SomeDude wrote:

> What version(s) of fms were these fixed in?

Captcha validation was introduced in 0.2.23, but there was code to limit the mime type to 50 characters back in 0.1.10. As far as the format strings, I suppose he's talking about the old log file class. It was removed in 0.3.0.

> How was this used to collect IP addresses? Can someone explain the
> mechanism in more detail? What does it mean by "redirects" - Freenet
> redirects? Or HTTP redirects?

HTTP redirect. Each response from the HTTP server has header info in it. The headers specify things like content type and data length. Each header is separated by a newline, and from the actual data by 2 newlines. FMS wasn't validating the MIME type, so nextgens was able to put a newline in the mime type and add a location header that would cause the browser to request that location.

Content-Type: image/bmp
Location: http://www.nextgensevilsite.com

My bad for not realizing it at the time. Nextgens bad for actively exploiting it without disclosing it to me first.

On 1/20/09, Daniel Cheng <j16sdiz+freenet at gmail.com> wrote:
> 2009/1/20 Matthew Toseland <toad at amphibian.dyndns.org>:
>> On Monday 19 January 2009 19:42, Florent Daignière wrote:
>>> * Matthew Toseland <toad at amphibian.dyndns.org> [2009-01-19 13:02:31]:
>>>
>>> > There were at least:
>>> > - A lack of validation on the captchas page which enabled collecting users IP
>>> > addresses. This involved putting newlines into the headers in order to send
>>> > extra headers and in particular redirects, and was actively exploited by
>>> > nextgens to collect IP addresses.
>>>
>>> Unless you can prove it that's defamation ;)
>>
>> Then I retract it ... but I'm fairly sure this bug is exploitable, that's the
>> point. :)
>
> Not sure if you are seeing the same problem.
> The only leak I am aware of is related to HTML injection, which is
> fixable with a few lines of code.
>
> (Which I have never told SomeDude.... If you know any off-the-freenet
> way to send SomeDude a message, please tell me........... for example: gpg-encrypted message
> posted on pastebin? )
>
> Or do you mean something HTTP Request Smuggling-like?
>
> --
> _______________________________________________
> Tech mailing list
> Tech at freenetproject.org
> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech

--
3buib3s50i at gmail.com | dimonqmfcb at gmx.com
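An added illustration of the header-injection mechanism SomeDude describes above, not code from FMS or from anyone on this thread: the unvalidated response builder beside a hardened check that applies the 50-character cap together with a strict type/subtype grammar, and a small header parser that shows which headers each response really carries. The hostname is the placeholder used in the message; the function names are mine.

```python
import re
from typing import Optional

MAX_MIME_LEN = 50  # the length limit FMS added in 0.1.10, per the message above

# A MIME type is "type/subtype" made of RFC 2045 token characters; CR, LF,
# spaces and colons are never token characters, so anything else is rejected.
_MIME_RE = re.compile(r"[A-Za-z0-9!#$&^_.+-]+/[A-Za-z0-9!#$&^_.+-]+")

# Constructed input of the shape the message describes: a MIME type carrying a
# newline and a Location header (hostname is the placeholder from the message).
INJECTED = "image/bmp\r\nLocation: http://www.nextgensevilsite.com"


def build_response_unvalidated(mime_type: str, body: bytes) -> bytes:
    """Pre-fix behaviour: the supplied MIME type is copied straight into the
    Content-Type header, so a newline inside it starts a new header line."""
    head = ("HTTP/1.1 200 OK\r\n"
            f"Content-Type: {mime_type}\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return head.encode("latin-1") + body


def validate_mime_type(mime_type: str) -> str:
    """Hardened check: length cap plus a strict token grammar, so CR/LF (or any
    other header-breaking character) never reaches the response."""
    if len(mime_type) > MAX_MIME_LEN:
        raise ValueError(f"MIME type longer than {MAX_MIME_LEN} characters")
    if not _MIME_RE.fullmatch(mime_type):
        raise ValueError("MIME type is not a plain type/subtype token")
    return mime_type


def build_response_validated(mime_type: str, body: bytes) -> bytes:
    return build_response_unvalidated(validate_mime_type(mime_type), body)


def response_headers(raw: bytes) -> dict:
    """Split the header block the way a browser does (LF or CRLF), to see which
    headers the response really carries; names are lower-cased."""
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0].decode("latin-1")
    headers = {}
    for line in re.split(r"\r?\n", head)[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def injected_location(mime_type: str) -> Optional[str]:
    """Location header an unvalidated server would emit for this MIME type, if any."""
    return response_headers(build_response_unvalidated(mime_type, b"")).get("location")
```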