Open Source and information security mailing list archives
 
From: dirk at haun-online.de (Dirk Haun)
Subject: Re: I have fixes for the Geeklog vulnerabilities

Lorenzo Hernandez Garcia-Hierro wrote:

>Due to the completely incorrect treatment and work of the Geeklog
>development team, that they didn't develop fixes for THEIR product

As a member of the Geeklog Development Team, I'd like to point out that
the poster of the above lines did not bother to contact us, neither with
his original findings nor with these patches. Talk about incorrect treatment.

Furthermore, of the original findings (posted here and on BugTraq a week
ago), only the Shoutbox issue has been confirmed (and a patch is
available on the Geeklog website).

None of the supposed SQL injection issues that Lorenzo Hernandez Garcia-
Hierro claims to have found could be confirmed by us or members of the
Geeklog community. We can only assume that he only noticed that when
attempting to inject SQL into URLs, Geeklog would produce SQL errors and
from that he seems to have deduced that Geeklog was vulnerable for SQL
injections. When asked to explain his findings, he couldn't (or wouldn't)
come up with a working example either.

Now, there's no doubt that Geeklog could do a better job in filtering
these attempts. Work on that is currently under way - which we would have
told Lorenzo Hernandez Garcia-Hierro if he had bothered to contact us.

Potential problems that we have found so far:

- the SQL error message displayed by Geeklog could, in theory, leak
sensitive information
- sites where the PHP magic_quotes setting is OFF are slightly more prone
to the (alleged) injections than when it's ON
- sites running on MySQL 4.1 (which is currently in alpha state and not
ready for production use) are at a higher risk since MySQL 4.1 allows
concatenation of SQL requests (which previous versions didn't)

We have informed our users about these issues on the Geeklog homepage and
will continue to do so. We value security very highly, but we prefer to
handle it in a non-sensationalist way. We would have preferred to come up
with a solution to the problems and then post a detailed analysis of the
problems here (and on BugTraq). With his failure to contact the
developers, Lorenzo Hernandez Garcia-Hierro has yet again caused more
confusion than actually helping the situation.

Overall, this is a textbook example of how NOT to handle security issues.
By not contacting the developers, posting a report full of inaccuracies,
and, in the end, mostly non-working examples, Lorenzo Hernandez Garcia-
Hierro has caused uncertainty and confusion amongst the Geeklog users and
basically wasted everyone's time, including that of the developers. 

Dirk Haun,
Maintainer of the Geeklog 1.3.x branch,
Geeklog Development Team


-- 
http://www.geeklog.net/
http://geeklog.info/

