Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Bugtraq ID# 53694 is invalid/fake
From: Information Booth <info () babygekko com>
Date: Thu, 14 Jun 2012 12:57:21 -0600

This is in regards to:

http://www.securityfocus.com/bid/53694

This is an uncoordinated release, the author did not make any attempt
to notify us either by email or the public forum. The non-working
exploit seems to have been copied and pasted with RIPS source code
analyzer and the author didn't even bother tho test our understand the
code. A real hacker can read source code, not run a RIPS source code
analyzer and publish the finding without due diligence.

This is the result:
Try : alert('..config.inc.php could not be loaded');

1) The "/" or %2F won't be accepted. $filename =
preg_replace("/[^a-z._\d]/i", "", $_GET['js']); // sanitize, prevent
path traversal
2) It will only read js.gz file (I see attempts to load /etc/passwd
but that doesn't make sense - I don't think he knows/understand how to
read source code) - readfile(SITE_PATH.'/js/'.$
filename.'.js.gz'); The bad chars will be stripped anyway ...
3) Test:
http://gekkocms.babygekko.com/js/js_gzip.php?js=..%2Fconfig.inc.php
http://gekkocms.babygekko.com/js/js_gzip.php?js=../config.inc.php

The js_gzip.php was included as of v1.1.5a

Also older versions on my website:

http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.4.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5a.zip
http://www.babygekko.com/downloads/archives/gekko_web_builder_v1.1.5c.zip

I am fine with people publishing vulnerabilities to make code more
secure. What I'm unhappy is how some wannabe script kiddiot can just
download source code analyzers/scanners and publish things WITHOUT any
prior test and WITHOUT contacting vendors. I have had people publish
their findings in my forum and I'm fine. But not when they don't at
least test or contact me and then later turns out to be a false alarm.

Here's a copy & paste from v1.1.5a (old version - the same)
/js/js_gzip.php

//++++++++++++++++++++++++++++
++++++++++++++++++++++++++++++++++++++++++++++//
// Baby Gekko content management system - Copyright (C) Baby Gekko.
// This is a SHARED SOURCE, NOT OPEN SOURCE (GPL).
// You may use this software commercially, but you are not allowed to
create a fork or create a derivative of this software
// Please read the license for details
//++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++//
include ('../config.inc.php');
error_reporting(0);

$filename = preg_replace("/[^a-z._\d]/i", "", $_GET['js']); //
sanitize, prevent path traversal
$etag = sprintf('bbgk%u',crc32($filename));
header("Content-type: text/javascript; charset: UTF-8");
if(isset($_SERVER['HTTP_IF_MODIFIED_SINCE']) ||
isset($_SERVER['HTTP_IF_NONE_MATCH']))
{
    if ($_SERVER['HTTP_IF_MODIFIED_SINCE'] || str_replace('"', '',
stripslashes($_SERVER['HTTP_IF_NONE_MATCH'])) == $etag)
    {
        header('HTTP/1.1 304 Not Modified');
        exit();
    }
} else
if (file_exists (SITE_PATH.'/js/'.$filename.'.js.gz'))
{
    header("Vary: Accept-Encoding");
    header("Cache-Control: public, max-age=".(144000 * 24));
    header("Pragma: public");
    header("Expires: Tue, 30 Aug 2037 20:00:00 GMT");
    header("Content-Encoding: gzip");
    header("ETag: \"{$etag}\"");
    readfile(SITE_PATH.'/js/'.$filename.'.js.gz');
} else
{
    echo ("alert('{$filename} could not be loaded');");
}
?>


  By Date           By Thread  

Current thread:
  • Re: Bugtraq ID# 53694 is invalid/fake Information Booth (Jun 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault