Message-ID: <3F80837D.7000209@jackhammer.org>
From: pdt at jackhammer.org (Paul Tinsley)
Subject: Do not use the fix in lib-common.php . use in lib-security.php at /system/ dir

So now do we get to bitch at you for breaking Geeklog?

Since you obviously have the right to dig into a bunch of guys who are 
spending their free time throwing together a "product" for use by anyone 
who wishes to download it for free.  In my eyes you get no level of 
guaranteed support or even for that matter the right to bitch.

A quick browse to their site shows that they are working to address the 
issue:

I'm sure by now many of you have heard of the Geeklog security issues 
that have been posted on lists such as Full Disclosure and Bugtraq.

One of the issues mentioned in that post regards the injection of HTML 
in the Shoutbox and can easily be addressed, as explained in the story 
"Fix your Shoutbox!".

The more scary bits, however, are those of the acclaimed SQL injection. 
Three members of the Geeklog development team have now been trying to 
reproduce these issues - and failed. That's not to say that the issues 
do not exist, but it seems they are a lot harder to exploit than the 
post claims. Even the person reporting the issues couldn't (or wouldn't) 
produce a working example.

So, we are still looking into it and will come up with a solution to 
filter these injections, just in case, eventually. In the meantime, it 
looks like this issue is not as dramatic as it first seemed.

We would also like to point out that the person who published that 
report didn't contact us before doing so. It could have avoided a lot of 
confusion and even misinformation (the post even claims to have found 
the problem in a 2.x version of Geeklog that doesn't exist yet). This is 
certainly not a very professional way to handle security issues. 
Regardless, we are taking the claims seriously and we are looking into 
the matter as we speak.


Hmm... the person who found the vulnerabilities not only didn't contact 
the "vendor" to give them a chance to fix it but also hasn't been 
working with them to try and fix it, but has the free time to come and 
bash them publicly.

Oh and by the way, can I mention how bad of an idea it is to do IP based 
client blocking on websites?  Have you tested your methods from AOL 
clients or large NAT networks?  I bet not.


P.S. - In no way related to the Geeklog development team, just tired of 
seeing this drivel

Lorenzo Hernandez Garcia-Hierro wrote:

>If you use the fix in your lib-common.php you will damage your geeklog
>installation.
>Use instead in lib-security.php ;-) at the [your geeklog core files, not
>html]/system
>Include the fix after the <?php tag.
>----- THE FIX ----
>foreach ($HTTP_GET_VARS as $secvalue) {
>    if ((eregi("<[^>]*script\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*object\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*iframe\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*applet\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*meta\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*style\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*form\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*img\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*span\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*h1\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*table\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*body\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*pre\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*em\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*input\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*td\"?[^>]*>", $secvalue)) ||
>        (eregi("<[^>]*option\"?[^>]*>", $secvalue)) ||
>        (eregi(";", $secvalue)) ||
>        (eregi("'", $secvalue)) ||
>        // '?' and '+' are regex metacharacters: bracketed so eregi() matches them literally
>        (eregi("[?]", $secvalue)) ||
>        (eregi("`", $secvalue)) ||
>        (eregi("[+]", $secvalue)) ||
>        (eregi("\"", $secvalue))) {
>        die (";-) whereis lammer lammer: you");
>    }
>}
>----- <<EOF -----
>
>The advantage of this method is that all files of geeklog are using
>lib-common.php and the lib-common.php script includes the code of
>lib-security.php, so all the things can be controlled by one script; this is
>easier than editing all the independent files of the html dir and including
>the fix.
>Enjoy !
>Regards,
>------------------------------------------------------
>Lorenzo Hernandez Garcia-Hierro
>---       Security Consultant           ---
>------------------NSRGroup-------------------
>PGP: Keyfingerprint
>D185 3555 8ECD 3921 6B21  ACC6 CEBB 2826 4B4C 283E
>ID: 0x4B4C283E
>Size: 4096
>**********************************
>NSRGroup
>( No Secure Root Group Security Research Team ) /
>( NovaPPC Security Research Group )
>http://www.nsrg-security.com
>______________________
>
>
>_______________________________________________
>Full-Disclosure - We believe in it.
>Charter: http://lists.netsys.com/full-disclosure-charter.html
>  
>
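As an added example (not Geeklog's code and not part of either post above): a Python re-implementation of the checks the quoted GET-parameter blacklist performs, run over constructed shoutbox inputs to show how many ordinary messages it rejects, beside the two mitigations that address the reported issues without a blacklist: HTML output encoding for the Shoutbox and a parameterized query for the database write. The function names, the table and the sample strings are assumptions.

```python
import html
import re
import sqlite3

# Tag names the quoted lib-security.php filter rejects (re-implemented here
# for illustration; this is an added example, not Geeklog's own code).
BLOCKED_TAGS = ("script", "object", "iframe", "applet", "meta", "style",
                "form", "img", "span", "h1", "table", "body", "pre", "em",
                "input", "td", "option")
# Bare characters the quoted filter rejects anywhere in a GET value.
BLOCKED_CHARS = set(";'?`+\"")

TAG_RE = re.compile(r"<[^>]*(?:" + "|".join(BLOCKED_TAGS) + r")\"?[^>]*>", re.I)


def filter_blocks(value: str) -> bool:
    """True if the quoted blacklist would die() for this GET value."""
    return bool(TAG_RE.search(value)) or any(c in value for c in BLOCKED_CHARS)


def render_shout(text: str) -> str:
    """Output-encode a shout for HTML instead of blacklisting input."""
    return "<li>" + html.escape(text, quote=True) + "</li>"


def store_shout(conn: sqlite3.Connection, user: str, text: str) -> int:
    """Parameterized insert: the driver never interprets text as SQL."""
    conn.execute("CREATE TABLE IF NOT EXISTS shouts(user TEXT, text TEXT)")
    conn.execute("INSERT INTO shouts(user, text) VALUES (?, ?)", (user, text))
    conn.commit()
    return conn.execute("SELECT COUNT(*) FROM shouts").fetchone()[0]


def demo() -> dict:
    # Constructed shoutbox inputs: all legitimate, none is an attack.
    legit = ["Bob's site is great", "I code in C++", "Anyone around?", "a; b"]
    false_positives = [s for s in legit if filter_blocks(s)]
    conn = sqlite3.connect(":memory:")
    count = 0
    for s in legit:
        count = store_shout(conn, "alice", s)
    return {
        "false_positives": false_positives,   # every ordinary message is rejected
        "stored": count,                      # all four stored safely
        "rendered": render_shout("Bob's <b>site</b>"),
    }
```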