[pLog-svn] Fwd: Vulnerabilities in Lifetype
Jon Daley
plogworld at jon.limedaley.com
Mon Nov 27 17:06:54 GMT 2006
I originally thought that too, but additionally, you can see the
folder that it is installed in, so a little more than just what can be
downloaded. I still don't know why anyone would care. This guy is just
trying to get some publicity for himself.
File coming shortly.
On Mon, 27 Nov 2006, Oscar Renalias wrote:
> This "vulnerability" probably reveals as much path as would be revealed by
> downloading the source code and looking at the folder structure.
>
> I don't think it's a big deal but some people see the word security
> vulnerability and freak out so it should look like we're doing something
> about it :-)
>
> Can anybody help me out with the .htaccess?
>
> On 27 Nov 2006, at 01:31, Jon Daley wrote:
>
>> Yeah, I don't think you can count this as a vulnerability. What can
>> you do if you have the full path?
>> My site has it turned off, which I believe the docs in php.ini say
>> should be the default for a "production" server.
>> http://jon.limedaley.com/plog/class/security/bayesianfilter.class.php
>> We could simply add an .htaccess, I don't see a downside to this. It
>> would be nifty to have everything outside the webroot, though it makes it
>> harder for people to untar probably. And then a configuration option that
>> people wouldn't understand...
>>
>> On Sun, 26 Nov 2006, Reto Hugi wrote:
>>
>>> Although I personally don't see path disclosures as a big security issue
>>> (it's a security through obscurity thing, imo), some may classify it a
>>> vulnerability. At least it helps the attacker gather information
>>> about the target.
>>> For example cakePHP (http://www.cakephp.org/) has its files below
>>> the webroot (i.e. the webroot is a subfolder of cakePHP).
>>>
>>> Saying that it's a LifeType vuln. is IMO a bit far-fetched. But maybe we
>>> can copy the .htaccess from the templates folder and write some advice
>>> in the wizard to let users know about it. Would "JJ" agree on this as a
>>> fix?
>>>
>>>
>>> On 26.11.2006 22:28, Oscar Renalias wrote:
>>>> Well apparently the vulnerability is that PHP will reveal several
>>>> paths if you try to browse any of those URLs. But that's not LT's
>>>> fault, it's PHP's, as at least on lifetype.net it's configured to log
>>>> errors to the console (browser) too, and not just to Apache's error_log.
>>>>
>>>> I was just wondering whether this is severe enough to warrant the
>>>> moniker "vulnerability" or whether it should be written off.
>>>>
>>>> On 26 Nov 2006, at 23:24, Alexander Kaiser wrote:
>>>>
>>>>> ehm, he just sent you these two URLs?
>>>>> i don't know what he's up to.
>>>>>
>>>>> On 11/26/06, Oscar Renalias <oscar at renalias.net> wrote:
>>>>> What do you make out of this? Does anybody think that this is a
>>>>> "vulnerability"? Can we come up with similar examples from other
>>>>> applications?
>>>>>
>>>>> Begin forwarded message:
>>>>>
>>>>>> From: "Jesper Jurcenoks" <jesper.jurcenoks at netvigilance.com>
>>>>>> Date: 26 November 2006 22:51:27 GMT+02:00
>>>>>> To: "Oscar Renalias" <oscar at renalias.net>
>>>>>> Cc: <contact at lifetype.net>
>>>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>>>
>>>>>> Hi Oscar.
>>>>>>
>>>>>> Here are some live examples of the vulnerability
>>>>>>
>>>>>> http://www.lifetype.net/class/bootstrap.php
>>>>>> http://www.lifetype.net/class/security/bayesianfilter.class.php
>>>>>>
>>>>>> JJ
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Jesper Jurcenoks
>>>>>> Sent: Sunday, November 26, 2006 12:46 PM
>>>>>> To: 'Oscar Renalias'
>>>>>> Cc: contact at lifetype.net
>>>>>> Subject: RE: Vulnerabilities in Lifetype
>>>>>>
>>>>>> Here is the draft Advisory.
>>>>>>
>>>>>> I will not get CVE ID and osvdb id until tomorrow.
>>>>>>
>>>>>> JJ
>>>>>>
>>>>>> -----Original Message-----
>>>>>> From: Oscar Renalias [mailto:oscar at renalias.net]
>>>>>> Sent: Sunday, November 26, 2006 11:48 AM
>>>>>> To: Jesper Jurcenoks
>>>>>> Cc: contact at lifetype.net
>>>>>> Subject: Re: Vulnerabilities in Lifetype
>>>>>>
>>>>>> I think your terms are fair enough, I don't see any problem with
>>>>>> them.
>>>>>>
>>>>>> As soon as you provide me with the details of the vulnerability, I
>>>>>> will get working on it and keep you posted.
>>>>>>
>>>>>> Oscar
>>>>>>
>>>>>> On 26 Nov 2006, at 21:23, Jesper Jurcenoks wrote:
>>>>>>
>>>>>>> Hi Oscar.
>>>>>>>
>>>>>>> I have not released the vulnerabilities yet.
>>>>>>>
>>>>>>> I like to have a link to a patch in the Security Advisory.
>>>>>>>
>>>>>>> Once the problem has been patched then you will probably make a
>>>>>>> small announcement under news stating the problem and the solution, I
>>>>>>> would like to get credited for finding the vulnerability on this page.
>>>>>>>
>>>>>>> I would like to make a link to this news page as well.
>>>>>>>
>>>>>>> I would also like us to coordinate the release of the patch, your
>>>>>>> news blog and the security advisory release so that they are released
>>>>>>> at the same time.
>>>>>>>
>>>>>>> I would love to have you link back to my security advisory in your
>>>>>>> news release.
>>>>>>>
>>>>>>> Can we agree on these terms before I send you the Draft Security
>>>>>>> Advisory ?
>>>>>>>
>>>>>>> Regards
>>>>>>>
>>>>>>> Jesper Jurcenoks
>>>>>>>
>>>>>>> -----Original Message-----
>>>>>>> From: Oscar Renalias [mailto: oscar at renalias.net]
>>>>>>> Sent: Sunday, November 26, 2006 10:54 AM
>>>>>>> To: Jesper Jurcenoks
>>>>>>> Cc: contact at lifetype.net
>>>>>>> Subject: Re: Vulnerabilities in Lifestyle
>>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> could you please send these vulnerabilities to this address? We
>>>>>>> will then act accordingly.
>>>>>>>
>>>>>>> Have you released them to the public in any way yet?
>>>>>>>
>>>>>>> Regards,
>>>>>>>
>>>>>>> Oscar Renalias
>>>>>>> LifeType Project Leader
>>>>>>>
>>>>>>> On 26 Nov 2006, at 20:32, Jesper Jurcenoks wrote:
>>>>>>>
>>>>>>>> Dear Lifestyle
>>>>>>>>
>>>>>>>> I have found some vulnerabilities in your software and would like
>>>>>>>> to open a dialog with you about this.
>>>>>>>>
>>>>>>>> Regards
>>>>>>>>
>>>>>>>> JJ
>>>>>>>>
>>>>>>>> Jesper "JJ" Jurcenoks
>>>>>>>> Co-founder
>>>>>>>>
>>>>>>>> netVigilance is a leading provider of IT-security software
>>>>>>>>
>>>>>>>> jesper.jurcenoks at netvigilance.com
>>>>>>>>
>>>>>>>> Phone: +1 503-524-5758
>>>>>>>> Fax: +1 503-214-8612
>>>>>>>>
>>>>>>>> 17937 SW McEwan Road Suite 250
>>>>>>>> Portland, Oregon 97224
>>>>>>>>
>>>>>>>>
>>>>>>>> For more information about netVigilance, visit
>>>>>>>> www.netvigilance.com
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> pLog-svn mailing list
>>>>> pLog-svn at devel.lifetype.net
>>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
>>>>>
>>>>
>>>
>>>
>>
>> --
>> Jon Daley
>> http://jon.limedaley.com/
>>
>> All truth passes through 3 stages. First, it is ridiculed.
>> Second, it is violently opposed. Third, it is accepted as being
>> self-evident.
>> -- Arthur Schopenhauer
>>
>
--
Jon Daley
http://jon.limedaley.com/
Laughter: A universal bond that draws all men closer.
-- Nathan Ausubel
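For anyone picking up Oscar's request for an .htaccess above: the file below is an added example written for this archive page, not LifeType's own templates/.htaccess or anything from the project tree. It is meant to be dropped into class/ (and any other directory that holds only include files) so that a request such as /class/bootstrap.php is refused by Apache before PHP ever runs the file and gets a chance to print an error containing the filesystem path. It assumes Apache with .htaccess overrides enabled for that directory (AllowOverride Limit for the deny rules, Options for the php_flag lines) and PHP running as an Apache module; the module names in the IfModule guards are assumptions for that setup.

```apache
# Added example .htaccess for a directory of include-only PHP files.
# Not LifeType's own file. Assumes Apache httpd with AllowOverride
# permitting Limit and Options directives here, and mod_php for php_flag.

# Apache 2.4 and later: mod_authz_core provides "Require".
<IfModule mod_authz_core.c>
    Require all denied
</IfModule>

# Apache 2.2 and earlier (what most shared hosts ran in 2006):
# "Require all denied" is not understood, so fall back to mod_authz_host.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
</IfModule>

# Defence in depth: if the deny rules are ever lost (a vhost with
# AllowOverride None, a copy of the tree without this file), a directly
# requested class file must still not echo its fatal error, and with it
# the install path, back to the browser. Errors go to Apache's error_log.
# The php_flag directives are only valid when PHP is loaded as an Apache
# module; the guard keeps Apache from failing with a 500 otherwise.
# mod_php5.c is the PHP 5 module name (assumption); PHP 7 and 8 register
# as mod_php7.c and mod_php.c respectively.
<IfModule mod_php5.c>
    php_flag display_errors Off
    php_flag log_errors On
</IfModule>
```

To check it took effect, request one of the URLs from the advisory draft (for example /class/bootstrap.php on your own install) and confirm the answer is 403 Forbidden rather than a PHP error page. A 500 instead means the php_flag lines are being rejected because overrides are not permitted for that directory; drop that block and set display_errors = Off and log_errors = On in php.ini, which is what Jon's "production" php.ini setting amounts to. Note that an .htaccess only covers its own subtree, so each include-only directory needs one; keeping the include tree outside the webroot, as Jon and Reto suggest, removes the problem for every directory at once.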