hey kitties! please, keep your non-technical bullshit offlist. i have made very clear what is vulnerable and what is not, where it is and how to reproduce it.
so stop bullshitting and go get some milk.

On 6/5/07, Kradorex Xeron <[EMAIL PROTECTED]> wrote:
> I'm not going to bother commenting on your specific sections, so I'll top-post so as not to expose people to the bad content of the previous message:
>
> Okay...
> 1. You claim this is "Full Disclosure" yet you fail to disclose a lot of the information required to make an accurate advisory, THEN you proceed to tell people to google for it themselves. If you post it in that context, what relevance is your "advisory"? Why did you post it at all if you supply little to no source information, and no proof? Without that information, this "advisory" is useless.
>
> 2. This is a list designed for professionals and those who know what they're talking about in a "loosened up" environment where we don't feel we'll get moderated for stuff we post.
>
> 3. You then proceed to use someone else's name to do what exactly? Your attempts at defaming Kevin Johnson made you yourself defamed instead, as it makes you appear egotistical and trying to bring someone else down for your own glory. You failed.
>
> 4. While on this list, try to speak professionally, and don't talk like you're some script kiddie that's urging to get some glory. From my perspective, that's what you are doing. If you don't want to be interpreted as that, use good form, don't use "STFU", "LOL" and/or such more than one time per post.
>
> Thank you,
> Krad Xeron
>
> On Tuesday 05 June 2007 13:48, Johnny Storm wrote:
> > > I think your "vulnerability report" sucks (to use your word.)
> > > 1) You use very unprofessional language
> >
> > ghhh.
> >
> > > 2) You provide no links to either Base or the Base+ fork so the reader can check for themselves.
> >
> > learn to read or to use google. (what's on the same top of my posting?)
> >
> > > 3) You provide no source from the Base+ fork to show how its authentication scheme is not vulnerable
> >
> > it's open source. go - check it yourself.
> >
> > > 4) You personalize your report by using Kevin's name, in an attempt to embarrass him
> >
> > it seems that you haven't yet noticed what is the name of his *security* product ;-)
> >
> > > 5) You provide no evidence that you have ever contacted the Base project and notified them of your "discovery"
> >
> > full disclosure.
> >
> > > 6) You don't even mention that an authentication vulnerability was **reported and fixed** more than a year ago, nor do you mention how your report relates to that vulnerability [1][2][3]
> >
> > you haven't done your homework. this vulnerability has nothing to do with those you discovered.
> >
> > > 7) You don't explain that the code you posted is not part of the authentication system and that the auth code is in base_auth_inc.php.
> >
> > learn to read. lol.
> >
> > > 8) You don't explain what you mean by "what if not?" The answer is, if not, then authentication is required, you do have a role and you have already authenticated.
> >
> > at this point you prove that you have no clue.
> > please, stfu and go offlist noob.
> >
> > On 6/5/07, Paul Schmehl <[EMAIL PROTECTED]> wrote:
> > > --On June 4, 2007 10:35:40 PM +0300 Johnny Storm <[EMAIL PROTECTED]> wrote:
> > > > Basic Analysis and Security Engine (BASE)
> > > > (http://base.secureideas.net/)
> > > >
> > > > One more security product with lame bugs...
> > > >
> > > > Let's look at Kevin's authentication code, for example in base_main.php (all pages vulnerable):
> > > >
> > > > [...]
> > > > // Check role out and redirect if needed -- Kevin
> > > > $roleneeded = 10000;
> > > > $BUser = new BaseUser();
> > > > //if (($Use_Auth_System == 1) && ($BUser->hasRole($roleneeded) == 0))
> > > > if ($Use_Auth_System == 1)
> > > > {
> > > >     if ($BUser->hasRole($roleneeded) == 0)
> > > >     {
> > > >         header("Location: $BASE_urlpath/index.php");
> > > >     }
> > > > }
> > > > [...]
> > > >
> > > > Where is the bug?
> > > > Yes, your browser will redirect after receiving the Location header, but what if not? ;-)
> > > >
> > > > Test with curl. This is not the first authentication issue in BASE, putting at risk users who use the BASE authentication feature. Google shows up many installations protected by this feature.
> > > >
> > > > All BASE versions with authentication are vulnerable.
> > > > ACID is not vulnerable, since it doesn't have such a feature.
> > > > The BASE+ fork fixed this issue a year ago.
> > > >
> > > > Use your web server authentication or BASE+, which sucks less.
> > >
> > > I think your "vulnerability report" sucks (to use your word.)
> > > 1) You use very unprofessional language
> > > 2) You provide no links to either Base or the Base+ fork so the reader can check for themselves.
> > > 3) You provide no source from the Base+ fork to show how its authentication scheme is not vulnerable
> > > 4) You personalize your report by using Kevin's name, in an attempt to embarrass him
> > > 5) You provide no evidence that you have ever contacted the Base project and notified them of your "discovery"
> > > 6) You don't even mention that an authentication vulnerability was **reported and fixed** more than a year ago, nor do you mention how your report relates to that vulnerability [1][2][3]
> > > 7) You don't explain that the code you posted is not part of the authentication system and that the auth code is in base_auth_inc.php.
> > > 8) You don't explain what you mean by "what if not?" The answer is, if not, then authentication is required, you do have a role and you have already authenticated.
> > >
> > > [1] <http://www.securityfocus.com/bid/17354>
> > > [2] <http://www.nessus.org/plugins/index.php?view=single&id=21174>
> > > [3] <http://nvd.nist.gov/nvd.cfm?cvename=CVE-2006-1505>
> > >
> > > Paul Schmehl ([EMAIL PROTECTED])
> > > Senior Information Security Analyst
> > > The University of Texas at Dallas
> > > http://www.utdallas.edu/ir/security/
> > >
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> > > Hosted and sponsored by Secunia - http://secunia.com/
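The defect argued over in the thread is a redirect header sent without terminating the script, so the protected page body is still emitted in the 302 response for any client that does not follow Location. The PHP below is an added illustration, not BASE's code: it shows the quoted role check beside a hardened form that stops execution after the redirect. `BaseUser`, `hasRole()`, `$Use_Auth_System` and `$BASE_urlpath` are taken from the quoted snippet; `require_role()` is a hypothetical helper name.

```php
<?php
// Added example, not code from BASE. Assumes the BaseUser class and the
// $Use_Auth_System / $BASE_urlpath globals seen in the quoted base_main.php.

// Vulnerable pattern: the Location header is queued, but the function returns
// and the caller keeps rendering the page, so the protected content ends up in
// the body of the 302 response. Browsers discard that body; other clients don't.
function check_role_vulnerable($BUser, $roleneeded, $BASE_urlpath)
{
    if ($BUser->hasRole($roleneeded) == 0) {
        header("Location: $BASE_urlpath/index.php");
        // no exit here: execution continues into the protected page
    }
}

// Hardened pattern (hypothetical helper): send the redirect with an explicit
// status and terminate immediately, so nothing after the check is ever sent
// to a client that lacks the role. Must be called before any output.
function require_role($BUser, $roleneeded, $BASE_urlpath)
{
    if ($BUser->hasRole($roleneeded) == 0) {
        header("Location: $BASE_urlpath/index.php", true, 302);
        exit; // the script ends here; the 302 goes out with an empty body
    }
}

// Usage mirroring the structure of the quoted block.
if ($Use_Auth_System == 1) {
    require_role(new BaseUser(), 10000, $BASE_urlpath);
}
// Protected page content is only reached if require_role() returned.
```

To confirm a deployment is fixed, fetch a protected page without following redirects (curl prints headers with -i and does not follow Location unless given -L) and verify that the 302 response carries no page body.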
