Message-ID: <CAANfk0ogehjGPXwNLMvCQfQ-+mgrFCRNbEbrjrcP-bqA6B0CcA@mail.gmail.com>
Date: Thu, 14 Jun 2012 12:57:21 -0600
From: Information Booth <info@...ygekko.com>
To: bugtraq@...urityfocus.com
Subject: Re: Bugtraq ID# 53694 is invalid/fake
This is in regards to:
http://www.securityfocus.com/bid/53694
This is an uncoordinated release; the author did not make any attempt
to notify us either by email or the public forum. The non-working
exploit seems to have been copied and pasted with the RIPS source code
analyzer and the author didn't even bother to test or understand the
code. A real hacker can read source code, not run a RIPS source code
analyzer and publish the finding without due diligence.
This is the result:
Try: alert('..config.inc.php could not be loaded');
1) The "/" or %2F won't be accepted:
   $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
2) It will only read a .js.gz file (I see attempts to load /etc/passwd
but that doesn't make sense - I don't think he knows/understands how to
read source code):
   readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
   The bad chars will be stripped anyway ...
3) Test:
http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php
The js_gzip.php was included as of v1.1.5a
Also older versions on my website:
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.4.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5c.zip
I am fine with people publishing vulnerabilities to make code more
secure. What I'm unhappy about is how some wannabe script kiddiot can just
download source code analyzers/scanners and publish things WITHOUT any
prior test and WITHOUT contacting vendors. I have had people publish
their findings in my forum and I'm fine. But not when they don't at
least test or contact me and it later turns out to be a false alarm.
Here's a copy & paste from v1.1.5a (old version - the same)
/js/js_gzip.php
<?php
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
// Baby Gekko content management system - Copyright (C) Baby Gekko.
// This is a SHARED SOURCE, NOT OPEN SOURCE (GPL).
// You may use this software commercially, but you are not allowed to
// create a fork or create a derivative of this software
// Please read the license for details
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
include ('../config.inc.php');
error_reporting(0);

// Only letters, digits, '.' and '_' survive; every '/' (or decoded %2F) is removed,
// so $filename can never contain a directory separator.
$filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
$etag = sprintf('bbgk%u',crc32($filename));
header("Content-type: text/javascript; charset: UTF-8");

// Conditional request: answer 304 when the client already holds the file.
if(isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH']))
{
    if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag)
    {
        header('HTTP/1.1 304 Not Modified');
        exit();
    }
} else
// The only file ever read is SITE_PATH/js/<sanitized name>.js.gz.
if (file_exists (SITE_PATH.'/js/'.$filename.'.js.gz'))
{
    header("Vary: Accept-Encoding");
    header("Cache-Control: public, max-age=".(144000 * 24));
    header("Pragma: public");
    header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
    header("Content-Encoding: gzip");
    header("ETag: \"{$etag}\"");
    readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
} else
{
    // Unknown name: echo the sanitized value back as a JS alert (this is what the
    // '..config.inc.php could not be loaded' output above comes from).
    echo ("alert('{$filename} could not be loaded');");
}
?>
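The following is an added example, not code from the post or from the Baby Gekko project: it mirrors the preg_replace filter and the path construction from js_gzip.php in Python so the claim above (that "/" and %2F are stripped and the file read can never leave SITE_PATH/js) can be checked against the two test URLs and the /etc/passwd attempt mentioned in the post. SITE_PATH is an assumed value, and the stays_in_js_dir() containment check is an extra defence-in-depth step that the original script does not have.

```python
import posixpath
import re
from urllib.parse import unquote

# Mirror of preg_replace("/[^a-z._\d]/i", "", $_GET['js']) from js_gzip.php.
# re.ASCII keeps \d and the case-insensitive [a-z] to ASCII, as PCRE does without /u.
_DISALLOWED = re.compile(r"[^a-z._\d]", re.IGNORECASE | re.ASCII)

# Assumed web root for the demonstration (SITE_PATH in the original script).
SITE_PATH = "/var/www/gekko"


def sanitize_js_name(raw: str) -> str:
    """Strip every character that is not a letter, digit, dot or underscore."""
    return _DISALLOWED.sub("", raw)


def js_gz_path(query_value: str) -> str:
    """Build SITE_PATH/js/<name>.js.gz the way js_gzip.php does.

    The web server percent-decodes the query string before PHP sees it, so
    unquote() first: js=..%2Fconfig.inc.php arrives as "../config.inc.php".
    """
    name = sanitize_js_name(unquote(query_value))
    return posixpath.join(SITE_PATH, "js", name + ".js.gz")


def stays_in_js_dir(path: str) -> bool:
    """Added containment check (not in the original): after normalisation the
    path must still lie below SITE_PATH/js. With separators stripped this always
    holds, but a later change to the filter would be caught here."""
    base = posixpath.normpath(posixpath.join(SITE_PATH, "js"))
    return posixpath.normpath(path).startswith(base + "/")


if __name__ == "__main__":
    # Constructed inputs: the two test URLs from the post, a /etc/passwd attempt, a normal name.
    for payload in ("..%2Fconfig.inc.php", "../config.inc.php",
                    "../../../etc/passwd", "jquery.min"):
        p = js_gz_path(payload)
        print(f"{payload!r:24} -> {p}  inside js/: {stays_in_js_dir(p)}")
```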