> I think your "vulnerability report" sucks (to use your word.)
> 1) You use very unprofessional language

ghhh.

> 2) You provide no links to either Base or the Base+ fork so the reader can
> check for themselves.

learn to read or to use google. (what's on the very top of my posting?)

> 3) You provide no source from the Base+ fork to show how its
> authentication scheme is not vulnerable

it's open source. go - check it yourself.

> 4) You personalize your report by using Kevin's name, in an attempt to
> embarrass him

it seems that you haven't yet noticed what the name of his *security* product is ;-)

> 5) You provide no evidence that you have ever contacted the Base project
> and notified them of your "discovery"

full disclosure.

> 6) You don't even mention that an authentication vulnerability was
> **reported and fixed** more than a year ago, nor do you mention how your
> report relates to that vulnerability [1][2][3]

you haven't done your homework. this vulnerability has nothing to do with those you discovered.

> 7) You don't explain that the code you posted is not part of the
> authentication system and that the auth code is in base_auth_inc.php.

learn to read. lol.

> 8) You don't explain what you mean by "what if not?" The answer is, if
> not, then authentication is required, you do have a role and you have
> already authenticated.

at this point you prove that you have no clue. please, stfu and go offlist, noob.

On 6/5/07, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> --On June 4, 2007 10:35:40 PM +0300 Johnny Storm <[EMAIL PROTECTED]>
> wrote:
>
> > Basic Analysis and Security Engine (BASE)
> > (http://base.secureideas.net/)
> >
> > One more security product with lame bugs...
> >
> > Let's look at Kevin's authentication code,
> > for example in base_main.php (all pages vulnerable):
> >
> > [...]
> > // Check role out and redirect if needed -- Kevin
> > $roleneeded = 10000;
> > $BUser = new BaseUser();
> > //if (($Use_Auth_System == 1) && ($BUser->hasRole($roleneeded) == 0))
> > if ($Use_Auth_System == 1)
> > {
> >     if ($BUser->hasRole($roleneeded) == 0)
> >     {
> >         header("Location: $BASE_urlpath/index.php");
> >     }
> > }
> > [...]
> >
> > Where is the bug?
> > Yes, your browser will redirect after receiving the Location header,
> > but what if not? ;-)
> >
> > Test with curl. This is not the first authentication issue in BASE,
> > putting at risk users who use the BASE authentication feature.
> > Google shows many installations protected by this feature.
> >
> > All BASE versions with authentication are vulnerable.
> > ACID is not vulnerable, since it doesn't have such a feature.
> > The BASE+ fork fixed this issue a year ago.
> >
> > Use your web server authentication or BASE+, which sucks less.
> >
> I think your "vulnerability report" sucks (to use your word.)
> 1) You use very unprofessional language
> 2) You provide no links to either Base or the Base+ fork so the reader can
> check for themselves.
> 3) You provide no source from the Base+ fork to show how its
> authentication scheme is not vulnerable
> 4) You personalize your report by using Kevin's name, in an attempt to
> embarrass him
> 5) You provide no evidence that you have ever contacted the Base project
> and notified them of your "discovery"
> 6) You don't even mention that an authentication vulnerability was
> **reported and fixed** more than a year ago, nor do you mention how your
> report relates to that vulnerability [1][2][3]
> 7) You don't explain that the code you posted is not part of the
> authentication system and that the auth code is in base_auth_inc.php.
> 8) You don't explain what you mean by "what if not?" The answer is, if
> not, then authentication is required, you do have a role and you have
> already authenticated.
>
> [1] <http://www.securityfocus.com/bid/17354>
> [2] <http://www.nessus.org/plugins/index.php?view=single&id=21174>
> [3] <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1505>
>
> Paul Schmehl ([EMAIL PROTECTED])
> Senior Information Security Analyst
> The University of Texas at Dallas
> http://www.utdallas.edu/ir/security/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
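The control-flow point the two posters disagree on (what happens after `header("Location: ...")` when the client ignores the redirect), as an added example that is not BASE's code and not part of either message above. `BaseUser`, `$Use_Auth_System` and `$BASE_urlpath` are stand-ins assumed here so the script runs on its own; the user is always anonymous, and the `mode` query parameter only selects which of the two patterns is exercised.

```php
<?php
// role_check_demo.php -- added example, not BASE's code (nor Paul's or Johnny's).
// Serve with:   php -S 127.0.0.1:8080 role_check_demo.php
// Then compare (curl does not follow redirects unless given -L):
//   curl -i 'http://127.0.0.1:8080/?mode=vulnerable'
//   curl -i 'http://127.0.0.1:8080/?mode=fixed'
// Both answer "302 Found" with "Location: /base/index.php", but only the
// vulnerable mode also ships the protected HTML in the response body.
// BaseUser, $Use_Auth_System and $BASE_urlpath are stand-ins (assumptions)
// for the real BASE class and globals; the user here never holds any role.

class BaseUser {
    private $roles;
    public function __construct(array $roles = array()) { $this->roles = $roles; }
    // 1 if the user holds the role, 0 otherwise (the thread compares hasRole() to 0).
    public function hasRole($role) { return in_array($role, $this->roles, true) ? 1 : 0; }
}

$Use_Auth_System = 1;
$BASE_urlpath    = '/base';
$roleneeded      = 10000;
$BUser           = new BaseUser();   // anonymous: no roles at all
$mode            = isset($_GET['mode']) ? $_GET['mode'] : 'vulnerable';

if ($mode === 'vulnerable') {
    // The pattern quoted in the thread. header() only queues the Location
    // header; PHP keeps executing, so the "protected" output further down is
    // still sent as the body of the 302 response.
    if ($Use_Auth_System == 1) {
        if ($BUser->hasRole($roleneeded) == 0) {
            header("Location: $BASE_urlpath/index.php");
            // no exit: execution falls through to the page content below
        }
    }
} else {
    // Hardened: stop the script the moment the redirect is issued, so an
    // unauthorized client receives the 302 and an empty body, nothing else.
    if ($Use_Auth_System == 1 && $BUser->hasRole($roleneeded) == 0) {
        header("Location: $BASE_urlpath/index.php", true, 302);
        exit;
    }
}

// Everything from here on is page content that only role holders should see.
echo "<h1>BASE alert listing (protected content)</h1>\n";
echo "<p>mode=" . htmlspecialchars($mode, ENT_QUOTES, 'UTF-8') . "</p>\n";
```

The check must also run before any output is produced: once the first byte of the body has been sent, PHP can no longer add a `Location` header at all (it emits a "headers already sent" warning and serves the page with a 200), so a redirect-based guard belongs at the very top of every page and must be followed by `exit`.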
