[pLog-svn] Fwd: Vulnerabilities in Lifetype

Matt Wood matt at woodzy.com
Mon Nov 27 19:32:49 GMT 2006


"Full Path Disclosures" are rarely dangerous until coupled with a more
interesting exploit/vulnerability. It also provides information such as "is
this a default install"... was this customized... what kind of controls can
we expect on this machine. In short it reveals a lot about the configuration
of the server & plog installation.

But rarely is this alone a serious problem.

-Matt

On 11/27/06, Jon Daley <plogworld at jon.limedaley.com> wrote:
>
>         I originally thought that too, but additionally, you can see the
> folder that it is installed in, so a little more than just what can be
> downloaded.  I still don't know why anyone would care.  This guy is just
> trying to get some publicity for himself.
>         File coming shortly.
>
>
> On Mon, 27 Nov 2006, Oscar Renalias wrote:
>
> > This "vulnerability" probably reveals as much path as would be revealed by
> > downloading the source code and looking at the folder structure.
> >
> > I don't think it's a big deal but some people see the word security
> > vulnerability and freak out so it should look like we're doing something
> > about it :-)
> >
> > Can anybody help me out with the .htaccess?
> >
> > On 27 Nov 2006, at 01:31, Jon Daley wrote:
> >
> >>      Yeah, I don't think you can count this as a vulnerability.  What can
> >> you do if you have the full path?
> >>      My site has it turned off, which I believe the docs in php.ini say
> >> that should be the default for a "production" server.
> >> http://jon.limedaley.com/plog/class/security/bayesianfilter.class.php
> >>      We could simply add an .htaccess, I don't see a downside to this.  It
> >> would be nifty to have everything outside the webroot, though it makes it
> >> harder for people to untar probably.  And then a configuration option that
> >> people wouldn't understand...
> >>
> >> On Sun, 26 Nov 2006, Reto Hugi wrote:
> >>
> >>> Although I personally don't see path disclosures as a big security issue
> >>> (it's a security through obscurity thing, imo), some may classify it as a
> >>> vulnerability. At least it helps the attacker gather information
> >>> about the target.
> >>> For example cakePHP (http://www.cakephp.org/) has its files below
> >>> the webroot (i.e. the webroot is a subfolder of cakePHP).
> >>>
> >>> Saying that it's a LifeType vuln. is IMO a bit far-fetched. But maybe we
> >>> can copy the .htaccess from the templates folder and write some advice
> >>> in the wizard to let users know about it. Would "JJ" agree on this as a
> >>> fix?
> >>>
> >>>
> >>> On 26.11.2006 22:28, Oscar Renalias wrote:
> >>>> Well apparently the vulnerability is that PHP will reveal several
> >>>> paths if you try to browse any of those URLs. But that's not LT's
> >>>> fault, it's PHP's as at least in lifetype.net, it's configured to log
> >>>> errors to the console (browser) too, and not just to Apache's error_log.
> >>>>
> >>>> I was just wondering whether this is severe enough to warrant the
> >>>> moniker "vulnerability" or whether it should be written off.
> >>>>
> >>>> On 26 Nov 2006, at 23:24, Alexander Kaiser wrote:
> >>>>
> >>>>> ehm, he just sent you these two URLs?
> >>>>> I don't know what he's up to.
> >>>>>
> >>>>> On 11/26/06, Oscar Renalias <oscar at renalias.net> wrote:
> >>>>> What do you make out of this? Does anybody think that this is a
> >>>>> "vulnerability"? Can we come up with similar examples from other
> >>>>> applications?
> >>>>>
> >>>>> Begin forwarded message:
> >>>>>
> >>>>>> From: "Jesper Jurcenoks" <jesper.jurcenoks at netvigilance.com>
> >>>>>> Date: 26 November 2006 22:51:27 GMT+02:00
> >>>>>> To: "Oscar Renalias" <oscar at renalias.net>
> >>>>>> Cc: <contact at lifetype.net>
> >>>>>> Subject: RE: Vulnerabilities in Lifetype
> >>>>>>
> >>>>>> Hi Oscar.
> >>>>>>
> >>>>>> Here are some live examples of the vulnerability
> >>>>>>
> >>>>>> http://www.lifetype.net/class/bootstrap.php
> >>>>>> http://www.lifetype.net/class/security/bayesianfilter.class.php
> >>>>>>
> >>>>>> JJ
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Jesper Jurcenoks
> >>>>>> Sent: Sunday, November 26, 2006 12:46 PM
> >>>>>> To: 'Oscar Renalias'
> >>>>>> Cc: contact at lifetype.net
> >>>>>> Subject: RE: Vulnerabilities in Lifetype
> >>>>>>
> >>>>>> Here is the draft Advisory.
> >>>>>>
> >>>>>> I will not get CVE ID and osvdb id until tomorrow.
> >>>>>>
> >>>>>> JJ
> >>>>>>
> >>>>>> -----Original Message-----
> >>>>>> From: Oscar Renalias [mailto:oscar at renalias.net]
> >>>>>> Sent: Sunday, November 26, 2006 11:48 AM
> >>>>>> To: Jesper Jurcenoks
> >>>>>> Cc: contact at lifetype.net
> >>>>>> Subject: Re: Vulnerabilities in Lifetype
> >>>>>>
> >>>>>> I think your terms are fair enough, I don't see any problem with them.
> >>>>>>
> >>>>>> As soon as you provide me with the details of the vulnerability, I
> >>>>>> will get working on it and keep you posted.
> >>>>>>
> >>>>>> Oscar
> >>>>>>
> >>>>>> On 26 Nov 2006, at 21:23, Jesper Jurcenoks wrote:
> >>>>>>
> >>>>>>> Hi Oscar.
> >>>>>>>
> >>>>>>> I have not released the vulnerabilities yet.
> >>>>>>>
> >>>>>>> I like to have a link to a patch in the Security Advisory.
> >>>>>>>
> >>>>>>> Once the problem has been patched then you will probably make a small
> >>>>>>> announcement under news stating the problem and the solution, I would
> >>>>>>> like to get credited for finding the vulnerability on this page.
> >>>>>>>
> >>>>>>> I would like to make a link to this news page as well.
> >>>>>>>
> >>>>>>> I would also like us to coordinate the release of the patch, your news
> >>>>>>> blog and the security advisory release so that they are released at the
> >>>>>>> same time.
> >>>>>>>
> >>>>>>> I would love to have you link back to my security advisory in your news
> >>>>>>> release.
> >>>>>>>
> >>>>>>> Can we agree on these terms before I send you the Draft Security
> >>>>>>> Advisory?
> >>>>>>>
> >>>>>>> Regards
> >>>>>>>
> >>>>>>> Jesper Jurcenoks
> >>>>>>>
> >>>>>>> -----Original Message-----
> >>>>>>> From: Oscar Renalias [mailto:oscar at renalias.net]
> >>>>>>> Sent: Sunday, November 26, 2006 10:54 AM
> >>>>>>> To: Jesper Jurcenoks
> >>>>>>> Cc: contact at lifetype.net
> >>>>>>> Subject: Re: Vulnerabilities in Lifestyle
> >>>>>>>
> >>>>>>> Hi,
> >>>>>>>
> >>>>>>> could you please send these vulnerabilities to this address? We will
> >>>>>>> then act accordingly.
> >>>>>>>
> >>>>>>> Have you released them to the public in any way yet?
> >>>>>>>
> >>>>>>> Regards,
> >>>>>>>
> >>>>>>> Oscar Renalias
> >>>>>>> LifeType Project Leader
> >>>>>>>
> >>>>>>> On 26 Nov 2006, at 20:32, Jesper Jurcenoks wrote:
> >>>>>>>
> >>>>>>>> Dear Lifestyle
> >>>>>>>>
> >>>>>>>> I have found some vulnerabilities in your software and would like
> >>>>>>>> to open a dialog with you about this.
> >>>>>>>>
> >>>>>>>> Regards
> >>>>>>>>
> >>>>>>>> JJ
> >>>>>>>>
> >>>>>>>> Jesper "JJ" Jurcenoks
> >>>>>>>> Co-founder
> >>>>>>>>
> >>>>>>>> netVigilance is a leading provider of IT-security software
> >>>>>>>>
> >>>>>>>> jesper.jurcenoks at netvigilance.com
> >>>>>>>>
> >>>>>>>> Phone: +1 503-524-5758
> >>>>>>>> Fax: +1 503-214-8612
> >>>>>>>>
> >>>>>>>> 17937 SW McEwan Road Suite 250
> >>>>>>>> Portland, Oregon 97224
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> For more information about netVigilance, visit www.netvigilance.com
> >>>>>>>>
> >>>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>
> >>>>>>
> >>>>>>
> >>>>>
> >>>>> _______________________________________________
> >>>>> pLog-svn mailing list
> >>>>> pLog-svn at devel.lifetype.net
> >>>>> http://devel.lifetype.net/mailman/listinfo/plog-svn
> >>>>>
> >>>>
> >>>
> >>>
> >>
> >> --
> >> Jon Daley
> >> http://jon.limedaley.com/
> >>
> >> All truth passes through 3 stages.  First, it is ridiculed.
> >> Second, it is violently opposed.  Third, it is accepted as being
> >> self-evident.
> >> -- Arthur Schopenhauer
> >>
> >
>
> --
> Jon Daley
> http://jon.limedaley.com/
>
> Laughter: A universal bond that draws all men closer.
> -- Nathan Ausubel
>
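The thread settles on two fixes: turn display_errors off (Jon's php.ini point) and stop direct requests to the class files with an .htaccess. The script below is an added example, not LifeType code and not anything the posters wrote. It shows what the leak actually hands an attacker and how to check for it from both sides: it spots PHP error text carrying a filesystem path in a response body, recovers the install directory from that path plus the URL that was requested (the extra information Jon mentions), and flags the php.ini settings that make the leak possible. The response body, the /home/lifetype/... paths, the getConfig() function name and the php.ini fragments are all constructed for the example; real error text depends on the PHP build and on what the requested file does before it fails.

```python
"""Checks for the PHP full-path disclosure discussed in this thread.

Added example, not LifeType project code. The response bodies and php.ini
fragments below are constructed; real error text depends on the PHP build
and on what a directly requested class file does before it fails.
"""
import posixpath
import re

# Constructed: PHP's HTML-formatted error output (html_errors=On) for a class
# file requested directly while display_errors=On. Function name and path are
# invented for illustration.
SAMPLE_LEAKY_RESPONSE = (
    "<br />\n"
    "<b>Fatal error</b>:  Call to undefined function  getConfig() in "
    "<b>/home/lifetype/public_html/class/bootstrap.php</b> on line <b>23</b><br />\n"
)

# With display_errors=Off the same request returns an empty body.
SAMPLE_CLEAN_RESPONSE = ""

TAG_RE = re.compile(r"<[^>]+>")
PHP_ERROR_RE = re.compile(
    r"(?P<kind>Fatal error|Parse error|Warning|Notice|Deprecated):\s+"
    r"(?P<msg>.*?)\s+in\s+(?P<path>/\S+\.php)\s+on line\s+(?P<line>\d+)"
)


def find_path_disclosures(body):
    """Return one record per PHP error message that embeds a filesystem path.

    Tags are stripped first, so plain-text output (html_errors=Off) and the
    'PHP Fatal error: ...' form seen in logs match the same pattern."""
    text = TAG_RE.sub("", body)
    return [
        {"kind": m.group("kind"), "path": m.group("path"), "line": int(m.group("line"))}
        for m in PHP_ERROR_RE.finditer(text)
    ]


def infer_install_dir(leaked_path, request_path):
    """Peel the requested URL path off the leaked filesystem path.

    /home/x/public_html/class/bootstrap.php requested as /class/bootstrap.php
    gives /home/x/public_html. Returns None when the two do not line up (the
    error came from some other file, e.g. an include)."""
    leaked = posixpath.normpath(leaked_path)
    suffix = posixpath.normpath("/" + request_path.lstrip("/"))
    if not leaked.endswith(suffix):
        return None
    root = leaked[: -len(suffix)]
    return root or "/"


# Constructed php.ini fragments: the settings that produce the leak, and the
# production-style settings Jon refers to.
SAMPLE_DEV_INI = """
[PHP]
; errors go to the browser, nothing is logged
display_errors = On
log_errors = Off
"""

SAMPLE_PROD_INI = """
[PHP]
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log
"""

_ON = {"on", "1", "true", "yes"}
_DISPLAY_ON = _ON | {"stdout"}  # display_errors=stdout also reaches the client


def parse_php_ini(text):
    """Minimal php.ini reader: 'key = value' lines, ';' comments, [sections]
    ignored. Enough for the error-handling keys, not a full ini parser."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        settings[key.lower()] = value.strip('"').lower()
    return settings


def php_ini_findings(text):
    """Report the settings that turn a direct request into a path leak.

    An absent key is treated as unsafe: its effective value then comes from
    the build's compiled-in default, which this check cannot see."""
    ini = parse_php_ini(text)
    findings = []
    if ini.get("display_errors", "on") in _DISPLAY_ON:
        findings.append("display_errors is on: error text, paths included, goes to the client")
    if ini.get("log_errors", "off") not in _ON:
        findings.append("log_errors is off: errors are not written to the server log")
    return findings


if __name__ == "__main__":
    for leak in find_path_disclosures(SAMPLE_LEAKY_RESPONSE):
        print(leak["kind"], leak["path"], "line", leak["line"])
        print("install dir:", infer_install_dir(leak["path"], "/class/bootstrap.php"))
    for name, ini in (("dev", SAMPLE_DEV_INI), ("prod", SAMPLE_PROD_INI)):
        print(name, php_ini_findings(ini) or ["no findings"])
```

Run find_path_disclosures() over the body curl returns for the two URLs JJ listed; an empty result after the fix only proves the text is no longer displayed, which is why the php.ini check is there too. The .htaccess side of the fix is independent of PHP's settings: a class/.htaccess containing "Deny from all" (Apache 2.2 syntax; "Require all denied" on 2.4) makes Apache answer 403 before PHP ever runs the file, so there is no error to display.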