[pLog-svn] Fwd: Vulnerabilities in Lifetype

Jon Daley plogworld at jon.limedaley.com
Sun Nov 26 23:31:52 GMT 2006


 	Yeah, I don't think you can count this as a vulnerability.  What 
can you do if you have the full path?
 	My site has it turned off, which I believe the docs in php.ini say 
should be the default for a "production" server.
http://jon.limedaley.com/plog/class/security/bayesianfilter.class.php
 	We could simply add an .htaccess; I don't see a downside to this. 
It would be nifty to have everything outside the webroot, though it probably 
makes it harder for people to untar.  And then a configuration option 
that people wouldn't understand...

On Sun, 26 Nov 2006, Reto Hugi wrote:

> Although I personally don't see path disclosures as a big security issue
> (it's a security through obscurity thing, imo), some may classify it a
> vulnerability. At least it helps the attacker gathering information
> about the target.
> For example cakePHP (http://www.cakephp.org/) has its files below
> the webroot (i.e. the webroot is a subfolder of cakePHP).
>
> Saying that it's a LifeType vuln. is IMO a bit far fetched. But maybe we
> can copy the .htaccess from the templates folder and write some advice
> in the wizard to let users know about it. Would "JJ" agree on this as a fix?
>
>
> On 26.11.2006 22:28, Oscar Renalias wrote:
>> Well apparently the vulnerability is that PHP will reveal several
>> paths if you try to browse any of those URLs. But that's not LT's
>> fault, it's PHP's as at least in lifetype.net, it's configured to log
>> errors to the console (browser) too, and not just to Apache's error_log.
>>
>> I was just wondering whether this is severe enough to warrant the
>> moniker "vulnerability" or whether it should be written off.
>>
>> On 26 Nov 2006, at 23:24, Alexander Kaiser wrote:
>>
>>> ehm, he just sent you these two urls?
>>> I don't know what he's up to.
>>>
>>> On 11/26/06, Oscar Renalias <oscar at renalias.net > wrote:
>>>
>>> What do you make out of this? Does anybody think that this is a
>>> "vulnerability"? Can we come up with similar examples from other
>>> applications?
>>>
>>> Begin forwarded message:
>>>
>>>> From: "Jesper Jurcenoks" <jesper.jurcenoks at netvigilance.com>
>>>> Date: 26 November 2006 22:51:27 GMT+02:00
>>>> To: "Oscar Renalias" <oscar at renalias.net>
>>>> Cc: <contact at lifetype.net>
>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>
>>>> Hi Oscar.
>>>>
>>>> Here are some live examples of the vulnerability
>>>>
>>>> http://www.lifetype.net/class/bootstrap.php
>>>> http://www.lifetype.net/class/security/bayesianfilter.class.php
>>>>
>>>> JJ
>>>>
>>>> -----Original Message-----
>>>> From: Jesper Jurcenoks
>>>> Sent: Sunday, November 26, 2006 12:46 PM
>>>> To: 'Oscar Renalias'
>>>> Cc: contact at lifetype.net
>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>
>>>>  Here is the draft Advisory.
>>>>
>>>> I will not get CVE ID and osvdb id until tomorrow.
>>>>
>>>> JJ
>>>>
>>>> -----Original Message-----
>>>> From: Oscar Renalias [mailto:oscar at renalias.net]
>>>> Sent: Sunday, November 26, 2006 11:48 AM
>>>> To: Jesper Jurcenoks
>>>> Cc: contact at lifetype.net
>>>> Subject: Re: Vulnerabilities in Lifetype
>>>>
>>>> I think your terms are fair enough, I don't see any problem with them.
>>>>
>>>> As soon as you provide me with the details of the vulnerability, I
>>>> will get working on it and keep you posted.
>>>>
>>>> Oscar
>>>>
>>>> On 26 Nov 2006, at 21:23, Jesper Jurcenoks wrote:
>>>>
>>>>> Hi Oscar.
>>>>>
>>>>> I have not released the vulnerabilities yet.
>>>>>
>>>>> I like to have a link to a patch in the Security Advisory.
>>>>>
>>>>> Once the problem has been patched then you will probably make a small
>>>>> announcement under news stating the problem and the solution, I would
>>>>> like to get credited for finding the vulnerability on this page.
>>>>>
>>>>> I would like to make a link to this news page as well.
>>>>>
>>>>> I would also like us to coordinate the release of the patch, your news
>>>>> blog and the security advisory release so that they are released at the
>>>>> same time.
>>>>>
>>>>> I would love to have you link back to my security advisory in your news
>>>>> release.
>>>>>
>>>>> Can we agree on these terms before I send you the Draft Security
>>>>> Advisory ?
>>>>>
>>>>> Regards
>>>>>
>>>>> Jesper Jurcenoks
>>>>>
>>>>> -----Original Message-----
>>>>> From: Oscar Renalias [mailto: oscar at renalias.net]
>>>>> Sent: Sunday, November 26, 2006 10:54 AM
>>>>> To: Jesper Jurcenoks
>>>>> Cc: contact at lifetype.net
>>>>> Subject: Re: Vulnerabilities in Lifestyle
>>>>>
>>>>> Hi,
>>>>>
>>>>> could you please send these vulnerabilities to this address? We will
>>>>> then act accordingly.
>>>>>
>>>>> Have you released them to the public in any way yet?
>>>>>
>>>>> Regards,
>>>>>
>>>>> Oscar Renalias
>>>>> LifeType Project Leader
>>>>>
>>>>> On 26 Nov 2006, at 20:32, Jesper Jurcenoks wrote:
>>>>>
>>>>>> Dear Lifestyle
>>>>>>
>>>>>>  I have found some vulnerabilities in your software and would like
>>>>>> to open a dialog with you about this.
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> JJ
>>>>>>
>>>>>> Jesper "JJ" Jurcenoks
>>>>>> Co-founder
>>>>>>
>>>>>> netVigilance is a leading provider of IT-security software
>>>>>>
>>>>>> jesper.jurcenoks at netvigilance.com
>>>>>>
>>>>>> Phone: +1 503-524-5758
>>>>>> Fax: +1 503-214-8612
>>>>>>
>>>>>> 17937 SW McEwan Road Suite 250
>>>>>> Portland, Oregon 97224
>>>>>>
>>>>>>
>>>>>> For more information about netVigilance, visit www.netvigilance.com
>>>>>>
>>>
>>> _______________________________________________
>>> pLog-svn mailing list
>>> pLog-svn at devel.lifetype.net
>>> http://devel.lifetype.net/mailman/listinfo/plog-svn

-- 
Jon Daley
http://jon.limedaley.com/

All truth passes through 3 stages.  First, it is ridiculed.
Second, it is violently opposed.  Third, it is accepted as being self-evident.
-- Arthur Schopenhauer
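The two mitigations the thread circles around (keep PHP from printing errors to the browser, and stop direct HTTP requests for files under class/) fit in a single webroot .htaccess. The file below is an added example, not LifeType's own .htaccess or the one from its templates folder. It assumes Apache with mod_php and an install at the document root, so that the class files sit at /class/... as in the URLs quoted above; for an install in a subdirectory such as /plog/, the RedirectMatch pattern would need that prefix.

```apacheconf
# Added example, not shipped with LifeType. Webroot .htaccess.
#
# Weak setup (what the reporter exercised): class/ has no access control
# and PHP runs with display_errors=On, so a GET for a class file outside
# its normal include order hits a fatal error and PHP echoes the message,
# absolute filesystem path included, into the HTTP response.
#
# Hardened setup, part 1: send PHP errors to the log, never the browser.
# This mirrors the production values in php.ini (display_errors = Off,
# log_errors = On). php_flag only works under mod_php; with CGI/FastCGI
# PHP these lines cause a 500, so set them in php.ini instead.
php_flag display_errors off
php_flag log_errors on

# Hardened setup, part 2: refuse direct requests for anything under
# /class/ (assumed install path, see lead-in). include/require from the
# application's own scripts are filesystem reads, not HTTP requests, so
# the application itself is unaffected.
RedirectMatch 403 ^/class/

# Equivalent per-directory alternative: put these two lines in
# class/.htaccess instead (Apache 2.2 syntax, current in 2006;
# Apache 2.4 uses "Require all denied").
#   Order deny,allow
#   Deny from all
```

To confirm the fix, request one of the quoted URLs and check that the status is 403 and that no absolute path appears in the body; with display_errors still on and no access rule, the same request would come back 200 with the path in the error text. Moving class/ outside the document root, as the thread also proposes, removes the need for the access rule altogether but still wants display_errors off, since any other script that fails would leak its path the same way.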
