Message-ID: <20060627153439.GA6300@merlins.org>
Date: Tue, 27 Jun 2006 08:34:39 -0700
From: Marc MERLIN <marc_news@...lins.org>
To: bugtraq@...urityfocus.com
Subject: Re: [MajorSecurity #18] Ralf Image Gallery <=0.7.4  - Multiple XSS, Remote File Include and directory traversal vulnerabilities

On Tue, Jun 20, 2006 at 02:32:16PM -0000, admin@...orsecurity.de wrote:
> Credits:
> ----------------------------------------------
> Discovered by: David "Aesthetico" Vieira-Kurz
> http://www.majorsecurity.de
> 
> Original Advisory:
> ----------------------------------------------
> http://www.majorsecurity.de/advisory/major_rls18.txt
> 
> Affected Products:
> ----------------------------------------------
> RIG 0.7.4(unstable) and prior
> (http://sourceforge.net/project/showfiles.php?group_id=54367&release_id=179661)
> 
> RIG 0.6.45 and 0.7(stable) and prior
> 
> Contacted Vendor:
> ----------------------------------------------
> I have contacted Le R'alf on June, 12th 2006 at 2:37 PM via e-mail, but until today I got no response
> and the bug was still not fixed!!!

So, for the record, R'alf never received the mail, never had a trace of it
reaching his SMTP server in his logs, and neither he nor I heard back from
Mr Vieira-Kurz when asking for information about that original mail, like the
destination or Message-Id.

In other words, instead of giving the author a chance to fix the software,
get/give peer review on the fix, and a chance to the users to upgrade
their servers, his work helped create more nodes in botnets that tried/are
now trying to attack your machines, and send you spam.

Full disclosure is good, but a minimum of effort trying to prevent the
negative and unnecessary effects of it would go a long way to make this
internet a better place.

That said, R'alf fixed the software soon after being really notified (i.e.
his machine being attacked after the info posted here), and the fix can be
found here:
http://rig.powerpulsar.com/#news

The delay in this email here was to give Mr Vieira-Kurz a chance to reply
before posting here, but he never did. Whether he never sent the
notification, sent it to the wrong address, or sent it to the right one but
the internet ate it, we can't say without his cooperation.

Marc
(not the author of RIG, just posting the link here for those who might not 
be on the user list, and didn't get the fix and the original upgrade
announcement attached in this mail)
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/  
