Cenzic 232 Patent
Paid Advertising
sla.ckers.org is
ha.ckers sla.cking
Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Go to Topic: PreviousNext
Go to: Forum ListMessage ListNew TopicSearchLog In
GNUCITIZEN LOL
Posted by: ionic
Date: July 29, 2007 07:07AM

For sure Kuza and co will soon come out and tell us how bad it is to laugh at other people's mistakes.

Here we go: XSS vulnerability in GNUCITIZEN.org

http://blog.php-security.org/archives/90-More-CSRF-Redirectors.html

And yes WE laugh about it, because running around and telling everyone how doomed he is by XSS and then have XSS vulnerabilities in your own "tools" is hilarious.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 29, 2007 07:48AM

Yeah right on Stefan:

http://forum.hardened-php.net/viewforum.php/%22%3E%3CBODY%20ONLOAD=alert('XSS')%3E

Look who's talking now.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Gareth Heyes
Date: July 29, 2007 10:02AM

lol Ronald I suppose everyone makes mistakes :)

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 29, 2007 11:13AM

Yeah and actually it is a PHP coding mistake, which makes it all the worse ^^
Ah well, not many peepz know and yes most sites are vulnerable.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Date: July 29, 2007 05:50PM

yep, the mistake was pretty bad, but I have no idea how the heck the thing slipped through my fingers. however, the good thing is that I patched it 15 minutes after Stefan's post, thanks to SECURLS awesome API. :)

anyway, everybody makes mistakes... when you start working on corporate level jobs you will realize that things are even worse. What big guys care about is not loosing their customers. Incidental hacks and other stuff like that are covered by the insurance companies and backed up by intelligent PR campaigns and crisis management plans. It is impossible to secure a network. It is impossible to secure large sites. You may stop most attackers but if they are dedicated enough, they will always find a way in. This is it. Finito. The entire security industry is based on managing the risk levels rather then securing the parameter, which is virtually impossible. This is a message that I am trying to send the everyone. Grow up!

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: kuza55
Date: July 30, 2007 02:21AM

ionic Wrote:
-------------------------------------------------------
> For sure Kuza and co will soon come out and tell
> us how bad it is to laugh at other people's
> mistakes.
"Kuza and co" - I could get used to the sound of that, ;)

> And yes WE laugh about it, because running around
> and telling everyone how doomed he is by XSS and
> then have XSS vulnerabilities in your own "tools"
> is hilarious.

Honestly, I just can't see the humor, it just doesn't seem funny to me. Though I'm glad you can get your kicks so easily.

Now, if someone who was bitching about how easy it is to fix XSS vulns had this happen to them, I'd be laughing along with you, since that'd be ironic. But I don't see that here.

Honestly I don't care if you're laughing about it, because unless you're doing something interesting, I really don't care.

I do think the security community needs to be less vulture-like (and 4 separate people posted something about it, and then comments about who found it first is definitely vulture like), but I'm not going to achieve anything by arguing with people like you who simply don't understand that mistakes happen, and that we shouldn't react to those mistakes on a personal level.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: ionic
Date: July 30, 2007 07:55AM

Like I already pointed out to Ronald in his blog until he blocked my IP.

This is btw a really nice way to censor different opinions. At the moment his website even claims that I am a "security scanner". LOL.

You can blame me all day long for using a PHP software that had a security hole in it. Actually you can really blame me, because the hole was known and I oversaw it when I backported security fixes. However you cannot blame me for writing this code, because I did not.

What you don't get is that there is a huge difference between being a security expert and write vulnerable code and being a security expert and using a vulnerable application.

Only dreamers believe that they can write every piece of code they need themself. In the real world one has to rely on 3rd party code.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 30, 2007 07:59AM

@ionic:

Same problems here (what a wonder). On my personal credibility-curve Princess Ronald just reached the very bottom (in case s/o wanted to know this - I don't really think so but just in case...)

over and out...
.mario

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: ionic
Date: July 30, 2007 08:07AM

@kuza55

For me it is really funny. Just sit back and watch what happens when you point out these bugs.

They all claim what you found is not dangerous. For various reasons... Maybe because there are no cookie to steal, ... Of course this is completely different when they find similar errors in other persons sites.

And then they try to come back at you by pointing out errors in 3rd party software you have installed. The next thing is that you show them more errors in their software and then they start blocking your IP in their blog.

And yes I consider it funny when you are a web security researcher and write 10 lines of PHP code and have several XSS errors in it.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 30, 2007 09:24AM

So what, those comments are spam because they spread over different articles. I won't allow spam and those who do will be blocked on IP.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Date: July 30, 2007 10:04AM

I would like to say a few thing here so everybody knows my statement. Finding vulnerabilities in public websites is wrong. What Stefan did was totally unethical. In fact, it is considered illegal. Some of you may say that it is just a simple XSS, but I've seen cases where simple XSS attacks can result into the backend going nuts and the entire system falling apart. You should not test public websites unless you have a permission to.

Second, the vulnerability within the CSRF redirector is simple and stupid. Ok, we screwed up. We fixed it and now we are moving on. We have some great projects to release and this is where I am going to concentrate my energy personally.

Thanks Ronald for supporting this statement all along. Oh, and thanks to Stefan for pointing out the vulnerability. Given the project load that we have at the moment for sure we would have missed it. BTW, things like this have happened before and we are open about it. Check this out: http://www.gnucitizen.org/blog/how-i-almost-got-hacked.

:) peace, btw if you are interested in winning an XSS Book, keep up with the GC blog.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 30, 2007 10:50AM

@ionic,

like I didn't know about the data directive? I was one of the first ones who published one on E-bay. Still it requires user interaction to click on it and has a char limit of 30. Go ahead, try to "pwn" it. I intentionally allowed users to submit many URI's but sensible attack charcters won't display: ' ` ^ { } < > = +

So it's just a childs game of not admitting you had a hole you didn't know. That is strange because you wrote about it in your own forum in 2005, little ironic isn't it?

I'm done with this game you play, and the posts spread across different articles is considered SPAM in my eyes and so forth it will be blocked, in this case you cannot comment with your IP, and I have all the right to do so. Oh and Stefan, better upgrade to the newest version of your "blog software" cause I found a new SQL injection point in the request parameters.

So move along, all nice friends again, I have to fix my bathroom now.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: christ1an
Date: July 30, 2007 02:05PM

Oh man, I am so fucking sick of all this. Damn it Ronald, was that spam on my planet meant to be some sort of revenge just because ionic and I mentioned that vulnerability on your site? Because I linked an old entry where I checked whether or not the URL field is vulnerable?

Damn it, you really think I did this on purpose to blame you, don't you? Yeah, after all those constructive thoughts I contributed in the past to your site this does make sense indeed.

This offence honestly is the poorest event of everything that has happend today. You really proved a lot by defacing a website that trusted your input.

And what the fuck is so difficult in exploiting this kind of vulnerability? Prepare a malicious link that loads some javascript from h4k.in or whatever, make the victim click on it and you're done.

Hell this sucks.

Regards,
- http://christ1an.blogspot.com

_______________________
[[url=http://php-ids.org]php-ids.org[/url]] Web Application Security 2.0

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: ionic
Date: July 30, 2007 02:08PM

@pdp

Stop writing such bullshit I did nothing illegal/unethical. I entered an URL in your attack tool, an attack tool that is by definition unethical and nowadays illegal in countries like germany.
However there are examples where german judges told the siteowners that it is their problem if eg. a bunch of customer data incl. credit card numbers is reachable by an URL.
And it is very amusing that you call me attacking an attack tool unethical but ronald exposing an XSS vulnerability in a forum with real users is okay.

@ronald

First of all you assume to much. I have done nothing with data: directives. I used plain javascript: URLs. Something you obviously did NOT block. 30 chars might be tough but things similar to eval(location.hash) might still work. (but I am not sure).

And unlike you I admit having a hole if I have one. But you have yet to find a hole in my code. You exploited a vulnerability in a 3rd party open source forum software that I use. I am not responsible for the code in there.
This is unlike your blog that most probably was coded by yourself and that
contains holes.

And no thanks I don't think I need to update my blog software.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 30, 2007 02:46PM

What holes..submitting a hyperlink?

I got another expl0it for you leets: telnet://evilsite.com

Oh wait this is a better one: http://www.0x000000.com/blah.php
(be warned when you use javascript, cause you won't recover)

So, this is the last thing I say about this cause you make me sick, go exploit hyperlinks.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: ionic
Date: July 30, 2007 02:57PM

Ronald you still don't get it that the javascript URL is executed within your domain, do you?

You are behaving like a little child that desperately tries to rescue its neck with nonsense pseudo arguments and spam attacks like spamming planet-websecurity.

Yes it IS only a hyperlink, but a hyperlink on YOUR site that is able to execute Javascript on behalf of YOUR domain (because YOU failed to code it correctly) if someone clicks it.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 30, 2007 03:15PM

Actuall, that was kinda funny ^^

it was not SPAM it was a CSRF done by the planet's own server, that's pure magic. BTW Any feedscraper was "pwned" today. So I had my fun also. And you may distort this story in any direction you want, and shall we cut the crap on the forum here? Let's enjoy it once again.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Date: July 30, 2007 03:28PM

Stefan, it is not OK. Disclosing bugs on public sites is not OK at all. I don't even know why RSnake supports that. I think I made my statement quite clear at OWASP. But let's cut the crap and go away peacefully. You proved you point. You found a bug. We fixed it. So what? I am sure that we have better things to do then pointing each others mistakes. I know for sure that I am not going to continue this crap. There is no value in it.

“The thing that is really hard, and really amazing, is giving up on being perfect and beginning the work of becoming yourself.” or “This is the very perfection of a man, to find out his own imperfections.”

so move on... that applies to everybody



Edited 2 time(s). Last edit at 07/30/2007 03:30PM by pdp.gnucitizen.

Options: ReplyQuote
Re: GNUCITIZEN LOL
Posted by: Anonymous User
Date: July 30, 2007 10:30PM

Well said.

So let's continue having a good time
and close this of with my favorite message:




Ah the joy... ^^

Options: ReplyQuote


Sorry, only registered users may post in this forum.