Message-ID: <6B9BF38A-CCD0-11D8-ADE7-000A957FCF60@miller-group.net>
From: schmad at miller-group.net (Andrew Schmadeke)
Subject: Malicious post by "Manip"
The Security Alert on Centre by the Miller Group seems to have been
posted maliciously.
Two of the three vulnerabilities do not exist, and the first one is an
obvious fabrication.
The link posted demonstrating the first vulnerability actually portrays
the correct behavior of the program.
http://demo.miller-group.net/index.php?modfunc=create_account&staff&username=admin&staff_id=new
points to a page that allows parents and teachers to request access to the program.
This program was meant to be open to the public, and, in fact, the
extra information at the end of the URL
(&staff&username=admin&staff_id=new) does not affect the program's
performance. As you can see,
http://demo.miller-group.net/index.php?modfunc=create_account functions
the same as the URL provided by Manip.
http://demo.miller-group.net/index.php?modfunc=create_account is also a
link from the Centre login screen titled "Create Account." There is no
way to run any other program in Centre without being authenticated.
Also, the third "vulnerability" is not an issue. All variables in SQL
statements are encapsulated by single quotes, and Centre expects PHP's
magic quotes to be on. Furthermore, single quotes are replaced by
double single quotes (which cancels the single quote -- same behavior
as \'). So, SQL injection is impossible in every module of Centre.
This is obvious throughout the code.
Finally, Manip's second vulnerability did exist in Centre up until
Version 1.0. This was not a major vulnerability, since the malicious
code had to be somewhere on the server running Centre. However, this
vulnerability has been dealt with in Version 1.01, released today. Any
program not allowed to a user (or any program not in Centre) cannot be
run. And, the username and IP address of whoever attempts to run it
are captured by the system.
--Andrew Schmadeke
The Miller Group
schmad@...ler-group.net
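Added illustration (not Centre's code, and not part of the original post): the quoting scheme the post describes, emulated in Python against SQLite, which like standard SQL treats a doubled quote inside a literal as one quote character. The table, rows, and function names are constructed for the example, and PHP's magic quotes are not modelled.

```python
import sqlite3

# Constructed rows for the demonstration (assumption: Centre's real schema differs).
SEED_ROWS = [("admin", 1), ("O'Brien", 2)]


def sql_literal(value: str) -> str:
    """Wrap a value in single quotes, doubling any embedded single quote.

    This mirrors the scheme in the post: every variable is encapsulated by
    single quotes, and a single quote inside the value is replaced by two
    single quotes, so it cannot terminate the literal.
    """
    return "'" + value.replace("'", "''") + "'"


def count_literals(sql: str) -> int:
    """Count the single-quoted string literals in a statement.

    A doubled quote ('') inside a literal belongs to the literal and does not
    end it. Used below to check that each value became exactly one literal.
    """
    count, i, inside = 0, 0, False
    while i < len(sql):
        if sql[i] == "'":
            if inside and i + 1 < len(sql) and sql[i + 1] == "'":
                i += 2          # escaped quote, still inside the literal
                continue
            inside = not inside
            if not inside:
                count += 1      # a literal just closed
        i += 1
    return count


def lookup_staff_id(username: str):
    """Build the query with sql_literal() and run it against an in-memory DB.

    Returns the staff_id for an exact username match, or None if no row matches.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, staff_id INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SEED_ROWS)
    sql = "SELECT staff_id FROM users WHERE username = " + sql_literal(username)
    # Quote characters in the input must stay inside the one intended literal.
    assert count_literals(sql) == 1, sql
    row = conn.execute(sql).fetchone()
    conn.close()
    return row[0] if row else None
```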