* 3BUIb3S50i 3BUIb3S50i <3buib3s50i at gmail.com> [2009-01-20 11:57:35]:
> SomeDude wrote:
>
> > > What version(s) of fms were these fixed in?
> >
> > Captcha validation was introduced in 0.2.23, but there was code to limit
> > the mime type to 50 characters back in 0.1.10.
> >
> > As far as the format strings, I suppose he's talking about the old log
> > file class. It was removed in 0.3.0.
> >
> > > How was this used to collect IP addresses? Can someone explain the
> > > mechanism in more detail? What does it mean by "redirects" - Freenet
> > > redirects? Or HTTP redirects?
> >
> > HTTP redirect. Each response from the HTTP server has header info in
> > it. The headers specify things like content type and data length. Each
> > header is separated by a newline, and from the actual data by 2
> > newlines. FMS wasn't validating the MIME type, so nextgens was able to
> > put a newline in the mime type and add a location header that would
> > cause the browser to request that location.
> >
> > Content-Type: image/bmp
> > Location: http://www.nextgensevilsite.com
> >
> > My bad for not realizing it at the time. Nextgens' bad for actively
> > exploiting it without disclosing it to me first.
>

How was I supposed to disclose it? That's one of the criticisms formulated on
http://archives.freenetproject.org/message/20090119.194225.d034194b.en.html

> On 1/20/09, Daniel Cheng <j16sdiz+freenet at gmail.com> wrote:
> > 2009/1/20 Matthew Toseland <toad at amphibian.dyndns.org>:
> >> On Monday 19 January 2009 19:42, Florent Daignière wrote:
> >>> * Matthew Toseland <toad at amphibian.dyndns.org> [2009-01-19 13:02:31]:
> >>>
> >>> > There were at least:
> >>> > - A lack of validation on the captchas page which enabled collecting
> >>> > users' IP addresses. This involved putting newlines into the headers
> >>> > in order to send extra headers and in particular redirects, and was
> >>> > actively exploited by nextgens to collect IP addresses.
> >>>
> >>> Unless you can prove it that's defamation ;)
> >>
> >> Then I retract it ... but I'm fairly sure this bug is exploitable, that's
> >> the point. :)
> >
> > Not sure if you are seeing the same problem.
> > The only leak I am aware of is related to HTML injection, which is
> > fixable with a few lines of code.
> >
> > (Which I have never told SomeDude.... If you know any off-the-freenet
> > way to send SomeDude a message, please tell me........... for example:
> > gpg-encrypted message posted on pastebin? )
> >
> > Or do you mean something HTTP Request Smuggling-like?
> >
> > --
> > _______________________________________________
> > Tech mailing list
> > Tech at freenetproject.org
> > http://emu.freenetproject.org/cgi-bin/mailman/listinfo/tech
>
> --
> 3buib3s50i at gmail.com | dimonqmfcb at gmx.com
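The mechanism SomeDude describes above (a newline inside the MIME type turning into an extra Location header) is header injection, usually called HTTP response splitting. The following is an added example, not code from the thread or from FMS: a response builder that interpolates the Content-Type verbatim, the validation that closes the hole, and a lenient header parser that shows which headers a browser would end up acting on. The function names, the MIME token pattern, the placeholder URL and the sample values are constructed assumptions; the 50-character cap is the limit the thread mentions.

```python
"""Added example (not FMS code): HTTP response splitting through an
unvalidated Content-Type value, beside the validation that closes it.
Names, the MIME grammar and the sample values are constructed here."""
import re

# The thread mentions a 50-character cap on the MIME type; the token grammar
# is an assumption (RFC 2045-style type/subtype, no whitespace or separators).
MAX_MIME_LEN = 50
MIME_TOKEN = r"[A-Za-z0-9!#$&^_.+-]+"
MIME_RE = re.compile(rf"^{MIME_TOKEN}/{MIME_TOKEN}$")

# Constructed sample: a MIME type carrying a bare LF and a second header line,
# the shape described in the thread. The URL is a placeholder.
INJECTED_MIME = "image/bmp\nLocation: http://example.invalid/"


def is_valid_mime_type(value: str) -> bool:
    """Reject anything that could end a header line or is not a bare
    type/subtype pair. CR and LF are the response-splitting characters;
    the length check mirrors the cap mentioned in the thread."""
    if len(value) > MAX_MIME_LEN:
        return False
    if "\r" in value or "\n" in value:
        return False
    return MIME_RE.fullmatch(value) is not None


def build_response_unvalidated(mime_type: str, body: bytes) -> bytes:
    """Reproduces the flaw: the caller-supplied value is interpolated into
    the header block verbatim, so line breaks inside it become new headers."""
    head = (
        "HTTP/1.1 200 OK\r\n"
        f"Content-Type: {mime_type}\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode("latin-1") + body


def build_response_validated(mime_type: str, body: bytes) -> bytes:
    """Hardened form: refuse to serialise a response whose Content-Type
    fails validation, instead of trying to 'clean' it."""
    if not is_valid_mime_type(mime_type):
        raise ValueError("refusing to emit response: malformed Content-Type")
    return build_response_unvalidated(mime_type, body)


def rejects_mime(mime_type: str) -> bool:
    """True when the validated builder refuses the given MIME type."""
    try:
        build_response_validated(mime_type, b"")
    except ValueError:
        return True
    return False


def parse_headers(raw: bytes) -> dict:
    """Parse the header block the way a lenient client does: split on the
    first blank line, then on line breaks, accepting a bare LF as a break.
    Returns lower-cased header names mapped to their values."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in re.split(rb"\r?\n", head)[1:]:  # skip the status line
        name, sep, val = line.partition(b":")
        if sep:
            headers[name.strip().decode("latin-1").lower()] = val.strip().decode("latin-1")
    return headers


def headers_seen_by_client(mime_type: str) -> dict:
    """Headers a client would see if the unvalidated builder served this type."""
    return parse_headers(build_response_unvalidated(mime_type, b"BM"))


if __name__ == "__main__":
    print("unvalidated:", headers_seen_by_client(INJECTED_MIME))
    print("validated rejects injected type:", rejects_mime(INJECTED_MIME))
    print("validated accepts image/bmp:", not rejects_mime("image/bmp"))
```

Refusing the request outright (rather than stripping CR/LF and carrying on) keeps the rejection visible in server logs, which is also the signal a defender would alert on: a Content-Type or other caller-controlled header value that contains a line break or exceeds the expected length is never legitimate.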