[VIM] Bugtraq ID# 53694 is invalid/fake (fwd)

security curmudgeon jericho at attrition.org
Tue Jun 19 03:26:48 CDT 2012


Posting here for public archiving.

---------- Forwarded message ----------
From: BabyGekko Support <info at babygekko.com>
To: l3br1z <l3br1z at gmail.com>
Cc: bugtraq at securityfocus.com, bugtraq2 at securityfocus.com,
     OSVDB Moderators <moderators at osvdb.org>
Date: Sun, 17 Jun 2012 18:06:29 -0600
Subject: Re: [OSVDB Mods] Bugtraq ID# 53694 is invalid/fake

Hello l3br1z,

I'm not mad. What I'm saying is you need to understand the function and
what it does before jumping to conclusions. My forum is always open (and
you are more than welcome to publish whatever finding you have). Again,
take a look at TinyMCE compressor as an example. I have taken a look at
your past exploits, and while some XSS that you've published are correct,
many of your conclusions about remote file uploads were incorrect.
Verifying your result with the vendor is important because the result
isn't always correct.

Running a source code analyzer and publishing it without verification
isn't going to make you "31337". It also reduces your credibility and
people will be less likely to trust your result. When you're really good at
what you do, you can actually make money from it instead of just running
around and publishing the arbitrary result of whatever a source code analyzer
gives you. Source code analyzers are worth a dime a dozen.

I'd say pick up some book about CS in general, learn the data structure, 
then you'll be a good security researcher who gets paid a lot of money in 
the future.

Best regards and good luck to all your future endeavours.

On 2012-06-16, at 6:36 AM, l3br1z wrote:

> Hello Man :D
>
> Ok Bro
>
> I will provide a Proof Of Concept Soon :D
>
> And I Will test your version on iis :D
>
> rg
>
> And If I Made You Mad, I'm sorry :(
>
> I'm From Lebanon
>
> My English Is not good :P
>
>
>
> On Fri, Jun 15, 2012 at 6:51 PM, BabyGekko Support <info at babygekko.com> wrote:
> Hello  l3br1z,
>
> The function is designed to load the js.gz in /js directory. Also - one more thing - you need to take a look at http://www.tinymce.com/wiki.php/Compressors:PHP
>
> Mine works in a similar function.
>
> 1) You did not provide a proof of concept. Please provide a proof of concept - you can test http://gekkocms.babygekko.com
> 2) Unlike real researchers who contacted me about other issues (and I respectfully published their research), they either contacted me via public forum or they emailed me. You did not show any respect for a software author, and you also did not provide a proof of concept. You need to learn how to read source code.
>
> I have no other file or "somefile.php" with cmd as parameter. Please provide a proof of concept via http://gekkocms.babygekko.com if you can read outside of /js directory. The function is designed to load anything with .js.gz extension. I don't have any file that has another readfile function. You're more than welcome to test the IIS version of babygekko CMS as well: http://www.microsoft.com/web/gallery/babygekko.aspx
>
> http://localhost/somefile.php?cmd=./somefile.php
>
> http://www.securityfocus.com/archive/1/description#0.1.8
> What is the proper protocol to report a security vulnerability?
> A sensible protocol to follow while reporting a security vulnerability is as follows:
>
> - Contact the product's vendor or maintainer and give them a one week period to respond. If they don't respond post to the list.
> - If you do hear from the vendor give them what you consider appropriate time to fix the vulnerability. This will depend on the vulnerability and the product. It's up to you to make an estimate. If they don't respond in time post to the list.
> - If they contact you asking for more time consider extending the deadline in good faith. If they continually fail to meet the deadline post to the list.
> When is it advisable to post to the list without contacting the vendor?
> - When the product is no longer actively supported.
> - When you believe the vulnerability to be actively exploited and not informing the community as soon as possible would cause more harm than good.
>
> I have no fix to be released because this isn't a vulnerability. It does what it's supposed to do and it won't load other files outside of that directory. Good luck with your study of source code analyzer :)
>
>
> On 2012-06-15, at 1:58 PM, l3br1z wrote:
>
>> Hello
>>
>> I'm l3br1'z
>>
>> man look to your code here
>>
>> $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
>> $etag = sprintf('bbgk%u',crc32($filename));
>> header("Content-type: text/javascript; charset: UTF-8");
>> if(isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH']))
>> {
>>     if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag)
>>     {
>>         header('HTTP/1.1 304 Not Modified');
>>         exit();
>>     }
>> } else
>> if (file_exists (SITE_PATH.'/js/'.$filename.'.js.gz'))
>> {
>>     header("Vary: Accept-Encoding");
>>     header("Cache-Control: public, max-age=".(144000 * 24));
>>     header("Pragma: public");
>>     header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
>>     header("Content-Encoding: gzip");
>>     header("ETag: \"{$etag}\"");
>>     readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>> } else
>> {
>>     echo ("alert('{$filename} could not be loaded');");
>> }
>> ?>
>>
>>
>> $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); //
>>
>> we have GET Js
>>
>> Well Lets See Below This Code :D
>>
>> readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>> if (file_exists (SITE_PATH.'/js/'.$filename.'.js.gz'))
>>
>> we have 2 func danger here :D
>>
>> 1st 1 is readfile
>>
>> E.g ( readfile($_GET['cmd']); )
>>
>> Will be
>>
>> http://localhost/somefile.php?cmd=./somefile.php
>>
>> will read this code easily :D
>>
>> and the func file_exists
>>
>> file exists like show_source if you know security Parameter :D
>>
>> And look to this :
>>     header("Vary: Accept-Encoding");
>>     header("Cache-Control: public, max-age=".(144000 * 24));
>>     header("Pragma: public");
>>     header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
>>     header("Content-Encoding: gzip");
>>     header("ETag: \"{$etag}\"");
>>     readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>>
>> will download the file as .js.gz
>>
>>
>> http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
>> http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php
>>
>> your p0c here does not work :D
>>
>> cz we have
>>
>> readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>>
>> js.gz
>>
>> the url will not download file
>>
>> cz we don't have file named
>>
>> config.inc.php.js.gz
>>
>> :D
>>
>> we will use the p0c from cmd :D
>>
>> rg
>>
>> Take Some Lessons Man :)
>>
>>
>>
>>
>>
>>
>> On Thu, Jun 14, 2012 at 11:57 AM, Information Booth <info at babygekko.com> wrote:
>> This is in regards to:
>>
>> http://www.securityfocus.com/bid/53694
>>
>> This is an uncoordinated release, the author did not make any attempt
>> to notify us either by email or the public forum. The non-working
>> exploit seems to have been copied and pasted with RIPS source code
>> analyzer and the author didn't even bother to test or understand the
>> code. A real hacker can read source code, not run a RIPS source code
>> analyzer and publish the finding without due diligence.
>>
>> This is the result:
>> Try : alert('..config.inc.php could not be loaded');
>>
>> 1) The "/" or %2F won't be accepted. $filename =
>> preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent
>> path traversal
>> 2) It will only read js.gz file (I see attempts to load /etc/passwd
>> but that doesn't make sense - I don't think he knows/understands how to
>> read source code) - readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>> The bad chars will be stripped anyway ...
>> 3) Test:
>> http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
>> http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php
>>
>> The js_gzip.php was included as of v1.1.5a
>>
>> Also older versions on my website:
>>
>> http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.4.zip
>> http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
>> http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
>> http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5c.zip
>>
>> I am fine with people publishing vulnerabilities to make code more
>> secure. What I'm unhappy about is how some wannabe script kiddiot can just
>> download source code analyzers/scanners and publish things WITHOUT any
>> prior test and WITHOUT contacting vendors. I have had people publish
>> their findings in my forum and I'm fine. But not when they don't at
>> least test or contact me and it then later turns out to be a false alarm.
>>
>> Here's a copy & paste from v1.1.5a (old version - the same)
>> /js/js_gzip.php
>>
>> //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
>> // Baby Gekko content management system - Copyright (C) Baby Gekko.
>> // This is a SHARED SOURCE, NOT OPEN SOURCE (GPL).
>> // You may use this software commercially, but you are not allowed to create a fork or create a derivative of this software
>> // Please read the license for details
>> //++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
>> include ('../config.inc.php');
>> error_reporting(0);
>>
>> $filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent path traversal
>> $etag = sprintf('bbgk%u',crc32($filename));
>> header("Content-type: text/javascript; charset: UTF-8");
>> if(isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) || isset($_SERVER['HTTP_IF_NONE_MATCH']))
>> {
>>     if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '', stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag)
>>     {
>>         header('HTTP/1.1 304 Not Modified');
>>         exit();
>>     }
>> } else
>> if (file_exists (SITE_PATH.'/js/'.$filename.'.js.gz'))
>> {
>>     header("Vary: Accept-Encoding");
>>     header("Cache-Control: public, max-age=".(144000 * 24));
>>     header("Pragma: public");
>>     header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
>>     header("Content-Encoding: gzip");
>>     header("ETag: \"{$etag}\"");
>>     readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
>> } else
>> {
>>     echo ("alert('{$filename} could not be loaded');");
>> }
>> ?>
>>
>>
>>
>> --
>> Proud To Be Lebanese :D
>>
>> I Will Miss You My Friends : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The Injector, N4ss1m, Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The Viper, Th3 Killer Dz, Over-X <3, And All My Friends.
>>
>> Sec4ever.com.
>>
>
>
>
>
> --
> Proud To Be Lebanese :D
>
> I Will Miss You My Friends : b0x, Virus-Ra3ch, Damane2011, Hacker-1420, The Injector, N4ss1m, Sec4ever, B07 M4S73R, Stalk3r, Hacker-Dz, Mr.XKILLeR, The Viper, Th3 Killer Dz, Over-X <3, And All My Friends.
>
> Sec4ever.com.
>

_______________________________________________
Moderators mailing list
Moderators at osvdb.org
http://lists.osvdb.org/mailman/listinfo/moderators
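
The character whitelist debated in this thread, as an added example (not part of the original messages and not Baby Gekko's code): it applies the quoted `preg_replace` to traversal-style values and adds a `realpath` containment check as defense in depth. The function names, the temporary fixture directory and every input other than `../config.inc.php` are constructed for illustration.

```php
<?php
// Added example, not Baby Gekko's code. Helper names and the fixture
// directory are hypothetical; extra inputs are constructed.

// Same character whitelist as the js_gzip.php line quoted in the thread.
function filter_js_param(string $raw): string {
    return (string) preg_replace("/[^a-z._\d]/i", "", $raw);
}

// Build the path the way the quoted code does, then add a containment
// check (realpath + parent compare) that the quoted code does not have.
function resolve_js_asset(string $jsDir, string $raw): ?string {
    $real = realpath($jsDir . '/' . filter_js_param($raw) . '.js.gz');
    $base = realpath($jsDir);
    if ($real === false || $base === false) {
        return null;                       // missing file or directory
    }
    return dirname($real) === $base ? $real : null;
}

// Constructed fixture: site root with config.inc.php and js/jquery.js.gz.
$site = sys_get_temp_dir() . '/gekko_demo_' . getmypid();
mkdir($site . '/js', 0700, true);
file_put_contents($site . '/config.inc.php', 'constructed');
file_put_contents($site . '/js/jquery.js.gz', 'constructed');

$inputs = [
    '../config.inc.php',      // value $_GET['js'] holds for both thread URLs
    '..\\config.inc.php',     // constructed: Windows-style separator
    "../config.inc.php\0",    // constructed: trailing NUL byte
    '....//config.inc.php',   // constructed: doubled separators
    'jquery',                 // constructed: legitimate asset name
];
foreach ($inputs as $in) {
    $served = resolve_js_asset($site . '/js', $in);
    printf("%-26s filtered=%-20s served=%s\n",
        addcslashes($in, "\0..\37"), filter_js_param($in),
        $served === null ? 'no' : basename($served));
}

// Remove the fixture.
unlink($site . '/js/jquery.js.gz');
unlink($site . '/config.inc.php');
rmdir($site . '/js');
rmdir($site);
```

Run it with the PHP CLI: the filter removes every path separator and the NUL byte, so only the `jquery` input resolves to a file under the fixture's `js` directory.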

