Message-ID: <bdc9e5ef0706051048i17bbcbeare0c34735376f8289@mail.gmail.com>
Date: Tue, 5 Jun 2007 20:48:20 +0300
From: "Johnny Storm" <johnny653@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Kevin Johnson BASE <= 1.3.6 authentication bypass

>I think your "vulnerability report" sucks (to use your word.)
>1) You use very unprofessional language
ghhh.

>2) You provide no links to either Base or the Base+ fork so the reader can
>check for themselves.
learn to read or to use google. (what's at the top of my posting?)

>3) You provide no source from the Base+ fork to show how its
>authentication scheme is not vulnerable
it's open source. go - check it yourself.

>4) You personalize your report by using Kevin's name, in an attempt to
>embarrass him
it seems that you haven't yet noticed what is the name
of his *security* product ;-)

>5) You provide no evidence that you have ever contacted the Base project
>and notified them of your "discovery"
full disclosure.

>6) You don't even mention that an authentication vulnerability was
>**reported and fixed** more than a year ago, nor do you mention how your
>report relates to that vulnerability [1][2][3]
you haven't done your homework. this vulnerability has nothing
to do with those you discovered.

>7) You don't explain that the code you posted is not part of the
>authentication system and that the auth code is in base_auth_inc.php.
learn to read. lol.

>8) You don't explain what you mean by "what if not?"  The answer is, if
>not, then authentication is required, you do have a role and you have
>already authenticated.
at this point you prove that you have no clue.
please, stfu and go offlist noob.


On 6/5/07, Paul Schmehl <pauls@...allas.edu> wrote:
> --On June 4, 2007 10:35:40 PM +0300 Johnny Storm <johnny653@...il.com>
> wrote:
>
> > Basic Analysis and Security Engine (BASE)
> > (http://base.secureideas.net/)
> >
> >
> > One more security product with lame bugs...
> >
> > Let's look at Kevin's authentication code,
> > for example in base_main.php (all pages vulnerable):
> >
> >  [...]
> >  // Check role out and redirect if needed -- Kevin
> >  $roleneeded = 10000;
> >  $BUser = new BaseUser();
> >  //if (($Use_Auth_System == 1) && ($BUser->hasRole($roleneeded) == 0))
> >  if ($Use_Auth_System == 1)
> >  {
> >      if ($BUser->hasRole($roleneeded) == 0)
> >      {
> >          header("Location: $BASE_urlpath/index.php");
> >      }
> >  }
> >  [...]
> >
> > Where is the bug?
> > Yes, your browser will redirect after receiving the Location header,
> > but what if not? ;-)
> >
> > Test with curl. This is not the first authentication issue in BASE,
> > putting at risk users who use the BASE authentication feature.
> > Google shows up many installations protected by this feature.
> >
> > All BASE versions with authentication are vulnerable.
> > ACID is not vulnerable, since it doesn't have such a feature.
> > The BASE+ fork fixed this issue a year ago.
> >
> > Use your web server authentication or BASE+, which sucks less.
> >
> I think your "vulnerability report" sucks (to use your word.)
> 1) You use very unprofessional language
> 2) You provide no links to either Base or the Base+ fork so the reader can
> check for themselves.
> 3) You provide no source from the Base+ fork to show how its
> authentication scheme is not vulnerable
> 4) You personalize your report by using Kevin's name, in an attempt to
> embarrass him
> 5) You provide no evidence that you have ever contacted the Base project
> and notified them of your "discovery"
> 6) You don't even mention that an authentication vulnerability was
> **reported and fixed** more than a year ago, nor do you mention how your
> report relates to that vulnerability [1][2][3]
> 7) You don't explain that the code you posted is not part of the
> authentication system and that the auth code is in base_auth_inc.php.
> 8) You don't explain what you mean by "what if not?"  The answer is, if
> not, then authentication is required, you do have a role and you have
> already authenticated.
>
> [1] <http://www.securityfocus.com/bid/17354>
> [2] <http://www.nessus.org/plugins/index.php?view=single&id=21174>
> [3] <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1505>
>
> Paul Schmehl (pauls@...allas.edu)
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
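The flaw argued over in this thread is a general PHP pattern: header("Location: ...") only queues a response header, it does not stop the script, so everything after the check still executes and is sent as the body of the 302. The stand-alone CLI script below is an added example, not BASE's own code; BaseUser, the 0/1 return of hasRole(), $Use_Auth_System and $BASE_urlpath are hypothetical stand-ins modelled on the snippet quoted above, shown in the vulnerable form and beside the hardened form that terminates after the redirect.

```php
<?php
// Added example (not BASE's code): redirect-without-exit beside the fix.
// BaseUser and hasRole() are assumed stand-ins for BASE's own classes.

class BaseUser
{
    private $roles;
    public function __construct(array $roles) { $this->roles = $roles; }
    // Assumed to mirror the quoted check: 0 means "does not hold the role".
    public function hasRole($role)
    {
        return in_array($role, $this->roles, true) ? 1 : 0;
    }
}

$Use_Auth_System = 1;        // assumed config flag, as in the quoted snippet
$BASE_urlpath    = '/base';  // assumed install path
$roleneeded      = 10000;

// Vulnerable pattern: the Location header is queued, but nothing stops the
// script, so the statements after this call still run and their output is
// delivered as the body of the 302 to any client that does not follow it.
function check_role_vulnerable(BaseUser $BUser, $Use_Auth_System, $BASE_urlpath, $roleneeded)
{
    if ($Use_Auth_System == 1) {
        if ($BUser->hasRole($roleneeded) == 0) {
            header("Location: $BASE_urlpath/index.php");
            // execution falls through here
        }
    }
}

// Hardened pattern: terminate right after sending the redirect, so an
// unauthorised request gets the 302 with an empty body regardless of
// whether the client honours the Location header.
function check_role_fixed(BaseUser $BUser, $Use_Auth_System, $BASE_urlpath, $roleneeded)
{
    if ($Use_Auth_System == 1) {
        if ($BUser->hasRole($roleneeded) == 0) {
            header("Location: $BASE_urlpath/index.php");
            exit;
        }
    }
}

// Constructed sample input: a visitor who holds no role at all.
$anon = new BaseUser(array());

echo "[vulnerable] running role check for anonymous user\n";
check_role_vulnerable($anon, $Use_Auth_System, $BASE_urlpath, $roleneeded);
echo "[vulnerable] protected alert table rendered anyway (leaks into 302 body)\n";

// Runs when exit is reached inside check_role_fixed().
register_shutdown_function(function () {
    echo "[fixed] script terminated by exit; protected content never rendered\n";
});

echo "[fixed] running role check for anonymous user\n";
check_role_fixed($anon, $Use_Auth_System, $BASE_urlpath, $roleneeded);
echo "[fixed] THIS LINE IS NEVER PRINTED\n";
```

Run it with `php demo.php` (under the CLI SAPI header() is a no-op, which is why the script can exercise both paths without a web server). On a deployment you administer, the equivalent check is the one the original post hints at: request base_main.php without a session using curl with no `-L` (so it does not follow the redirect the way a browser does) and confirm that the 302 response carries an empty body.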
