[pLog-svn] Fwd: Vulnerabilities in Lifetype

Jon Daley plogworld at jon.limedaley.com
Mon Nov 27 17:06:54 GMT 2006


 	I originally thought that too, but additionally, you can see the 
folder that it is installed in, so a little more than just what can be 
downloaded.  I still don't know why anyone would care.  This guy is just 
trying to get some publicity for himself.
 	File coming shortly.


On Mon, 27 Nov 2006, Oscar Renalias wrote:

> This "vulnerability" probably reveals as much path as would be revealed by 
> downloading the source code and looking at the folder structure.
>
> I don't think it's a big deal but some people see the word security 
> vulnerability and freak out so it should look like we're doing something 
> about it :-)
>
> Can anybody help me out with the .htaccess?
>
> On 27 Nov 2006, at 01:31, Jon Daley wrote:
>
>> 	Yeah, I don't think you can count this as a vulnerability.  What can 
>> you do if you have the full path?
>> 	My site has it turned off, which I believe the docs in php.ini say 
>> that should be the default for a "production" server.
>> http://jon.limedaley.com/plog/class/security/bayesianfilter.class.php
>> 	We could simply add an .htaccess, I don't see a downside to this. It 
>> would be nifty to have everything outside the webroot, though it makes it 
>> harder for people to untar probably.  And then a configuration option that 
>> people wouldn't understand...
>> 
>> On Sun, 26 Nov 2006, Reto Hugi wrote:
>> 
>>> Although I personally don't see path disclosures as a big security issue
>>> (it's a security through obscurity thing, imo), some may classify it a
>>> vulnerability. At least it helps the attacker gathering information
>>> about the target.
>>> For example cakePHP (http://www.cakephp.org/) is having its files below
>>> the webroot (i.e. the webroot is a subfolder of cakePHP).
>>> 
>>> Saying that it's a LifeType vuln. is IMO a bit far-fetched. But maybe we
>>> can copy the .htaccess from the templates folder and write some advice
>>> in the wizard to let users know about it. Would "JJ" agree on this as a 
>>> fix?
>>> 
>>> 
>>> On 26.11.2006 22:28, Oscar Renalias wrote:
>>>> Well apparently the vulnerability is that PHP will reveal several
>>>> paths if you try to browse any of those URLs. But that's not LT's
>>>> fault, it's PHP's as at least in lifetype.net, it's configured to log
>>>> errors to the console (browser) too, and not just to Apache's error_log.
>>>> 
>>>> I was just wondering whether this is severe enough to warrant the
>>>> moniker "vulnerability" or whether it should be written off.
>>>> 
>>>> On 26 Nov 2006, at 23:24, Alexander Kaiser wrote:
>>>> 
>>>>> ehm, he just sent you these two urls?
>>>>> i don't know what he's up to.
>>>>> 
>>>>> On 11/26/06, Oscar Renalias <oscar at renalias.net> wrote:
>>>>> What do you make out of this? Does anybody think that this is a
>>>>> "vulnerability"? Can we come up with similar examples from other
>>>>> applications?
>>>>> 
>>>>> Begin forwarded message:
>>>>> 
>>>>>> From: "Jesper Jurcenoks" <jesper.jurcenoks at netvigilance.com>
>>>>>> Date: 26 November 2006 22:51:27 GMT+02:00
>>>>>> To: "Oscar Renalias" <oscar at renalias.net>
>>>>>> Cc: <contact at lifetype.net>
>>>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>>> 
>>>>>> Hi Oscar.
>>>>>> 
>>>>>> Here are some live examples of the vulnerability
>>>>>> 
>>>>>> http://www.lifetype.net/class/bootstrap.php
>>>>>> http://www.lifetype.net/class/security/bayesianfilter.class.php
>>>>>> 
>>>>>> JJ
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Jesper Jurcenoks
>>>>>> Sent: Sunday, November 26, 2006 12:46 PM
>>>>>> To: 'Oscar Renalias'
>>>>>> Cc: contact at lifetype.net
>>>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>>> 
>>>>>> Here is the draft Advisory.
>>>>>> 
>>>>>> I will not get CVE ID and osvdb id until tomorrow.
>>>>>> 
>>>>>> JJ
>>>>>> 
>>>>>> -----Original Message-----
>>>>>> From: Oscar Renalias [mailto:oscar at renalias.net]
>>>>>> Sent: Sunday, November 26, 2006 11:48 AM
>>>>>> To: Jesper Jurcenoks
>>>>>> Cc: contact at lifetype.net
>>>>>> Subject: Re: Vulnerabilities in Lifetype
>>>>>> 
>>>>>> I think your terms are fair enough, I don't see any problem with
>>>>>> them.
>>>>>> 
>>>>>> As soon as you provide me with the details of the vulnerability, I
>>>>>> will get working on it and keep you posted.
>>>>>> 
>>>>>> Oscar
>>>>>> 
>>>>>> On 26 Nov 2006, at 21:23, Jesper Jurcenoks wrote:
>>>>>> 
>>>>>>> Hi Oscar.
>>>>>>> 
>>>>>>> I have not released the vulnerabilities yet.
>>>>>>> 
>>>>>>> I like to have a link to a patch in the Security Advisory.
>>>>>>> 
>>>>>>> Once the problem has been patched then you will probably make a
>>>>>>> small announcement under news stating the problem and the solution, I
>>>>>>> would like to get credited for finding the vulnerability on this page.
>>>>>>> 
>>>>>>> I would like to make a link to this news page as well.
>>>>>>> 
>>>>>>> I would also like us to coordinate the release of the patch, your
>>>>>>> news blog and the security advisory release so that they are released
>>>>>>> at the same time.
>>>>>>> 
>>>>>>> I would love to have you link back to my security advisory in your
>>>>>>> news release.
>>>>>>> 
>>>>>>> Can we agree on these terms before I send you the Draft Security
>>>>>>> Advisory?
>>>>>>> 
>>>>>>> Regards
>>>>>>> 
>>>>>>> Jesper Jurcenoks
>>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: Oscar Renalias [mailto: oscar at renalias.net]
>>>>>>> Sent: Sunday, November 26, 2006 10:54 AM
>>>>>>> To: Jesper Jurcenoks
>>>>>>> Cc: contact at lifetype.net
>>>>>>> Subject: Re: Vulnerabilities in Lifestyle
>>>>>>> 
>>>>>>> Hi,
>>>>>>> 
>>>>>>> could you please send these vulnerabilities to this address? We
>>>>>>> will then act accordingly.
>>>>>>> 
>>>>>>> Have you released them to the public in any way yet?
>>>>>>> 
>>>>>>> Regards,
>>>>>>> 
>>>>>>> Oscar Renalias
>>>>>>> LifeType Project Leader
>>>>>>> 
>>>>>>> On 26 Nov 2006, at 20:32, Jesper Jurcenoks wrote:
>>>>>>> 
>>>>>>>> Dear Lifestyle
>>>>>>>> 
>>>>>>>> I have found some vulnerabilities in your software and would like
>>>>>>>> to open a dialog with you about this.
>>>>>>>> 
>>>>>>>> Regards
>>>>>>>> 
>>>>>>>> JJ
>>>>>>>> 
>>>>>>>> Jesper "JJ" Jurcenoks
>>>>>>>> Co-founder
>>>>>>>> 
>>>>>>>> netVigilance is a leading provider of IT-security software
>>>>>>>> 
>>>>>>>> jesper.jurcenoks at netvigilance.com
>>>>>>>> 
>>>>>>>> Phone: +1 503-524-5758
>>>>>>>> Fax: +1 503-214-8612
>>>>>>>> 
>>>>>>>> 17937 SW McEwan Road Suite 250
>>>>>>>> Portland, Oregon 97224
>>>>>>>> 
>>>>>>>> 
>>>>>>>> For more information about netVigilance, visit
>>>>>>>> www.netvigilance.com
>>>>>>>> 
>>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>>> 
>>>>>> 
>>>>>> 
>>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> pLog-svn mailing list
>>>>> pLog-svn at devel.lifetype.net
>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>>> 
>>> 
>>> 
>> 
>> -- 
>> Jon Daley
>> http://jon.limedaley.com/
>> 
>> All truth passes through 3 stages.  First, it is ridiculed.
>> Second, it is violently opposed.  Third, it is accepted as being 
>> self-evident.
>> -- Arthur Schopenhauer
>> 
>

-- 
Jon Daley
http://jon.limedaley.com/

Laughter: A universal bond that draws all men closer.
-- Nathan Ausubel
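The thread asks for an .htaccess that stops the class/ files from being requested directly, which is what turns PHP's on-screen error output into a path disclosure. The following is an added example written for this page; it is not LifeType's own templates/.htaccess, and it assumes the web server is Apache with AllowOverride permitting access-control directives in that directory:

```apache
# Added example (not LifeType's own file): place this .htaccess in the
# class/ directory to refuse every direct HTTP request below it.
# Files that index.php pulls in through include()/require() are unaffected,
# because Apache access control applies to requests, not to PHP includes.

# Apache 2.4 and later
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 and earlier (the versions current when this thread was written)
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>
```

After deploying it, a request for class/bootstrap.php should return 403 instead of a PHP warning with a filesystem path in it. The second half of the fix belongs in php.ini, as the thread notes: `display_errors = Off` together with `log_errors = On` keeps any remaining notice in the server's error log rather than in the browser, which is the recommended production setting regardless of this particular directory.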

