On Tue, Jan 20, 2009 at 6:57 PM, 3BUIb3S50i 3BUIb3S50i <3buib3s50i at gmail.com> wrote:
> SomeDude wrote:
>
>> What version(s) of fms were these fixed in?
>>
>
> Captcha validation was introduced in 0.2.23, but there was code to limit
> the mime type to 50 characters back in 0.1.10.
>
> As far as the format strings, I suppose he's talking about the old log
> file class. It was removed in 0.3.0.
>
>> How was this used to collect IP addresses? Can someone explain the
>> mechanism in more detail? What does it mean by "redirects" - Freenet
>> redirects? Or HTTP redirects?
>
> HTTP redirect. Each response from the HTTP server has header info in
> it. The headers specify things like content type and data length. Each
> header is separated by a newline, and from the actual data by 2
> newlines. FMS wasn't validating the MIME type, so nextgens was able to
> put a newline in the mime type and add a location header that would
> cause the browser to request that location.
>
> Content-Type: image/bmp
> Location: http://www.nextgensevilsite.com
>
> My bad for not realizing it at the time. Nextgens bad for actively
> exploiting it without disclosing it to me first.
The source code I have on hand does check if this is image/bmp: "src/freenet/introductionpuzzlerequester.cpp" line 110, but I don't have access to the latest source code, nor do I have access to Freenet.

> On 1/20/09, Daniel Cheng <j16sdiz+freenet at gmail.com> wrote:
>> 2009/1/20 Matthew Toseland <toad at amphibian.dyndns.org>:
>>> On Monday 19 January 2009 19:42, Florent Daignière wrote:
>>>> * Matthew Toseland <toad at amphibian.dyndns.org> [2009-01-19 13:02:31]:
>>>>
>>>> > There were at least:
>>>> > - A lack of validation on the captchas page which enabled collecting
>>>> > users' IP addresses. This involved putting newlines into the headers
>>>> > in order to send extra headers and in particular redirects, and was
>>>> > actively exploited by nextgens to collect IP addresses.
>>>>
>>>> Unless you can prove it that's defamation ;)
>>>
>>> Then I retract it ... but I'm fairly sure this bug is exploitable, that's
>>> the point. :)
>>
>> Not sure if you are seeing the same problem.
>> The only leak I am aware of is related to HTML injection, which is
>> fixable with a few lines of code.
>>
>> (Which I have never told SomeDude.... If you know any off-the-freenet
>> way to send SomeDude a message, please tell me........... for example:
>> gpg-encrypted message posted on pastebin? )
>>
>> Or do you mean something HTTP Request Smuggling-like?
>>
>> --
>> _______________________________________________
>> Tech mailing list
>> Tech at freenetproject.org
>> http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech
>>
>
>
> --
> 3buib3s50i at gmail.com | dimonqmfcb at gmx.com
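The newline-in-the-MIME-type problem discussed in this thread, as an added C++ example that is not FMS's own code: the unchecked concatenation the thread describes beside a validator that rejects control characters, enforces the 50-character cap and the image/bmp check mentioned above, and a small helper for spotting an injected Location line in a logged response head. The constants and function names are this example's own assumptions.

```cpp
#include <cctype>
#include <cstddef>
#include <string>

// Assumed for this example (not taken from FMS source): the thread mentions a
// 50-character cap on the MIME type and a later check that it is image/bmp.
static const std::size_t kMaxMimeLen = 50;
static const std::string kAllowedMime = "image/bmp";

// The vulnerable pattern the thread describes: the value is pasted into the
// response head verbatim, so a CR or LF inside it ends the Content-Type line
// and whatever follows is parsed by the browser as a new header.
std::string buildHeadUnchecked(const std::string& mime, std::size_t bodyLen) {
    return "HTTP/1.1 200 OK\r\nContent-Type: " + mime +
           "\r\nContent-Length: " + std::to_string(bodyLen) + "\r\n\r\n";
}

// Hardened check: non-empty, within the cap, only characters that can appear
// in a type/subtype token, so no byte below 0x20 (CR, LF, NUL, TAB) or DEL can
// reach the wire; finally the value must be the one type this endpoint serves.
bool isAllowedMime(const std::string& mime) {
    if (mime.empty() || mime.size() > kMaxMimeLen) return false;
    for (unsigned char c : mime) {
        if (c < 0x20 || c == 0x7f) return false;
        if (!std::isalnum(c) && c != '/' && c != '-' && c != '.' && c != '+')
            return false;
    }
    return mime == kAllowedMime;
}

// Hardened builder: a rejected value never reaches the header block at all;
// the client gets a fixed error head rather than a partly attacker-shaped one.
std::string buildHeadChecked(const std::string& mime, std::size_t bodyLen) {
    if (!isAllowedMime(mime))
        return "HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n";
    return buildHeadUnchecked(mime, bodyLen);  // safe here: mime is a vetted token
}

// Review/detection helper: true if a header of this name starts a line in the
// head. A Location line in a puzzle-image response is the injection signature.
bool headHasHeader(const std::string& head, const std::string& name) {
    const std::string needle = "\n" + name + ":";  // matches after "\r\n" or bare "\n"
    return head.find(needle) != std::string::npos;
}
```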