68   if ($Use_Auth_System == 1)
> > > >  69   {
> > > >   70       if ($BUser->hasRole($roleneeded) == 0)
> > > >  71       {
> > > >   72           header("Location: $BASE_urlpath/index.php");
> > > >  73       }
> > > >  74   }
> > > >  [...]
> > > >
> > > > Where is bug?
> > > > Yes, your browser will redirect after received location header,
> > > > but what if not? ;-)
> > > >
> > > > Test with curl. This is not first authentication issue in BASE,
> > > > putting at risk users which use BASE authentication feature.
> > > > Google shows up many installations protected by this feature.
> > > >
> > > > All BASE versions with authentication are vulnerable.
> > > > ACID is not vulnerable, since it doesn't has such feature.
> > > > BASE+ fork has fixed this issue year ago.
> > > >
> > > > Use your web server authentication or BASE+, which sucks less.
> > >
> > > I think your "vulnerability report" sucks (to use your word.)
> > > 1) You use very unprofessional language
> > > 2) You provide no links to either Base or the Base+ fork so the reader
> > > can check for themselves.
> > > 3) You provide no source from the Base+ fork to show how its
> > > authentication scheme is not vulnerable
> > > 4) You personalize your report by using Kevin's name, in an attempt to
> > > embarrass him
> > > 5) You provide no evidence that you have ever contacted the Base project
> > > and notified them of your "discovery"
> > > 6) You don't even mention that an authentication vulnerability was
> > > **reported and fixed** more than a year ago, nor do you mention how your
> > > report relates to that vulnerability [1][2][3]
> > > 7) You don't explain that the code you posted is not part of the
> > > authentication system and that the auth code is in base_auth_inc.php.
> > > 8) You don't explain what you mean by "what if not?"  The answer is, if
> > > not, then authentication is required, you do have a role and you have
> > > already authenticated.
> > >
> > > [1] <http://www.securityfocus.com/bid/17354>
> > > [2] <http://www.nessus.org/plugins/index.php?view=single&id=21174>
> > > [3] <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1505>
> > >
> > > Paul Schmehl (pauls () utdallas edu)
> > > Senior Information Security Analyst
> > > The University of Texas at Dallas
> > > http://www.utdallas.edu/ir/security/
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
> >
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > Hosted and sponsored by Secunia - http://secunia.com/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/