[pLog-svn] Fwd: Vulnerabilities in Lifetype

Oscar Renalias oscar at renalias.net
Mon Nov 27 16:59:15 GMT 2006


This "vulnerability" probably reveals as much path as would be revealed by downloading the source code and looking at the folder structure.

I don't think it's a big deal, but some people see the words "security vulnerability" and freak out, so it should look like we're doing something about it :-)

Can anybody help me out with the .htaccess?

On 27 Nov 2006, at 01:31, Jon Daley wrote:

> 	Yeah, I don't think you can count this as a vulnerability. What can you do if you have the full path?
> 	My site has it turned off, which I believe the docs in php.ini say should be the default for a "production" server.
> http://jon.limedaley.com/plog/class/security/bayesianfilter.class.php
> 	We could simply add an .htaccess; I don't see a downside to this. It would be nifty to have everything outside the webroot, though it probably makes it harder for people to untar. And then a configuration option that people wouldn't understand...
>
> On Sun, 26 Nov 2006, Reto Hugi wrote:
>
>> Although I personally don't see path disclosures as a big security issue (it's a security-through-obscurity thing, IMO), some may classify it as a vulnerability. At least it helps the attacker gather information about the target.
>> For example, cakePHP (http://www.cakephp.org/) has its files below the webroot (i.e. the webroot is a subfolder of cakePHP).
>>
>> Saying that it's a LifeType vuln. is IMO a bit far-fetched. But maybe we can copy the .htaccess from the templates folder and write some advice in the wizard to let users know about it. Would "JJ" agree on this as a fix?
>>
>>
>> On 26.11.2006 22:28, Oscar Renalias wrote:
>>> Well, apparently the vulnerability is that PHP will reveal several paths if you try to browse any of those URLs. But that's not LT's fault, it's PHP's, as at least in lifetype.net it's configured to log errors to the console (browser) too, and not just to Apache's error_log.
>>>
>>> I was just wondering whether this is severe enough to warrant the moniker "vulnerability" or whether it should be written off.
>>>
>>> On 26 Nov 2006, at 23:24, Alexander Kaiser wrote:
>>>
>>>> Ehm, he just sent you these two URLs?
>>>> I don't know what he's up to.
>>>>
>>>> On 11/26/06, Oscar Renalias <oscar at renalias.net> wrote:
>>>> What do you make out of this? Does anybody think that this is a "vulnerability"? Can we come up with similar examples from other applications?
>>>>
>>>> Begin forwarded message:
>>>>
>>>>> From: "Jesper Jurcenoks" <jesper.jurcenoks at netvigilance.com>
>>>>> Date: 26 November 2006 22:51:27 GMT+02:00
>>>>> To: "Oscar Renalias" <oscar at renalias.net>
>>>>> Cc: <contact at lifetype.net>
>>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>>
>>>>> Hi Oscar.
>>>>>
>>>>> Here are some live examples of the vulnerability
>>>>>
>>>>> http://www.lifetype.net/class/bootstrap.php
>>>>> http://www.lifetype.net/class/security/bayesianfilter.class.php
>>>>>
>>>>> JJ
>>>>>
>>>>> -----Original Message-----
>>>>> From: Jesper Jurcenoks
>>>>> Sent: Sunday, November 26, 2006 12:46 PM
>>>>> To: 'Oscar Renalias'
>>>>> Cc: contact at lifetype.net
>>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>>
>>>>> Here is the draft Advisory.
>>>>>
>>>>> I will not get CVE ID and osvdb id until tomorrow.
>>>>>
>>>>> JJ
>>>>>
>>>>> -----Original Message-----
>>>>> From: Oscar Renalias [mailto:oscar at renalias.net]
>>>>> Sent: Sunday, November 26, 2006 11:48 AM
>>>>> To: Jesper Jurcenoks
>>>>> Cc: contact at lifetype.net
>>>>> Subject: Re: Vulnerabilities in Lifetype
>>>>>
>>>>> I think your terms are fair enough, I don't see any problem with them.
>>>>>
>>>>> As soon as you provide me with the details of the vulnerability, I
>>>>> will get working on it and keep you posted.
>>>>>
>>>>> Oscar
>>>>>
>>>>> On 26 Nov 2006, at 21:23, Jesper Jurcenoks wrote:
>>>>>
>>>>>> Hi Oscar.
>>>>>>
>>>>>> I have not released the vulnerabilities yet.
>>>>>>
>>>>>> I like to have a link to a patch in the Security Advisory.
>>>>>>
>>>>>> Once the problem has been patched then you will probably make a small announcement under news stating the problem and the solution. I would like to get credited for finding the vulnerability on this page.
>>>>>>
>>>>>> I would like to make a link to this news page as well.
>>>>>>
>>>>>> I would also like us to coordinate the release of the patch, your news blog and the security advisory release so that they are released at the same time.
>>>>>>
>>>>>> I would love to have you link back to my security advisory in your news release.
>>>>>>
>>>>>> Can we agree on these terms before I send you the Draft Security Advisory?
>>>>>>
>>>>>> Regards
>>>>>>
>>>>>> Jesper Jurcenoks
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Oscar Renalias [mailto: oscar at renalias.net]
>>>>>> Sent: Sunday, November 26, 2006 10:54 AM
>>>>>> To: Jesper Jurcenoks
>>>>>> Cc: contact at lifetype.net
>>>>>> Subject: Re: Vulnerabilities in Lifestyle
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> could you please send these vulnerabilities to this address? We will then act accordingly.
>>>>>>
>>>>>> Have you released them to the public in any way yet?
>>>>>>
>>>>>> Regards,
>>>>>>
>>>>>> Oscar Renalias
>>>>>> LifeType Project Leader
>>>>>>
>>>>>> On 26 Nov 2006, at 20:32, Jesper Jurcenoks wrote:
>>>>>>
>>>>>>> Dear Lifestyle
>>>>>>>
>>>>>>> I have found some vulnerabilities in your software and would like to open a dialog with you about this.
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> JJ
>>>>>>>
>>>>>>> Jesper "JJ" Jurcenoks
>>>>>>> Co-founder
>>>>>>>
>>>>>>> netVigilance is a leading provider of IT-security software
>>>>>>>
>>>>>>> jesper.jurcenoks at netvigilance.com
>>>>>>>
>>>>>>> Phone: +1 503-524-5758
>>>>>>> Fax: +1 503-214-8612
>>>>>>>
>>>>>>> 17937 SW McEwan Road Suite 250
>>>>>>> Portland, Oregon 97224
>>>>>>>
>>>>>>>
>>>>>>> For more information about netVigilance, visit www.netvigilance.com
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>> _______________________________________________
>>>> pLog-svn mailing list
>>>> pLog-svn at devel.lifetype.net
>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>
> -- 
> Jon Daley
> http://jon.limedaley.com/
>
> All truth passes through 3 stages.  First, it is ridiculed.
> Second, it is violently opposed.  Third, it is accepted as being  
> self-evident.
> -- Arthur Schopenhauer
>
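One way to close off the direct-browse path disclosure discussed above, as an added example rather than the project's own .htaccess (the thread says a copy exists in the templates folder): an Apache 2.2-style .htaccess dropped into the class/ directory that refuses every web request for the files there, plus the PHP flags Jon refers to so that any error that does surface is logged instead of echoed to the browser. It assumes the directory's AllowOverride permits Limit and Options directives.

```apache
# Constructed example for LifeType's class/ directory (not from the project).
# Browsers must never fetch class/*.php directly; LifeType's entry points
# include() these files from the filesystem, which this block does not affect.
# Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require all denied".
Order deny,allow
Deny from all

# Second layer: if a class file is still reached, do not print PHP errors
# (which carry the full filesystem path) to the client; log them instead.
# Needs AllowOverride Options; otherwise set the same keys in php.ini
# (display_errors = Off, log_errors = On), which the php.ini docs recommend
# for production anyway.
php_flag display_errors off
php_flag log_errors on
```

After deploying, a request for one of the class/ URLs should return 403 rather than a PHP error page, which is the quickest check that the override is actually being honoured.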