[pLog-svn] Fwd: Vulnerabilities in Lifetype

Reto Hugi plog at hugi.to
Sun Nov 26 22:19:03 GMT 2006


Although I personally don't see path disclosures as a big security issue
(it's a security through obscurity thing, imo), some may classify it as a
vulnerability. At least it helps the attacker gather information
about the target.
For example cakePHP (http://www.cakephp.org/) has its files below
the webroot (i.e. the webroot is a subfolder of cakePHP).

Saying that it's a LifeType vuln. is IMO a bit far-fetched. But maybe we
can copy the .htaccess from the templates folder and write some advice
in the wizard to let users know about it. Would "JJ" agree on this as a fix?


On 26.11.2006 22:28, Oscar Renalias wrote:
> Well apparently the vulnerability is that PHP will reveal several  
> paths if you try to browse any of those URLs. But that's not LT's  
> fault, it's PHP's as at least in lifetype.net, it's configured to log  
> errors to the console (browser) too, and not just to Apache's error_log.
> 
> I was just wondering whether this is severe enough to warrant the  
> moniker "vulnerability" or whether it should be written off.
> 
> On 26 Nov 2006, at 23:24, Alexander Kaiser wrote:
> 
>> ehm, he just sent you these two urls?
>> i don't know what he's up to.
>>
>> On 11/26/06, Oscar Renalias <oscar at renalias.net > wrote:
>> What do you make out of this? Does anybody think that this is a
>> "vulnerability"? Can we come up with similar examples from other
>> applications?
>>
>> Begin forwarded message:
>>
>> > From: "Jesper Jurcenoks" <jesper.jurcenoks at netvigilance.com>
>> > Date: 26 November 2006 22:51:27 GMT+02:00
>> > To: "Oscar Renalias" <oscar at renalias.net>
>> > Cc: <contact at lifetype.net>
>> > Subject: RE: Vulnerabilities in Lifetype
>> >
>> > Hi Oscar.
>> >
>> > Here are some live examples of the vulnerability
>> >
>> > http://www.lifetype.net/class/bootstrap.php
>> > http://www.lifetype.net/class/security/bayesianfilter.class.php
>> >
>> > JJ
>> >
>> > -----Original Message-----
>> > From: Jesper Jurcenoks
>> > Sent: Sunday, November 26, 2006 12:46 PM
>> > To: 'Oscar Renalias'
>> > Cc: contact at lifetype.net
>> > Subject: RE: Vulnerabilities in Lifetype
>> >
>> >  Here is the draft Advisory.
>> >
>> > I will not get CVE ID and osvdb id until tomorrow.
>> >
>> > JJ
>> >
>> > -----Original Message-----
>> > From: Oscar Renalias [mailto:oscar at renalias.net]
>> > Sent: Sunday, November 26, 2006 11:48 AM
>> > To: Jesper Jurcenoks
>> > Cc: contact at lifetype.net
>> > Subject: Re: Vulnerabilities in Lifetype
>> >
>> > I think your terms are fair enough, I don't see any problem with them.
>> >
>> > As soon as you provide me with the details of the vulnerability, I
>> > will get working on it and keep you posted.
>> >
>> > Oscar
>> >
>> > On 26 Nov 2006, at 21:23, Jesper Jurcenoks wrote:
>> >
>> >> Hi Oscar.
>> >>
>> >> I have not released the vulnerabilities yet.
>> >>
>> >> I like to have a link to a patch in the Security Advisory.
>> >>
>> >> Once the problem has been patched then you will probably make a small
>> >> announcement under news stating the problem and the solution, I would
>> >> like to get credited for finding the vulnerability on this page.
>> >>
>> >> I would like to make a link to this news page as well.
>> >>
>> >> I would also like us to coordinate the release of the patch, your news
>> >> blog and the security advisory release so that they are released at the
>> >> same time.
>> >>
>> >> I would love to have you link back to my security advisory in your news
>> >> release.
>> >>
>> >> Can we agree on these terms before I send you the Draft Security
>> >> Advisory ?
>> >>
>> >> Regards
>> >>
>> >> Jesper Jurcenoks
>> >>
>> >> -----Original Message-----
>> >> From: Oscar Renalias [mailto: oscar at renalias.net]
>> >> Sent: Sunday, November 26, 2006 10:54 AM
>> >> To: Jesper Jurcenoks
>> >> Cc: contact at lifetype.net
>> >> Subject: Re: Vulnerabilities in Lifestyle
>> >>
>> >> Hi,
>> >>
>> >> could you please send these vulnerabilities to this address? We will
>> >> then act accordingly.
>> >>
>> >> Have you released them to the public in any way yet?
>> >>
>> >> Regards,
>> >>
>> >> Oscar Renalias
>> >> LifeType Project Leader
>> >>
>> >> On 26 Nov 2006, at 20:32, Jesper Jurcenoks wrote:
>> >>
>> >>> Dear Lifestyle
>> >>>
>> >>>  I have found some vulnerabilities in your software and would like
>> >>> to open a dialog with you about this.
>> >>>
>> >>> Regards
>> >>>
>> >>> JJ
>> >>>
>> >>> Jesper "JJ" Jurcenoks
>> >>> Co-founder
>> >>>
>> >>> netVigilance is a leading provider of IT-security software
>> >>>
>> >>> jesper.jurcenoks at netvigilance.com
>> >>>
>> >>> Phone: +1 503-524-5758
>> >>> Fax: +1 503-214-8612
>> >>>
>> >>> 17937 SW McEwan Road Suite 250
>> >>> Portland, Oregon 97224
>> >>>
>> >>>
>> >>> For more information about netVigilance, visit www.netvigilance.com
>> >>>
>> >>>
>> >>
>> >>
>> >>
>> >
>> >
>> >
>>
>> _______________________________________________
>> pLog-svn mailing list
>> pLog-svn at devel.lifetype.net
>> http://devel.lifetype.net/mailman/listinfo/plog-svn
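For readers of the archive: the two mitigations discussed in this thread, Reto's suggestion of an .htaccess that stops class files from being requested directly, and Oscar's point that the disclosure only happens because PHP is configured to show errors in the browser instead of only logging them, written out as one added example. This is not the LifeType project's own .htaccess (the thread says one exists in the templates folder but does not quote it). It assumes Apache with an AllowOverride setting that permits these directives in the class/ directory, and mod_php for the php_flag lines.

```apache
# Added example .htaccess for a directory such as class/ that holds only
# PHP includes. Not the LifeType project's own file; see the note above.

# Deny all direct HTTP requests to files in this directory. PHP code that
# include()s these files from the webroot is unaffected, because include
# goes through the filesystem, not through Apache's request handling.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require all denied
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax (current when this thread was written)
    Order deny,allow
    Deny from all
</IfModule>

# Defence in depth, in case a file is still reached directly: send PHP
# errors (which contain filesystem paths) to the error log, never to the
# browser. Only takes effect when PHP runs as an Apache module.
<IfModule mod_php5.c>
    php_flag display_errors off
    php_flag log_errors on
</IfModule>
```

With this in place a direct request to a file in the directory gets a 403 from Apache before PHP runs, and if the same php_flag settings are applied in the main php.ini they cover every script on the site, not only this directory. To verify, request one of the class files in a browser on a test install and confirm the response is a plain 403 with no path in it, then check that the error still appears in Apache's error_log.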
